Read more: Boosty | Sponsr | TG

Abstract – This document provides a comprehensive analysis of CVE-2024-21111, a critical vulnerability in Oracle VM VirtualBox affecting Windows hosts. The analysis covers various aspects of the vulnerability, including its technical details, exploitation mechanisms, and potential impacts on different industries. This document provides a high-quality summary of the vulnerability, offering valuable insights for security professionals and other stakeholders across various industries. The analysis is beneficial for understanding the risks associated with CVE-2024-21111 and implementing effective measures to safeguard systems against potential attacks.

I. INTRODUCTION

CVE-2024-21111 is a significant security vulnerability identified in Oracle VM VirtualBox, specifically affecting Windows hosts. This vulnerability is present in versions of VirtualBox prior to 7.0.16. It allows a low privileged attacker with logon access to the infrastructure where Oracle VM VirtualBox is executed to potentially take over the system.

An attacker exploiting this vulnerability could achieve unauthorized control over the affected Oracle VM VirtualBox. The specific technical mechanism involves local privilege escalation through symbolic link following, which can lead to arbitrary file deletion and movement.

II. TECHNICAL DETAILS

• Vulnerability Type: Local Privilege Escalation (LPE) allows a low privileged attacker who already has access to the system to gain higher privileges.

• Attack Vector and Complexity: The CVSS 3.1 vector (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H) indicates that the attack vector is local (AV:L), meaning the attacker needs local access to the host. The attack complexity is low (AC:L), and no user interaction (UI:N) is required. The privileges required are low (PR:L), meaning that an attacker with basic user privileges can exploit this vulnerability.

• Impact: The impacts on confidentiality, integrity, and availability are all rated high (C:H/I:H/A:H), indicating that an exploit could lead to a complete compromise of the affected system's confidentiality, integrity, and availability.

• Exploitation Method: The vulnerability can be exploited through symbolic link (symlink) attacks. This involves manipulating symbolic links to redirect operations intended for legitimate files or directories to other targets, which the attacker controls. This can lead to arbitrary file deletion or movement, potentially allowing the attacker to execute arbitrary code with elevated privileges.

• Specific Mechanism: The vulnerability specifically involves the manipulation of log files by the VirtualBox system service (VBoxSDS). The service, which runs with SYSTEM privileges, manages log files in a directory that does not have strict access controls. This allows a low privileged user to manipulate these files, potentially leading to privilege escalation. The service performs file rename/move operations recursively, and if manipulated correctly, this behavior can be abused to perform unauthorized actions.

• Mitigation: Users are advised to update their VirtualBox to version 7.0.16 or later, which contains the necessary patches to mitigate this vulnerability.

III. AFFECTED INDUSTRIES

A. IT and Software Development

• Virtualization Infrastructure: IT companies and cloud service providers often use VirtualBox for creating and managing virtual environments. Exploitation of this vulnerability could lead to unauthorized access and control over virtual machines, compromising the integrity and confidentiality of hosted services and data.

• Service Disruption: A successful attack could disrupt services provided to clients, leading to downtime and potential financial losses.

B. Education and Training

• Research Data: VirtualBox is used for research and academic purposes. Unauthorized access could compromise research data and intellectual property.

• Service Availability: Disruption of virtualized environments affects online learning platforms and administrative functions.

C. Cybersecurity and Forensics

• Data Security: Cybersecurity and forensics professionals often use virtual machines to analyze malware, conduct penetration testing, and perform forensic investigations in isolated environments. A compromised VirtualBox could lead to unauthorized access to sensitive forensic data and tools, potentially compromising the integrity of investigations.

• Unauthorized Access: Attackers could gain access to forensic tools and data, manipulate evidence, or disrupt ongoing investigations by escalating privileges.
D. Enterprise and Business

• Customer Data: Enterprises and businesses use VirtualBox for various purposes, including software development, testing, and running legacy applications. A successful exploit could lead to unauthorized access to corporate data, intellectual property, and critical business applications.

• Operational Impact: The vulnerability could result in data breaches, loss of sensitive information, and disruption of business operations, leading to financial and reputational damage.

E. Product Demonstrations and Sales

• Customer Data: VirtualBox is often used for product demonstrations and sales presentations to showcase software and solutions in a controlled environment. An attacker exploiting this vulnerability could disrupt demonstrations, access proprietary software, or manipulate the demonstration environment.

• Brand Impact: This could lead to loss of customer trust, potential exposure of proprietary software, and negative impacts on sales and marketing efforts.

F. Industrial Automation

• Automation Infrastructure: In industrial automation, VirtualBox may be used to simulate and test automation systems before deployment. A compromised VirtualBox could lead to unauthorized access to industrial control systems, potentially causing disruptions in manufacturing processes.

• Service Disruption: This could result in production downtime, safety hazards, and financial losses due to disrupted manufacturing operations.

G. Remote Work and Virtual Desktops

• Sensitive Data: VirtualBox is widely used to provide virtual desktop environments for remote workers. Exploiting this vulnerability could allow attackers to gain control over virtual desktops, access sensitive corporate data, and disrupt remote work operations.

• Data Leakage: This could lead to data breaches, loss of productivity, and increased security risks for remote workers and the organizations they work for.

H. Financial Services

• Data Security: Financial institutions use virtualization to isolate sensitive data and applications. An attacker gaining SYSTEM privileges could access, modify, or delete sensitive financial data, leading to severe regulatory and financial repercussions.

• Compliance Risks: Breaches could result in non-compliance with financial regulations and standards, attracting penalties and damaging reputation.

I. Healthcare

• Patient Data: Healthcare providers use virtualized environments to manage patient records and other sensitive information. Exploitation of this vulnerability could lead to unauthorized access to patient data, violating privacy laws such as HIPAA.

• Operational Impact: System takeovers could disrupt critical healthcare services, affecting patient care and operational efficiency.

J. Government and Defense

• National Security: Government agencies and defense organizations use virtualization for secure and efficient operations. A breach could lead to unauthorized access to classified information, posing national security risks.

• Operational Disruption: Compromised systems could disrupt essential government services and defense operations.

IV. ROOT OF CAUSE

The root cause of CVE-2024-21111 in Oracle VM VirtualBox is a local privilege escalation vulnerability that stems from the improper handling of symbolic links and file operations within the VirtualBox environment.

• Symbolic Link Following: The vulnerability allows for the exploitation of symbolic link following, where VirtualBox, running with system-level privileges, attempts to move or delete log files in the C:\ProgramData\VirtualBox directory. This directory and its operations are accessible and writable by all users.

• Improper File Handling: VirtualBox tries to manage log files by moving them to back them up and deleting the oldest log when more than ten logs exist. This operation is performed without proper validation or security checks to ensure that the files being manipulated are not maliciously linked to other critical system files or directories.

• Insecure Permissions: The C:\ProgramData\VirtualBox directory inherits permissions that allow all users to create and modify files. This lax permission setting enables low-privileged users to create symbolic links that can redirect file operations intended for log files to any other file or directory, leading to unauthorized actions being performed with elevated privileges.

V. ATTACK FLOW & SCENARIO

CVE-2024-21111 is a local privilege escalation vulnerability in Oracle VM VirtualBox, specifically affecting Windows hosts.

A. Attack flow

• Initial Access and Environment Setup: The attacker must have low-level user privileges and logon access to a system where Oracle VM VirtualBox is installed. The versions affected are prior to 7.0.16.

• Exploitation of Symbolic Link Following: The core of the vulnerability lies in the exploitation of symbolic link following within the VirtualBox environment. This allows the attacker to perform unauthorized actions such as arbitrary file deletion and movement.

• Manipulation of Log Files: VirtualBox attempts to manage log files under the directory C:\ProgramData\VirtualBox. These files are handled by the system with elevated privileges. The system tries to move these log files to back them up, maintaining only the latest 10 logs and attempting to delete the 11th log.
• Privilege Escalation: Due to the vulnerability, the attacker can exploit the way VirtualBox handles these log files to escalate their privileges. By manipulating the symbolic links or the log files themselves, the attacker can force the system to execute arbitrary actions with system-level privileges.

• System Takeover: Once the attacker has escalated their privileges to the system level, they can execute further malicious activities, leading to a full system takeover.

B. Attack Scenario

1) Initial Setup

• Environment: Windows system running a vulnerable version of Oracle VM VirtualBox (prior to 7.0.16).

• Permissions: The attacker has low-level user access with the ability to log on to the system.

2) Exploitation Steps

• Identify Target Directory: The attacker identifies the C:\ProgramData\VirtualBox directory, which is used by VirtualBox to store log files. This directory is writable by all users, which is a key factor in the exploitation.

• Create Symbolic Links: The attacker creates symbolic links in the C:\ProgramData\VirtualBox directory to redirect file operations (such as move or delete) to critical system files or directories.

• Trigger File Operations:
    o Move Operation: When VirtualBox attempts to move a log file, it instead moves the targeted file, potentially causing unauthorized file movements.
    o Delete Operation: When VirtualBox attempts to delete an old log file, it instead deletes the targeted system file.

• Privilege Escalation: By manipulating these file operations, the attacker performs actions that are normally restricted to higher-privileged accounts. This leads to the escalation of privileges to the highest level of privilege on Windows systems.

3) Post-Exploitation

• System Takeover: With SYSTEM privileges, the attacker can:
    o Execute elevated arbitrary commands.
    o Access and modify any file on the system.
    o Install malicious software or backdoors.
    o Create new accounts with administrative privileges.

• Persistence and Lateral Movement: The attacker can establish persistence mechanisms to maintain access to the compromised system and potentially move laterally within the network to compromise additional systems.

VI. POC

The GitHub repository for CVE-2024-21111, hosted by mansk1es, details a Local Privilege Escalation (LPE) vulnerability in Oracle VirtualBox versions.

• Affected Component: The vulnerability affects the way VirtualBox handles log files. VirtualBox, running as NT AUTHORITY\SYSTEM, attempts to move log files within C:\ProgramData\VirtualBox to back them up by an ordinal system, maintaining a maximum of 10 logs. When the number of logs exceeds this limit, VirtualBox tries to delete the 11th log.

• Exploitation Mechanism: The exploitation of this vulnerability is facilitated by the fact that the C:\ProgramData\VirtualBox directory is writable by all users. This allows an attacker to exploit the process of moving and deleting log files to escalate privileges. The vulnerability exposes two bugs related to this process that can lead to privilege escalation.

• Privilege Escalation Path: By exploiting the symbolic link following vulnerability, an attacker can manipulate the file operations performed by VirtualBox (as NT AUTHORITY\SYSTEM) to achieve arbitrary file deletion or movement. This can lead to unauthorized actions being performed with system-level privileges.

The GitHub repository for CVE-2024-21111 provides proof of concept (PoC) scripts that demonstrate the local privilege escalation vulnerability in Oracle VM VirtualBox; they are located in the directories VirtualBoxLPE_move and VirtualBoxLPE_del.

A. Input Data for Scripts

• The path to the directory (C:\ProgramData\VirtualBox) where VirtualBox manages log files.

• Specific parameters or configurations that mimic the operations performed by VirtualBox, such as moving or deleting log files.

1) VirtualBoxLPE_move:
This script requires input specifying which log files to move and the new location or manner in which these files should be moved. The input could also include the creation of symbolic links that redirect these operations to unintended targets.

2) VirtualBoxLPE_del:
Like the move script, this deletion script relies on input specifying which log files to delete. The script might also involve the creation of symbolic links that cause the deletion operation to affect unintended files or directories.

B. Outcomes After Running the Scripts

1) VirtualBoxLPE_move:
After running this script, the outcome is that the log files are moved in a way that exploits the symbolic link following vulnerability. This leads to unauthorized file movements, potentially allowing an attacker to relocate system files or other sensitive files to locations with less secure permissions.

2) VirtualBoxLPE_del:
The outcome of running this deletion script is the deletion of files or directories that were not originally intended to be deleted. By exploiting the symbolic link following, an attacker could redirect the deletion process to remove critical system files or other protected data, leading to system instability or further security compromises.
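The rotation pattern described in Sections IV and V (ordinal backups under a user-writable directory, 10 logs kept, the 11th deleted, every step addressed by path name) and the Section II mitigation (7.0.16 or later) are modelled below in Python. This is an added example, not VirtualBox source and not Oracle's fix: rotate_logs_unsafe reproduces the by-name pattern the page describes, rotate_logs_checked refuses to operate when any component of the log path below a trusted ancestor is a symlink or Windows reparse point, and is_affected_version applies the page's version threshold. The log file name VBoxSDS.log, the scenario's directory layout and the "7.0.14r161095" version-string form are assumptions made for the example. Because the verifier runs on POSIX, the planted link is a symlink; on Windows the same redirection is done with a junction or mount point, which the reparse-point check covers.

```python
import os
import re
import stat
import tempfile
from pathlib import Path

MAX_LOGS = 10               # the page: 10 logs are kept, the 11th is deleted
FIXED_VERSION = (7, 0, 16)  # Section II, Mitigation: update to 7.0.16 or later
BASE = "VBoxSDS.log"        # assumed log file name, after the VBoxSDS service


class UnsafePathError(RuntimeError):
    """A path component is a link/reparse point or not a regular file."""


def is_reparse_point(path):
    """True for a POSIX symlink or a Windows reparse point (symlink, junction,
    mount point). os.lstat() deliberately does not follow the link."""
    st = os.lstat(path)
    if stat.S_ISLNK(st.st_mode):
        return True
    attrs = getattr(st, "st_file_attributes", 0)  # attribute exists on Windows only
    return bool(attrs & stat.FILE_ATTRIBUTE_REPARSE_POINT)


def rotation_plan(log_dir):
    """Ordinal rotation: delete .10, shift .9 -> .10 ... .1 -> .2, live log -> .1."""
    plan = [("delete", log_dir / f"{BASE}.{MAX_LOGS}", None)]
    for i in range(MAX_LOGS - 1, 0, -1):
        plan.append(("move", log_dir / f"{BASE}.{i}", log_dir / f"{BASE}.{i + 1}"))
    plan.append(("move", log_dir / BASE, log_dir / f"{BASE}.1"))
    return plan


def apply_plan(plan):
    """Execute the steps by path name and return what was actually done."""
    done = []
    for op, src, dst in plan:
        if not src.exists():
            continue
        if op == "delete":
            os.remove(src)
        else:
            os.replace(src, dst)
        done.append((op, src.name))
    return done


def rotate_logs_unsafe(log_dir):
    """The pattern the page describes: trust the directory path and act by name.
    If log_dir (or a parent) is a link, every step lands wherever the link
    points, with the caller's privileges."""
    return apply_plan(rotation_plan(Path(log_dir)))


def rotate_logs_checked(log_dir, trusted_parent):
    """Refuse to rotate if any component below a trusted (non-user-writable)
    ancestor is a link, and touch only regular files that are not links."""
    log_dir = Path(os.path.abspath(log_dir))
    node = Path(os.path.abspath(trusted_parent))
    for part in log_dir.relative_to(node).parts:  # ValueError if outside trusted root
        node = node / part
        if is_reparse_point(node):
            raise UnsafePathError(f"link in log path: {node}")
    if not stat.S_ISDIR(os.lstat(log_dir).st_mode):
        raise UnsafePathError(f"not a directory: {log_dir}")
    plan = rotation_plan(log_dir)
    for _, src, _ in plan:
        if src.exists() and (is_reparse_point(src)
                             or not stat.S_ISREG(os.lstat(src).st_mode)):
            raise UnsafePathError(f"not a regular file: {src}")
    # Caveat: check-then-act leaves a race window. A production fix keeps a
    # handle to the verified directory open and renames/deletes relative to
    # that handle instead of re-opening each path by name.
    return apply_plan(plan)


_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)")


def is_affected_version(version_string):
    """True when the version is below 7.0.16. Accepts 'VBoxManage --version'
    style strings such as '7.0.14r161095' (that format is an assumption)."""
    m = _VERSION_RE.search(version_string)
    if not m:
        raise ValueError(f"unrecognised version: {version_string!r}")
    return tuple(int(g) for g in m.groups()) < FIXED_VERSION


def run_scenario(root=None):
    """Constructed scenario (not from the page): the log directory has been
    replaced by a link to an unrelated directory holding a file the service
    must never touch. Returns what each rotation routine did to it."""
    if root is None:
        with tempfile.TemporaryDirectory() as tmp:
            return run_scenario(tmp)
    root = Path(root)
    trusted, elsewhere = root / "ProgramData", root / "elsewhere"
    trusted.mkdir()
    elsewhere.mkdir()
    victim = elsewhere / f"{BASE}.{MAX_LOGS}"  # named so step 1 of the plan hits it
    victim.write_text("not a log file")
    log_dir = trusted / "VirtualBox"
    os.symlink(elsewhere, log_dir, target_is_directory=True)  # the planted link
    result = {}
    try:
        rotate_logs_checked(log_dir, trusted)
        result["checked"] = "rotated"
    except UnsafePathError:
        result["checked"] = "refused"
    result["victim_after_checked"] = victim.exists()
    result["unsafe"] = rotate_logs_unsafe(log_dir)
    result["victim_after_unsafe"] = victim.exists()
    return result


if __name__ == "__main__":
    print(run_scenario())
    print("7.0.14r161095 affected:", is_affected_version("7.0.14r161095"))
```

Running the module shows the checked routine refusing while the file behind the link survives, and the unsafe routine deleting it with its first step. The design point is the one the page's root-cause section makes: in a directory every user can write to, the file names alone carry no trust, so the routine has to verify each path component it is about to act on (and, as the comment notes, ultimately act through a handle rather than by name) or the rename and delete land wherever the planted link points.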