This just hit Slashdot: "According to a text file uploaded on GitHub, Saint Petersburg-based researcher Sergey Zelenyuk has found a chain of bugs that can allow malicious code to escape the VirtualBox virtual machine (the guest OS) and execute on the underlying (host) operating system."
One example article: https://www.zdnet.com/article/virtualbox-zero-day-published-by-disgruntled-researcher/ Slashdot: https://developers.slashdot.org/story/18/11/10/1739206/disgruntled-security-researcher-publishes-major-virtualbox-0-day-exploit His github repo has the technical details. He shows how you can create a console shell to start on the host by using a buffer overrun in the guest: https://github.com/MorteNoir1/virtualbox_e1000_0day The "disgruntled security researcher" part is difficult to read and understand due to broken English. More info is available on his github page. Stéphane -- <https://about.me/stephane.charette?promo=email_sig&utm_source=product&utm_medium=email_sig&utm_campaign=gmail_api&utm_content=thumb> Stéphane Charette about.me/stephane.charette <https://about.me/stephane.charette?promo=email_sig&utm_source=product&utm_medium=email_sig&utm_campaign=gmail_api&utm_content=thumb>
_______________________________________________ vbox-dev mailing list [email protected] https://www.virtualbox.org/mailman/listinfo/vbox-dev
