A security researcher has published a proof-of-concept (PoC) exploit for a vulnerability in Oracle VirtualBox. The flaw affects VirtualBox versions before 7.0.16 and allows an attacker with basic access to a Windows system running VirtualBox to escalate their privileges.
The vulnerability, tracked as CVE-2024-21111, stems from a flaw in how VirtualBox manages its log files. An attacker can trick VirtualBox into misusing its high system privileges to delete or move files, which lets them manipulate critical files and potentially take complete control of the affected system.
It allows an attacker with low-privileged access to the host machine to escalate to NT AUTHORITY\SYSTEM, the highest level of permissions on Windows systems. The exploit takes advantage of VirtualBox's handling of log files: the software moves logs in C:\ProgramData\VirtualBox to backup locations by appending an ordinal number. Because of a flaw in how more than ten logs are managed, however, VirtualBox inadvertently exposes itself to symbolic link attacks that lead to arbitrary file deletion or movement.
Oracle has addressed the vulnerability in its April 2024 Critical Patch Update. If you use Oracle VirtualBox on a Windows machine, it is imperative that you update to version 7.0.16 or later immediately.
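As an added defender-side check that is not part of the article or of Oracle's software, the PowerShell script below reports whether the installed VirtualBox is older than the fixed 7.0.16 release and whether the log directory named above contains any reparse points (symbolic links or junctions) or a large set of rotated logs. The registry location it reads the version from is an assumption.

```powershell
# Added audit script (not from the article or from Oracle) for CVE-2024-21111.
# Assumes the installed version is stored at HKLM:\SOFTWARE\Oracle\VirtualBox
# ("Version" value) and that logs live under C:\ProgramData\VirtualBox.
$FixedVersion = [version]'7.0.16'
$LogDir       = Join-Path $env:ProgramData 'VirtualBox'

function Get-VBoxVersion {
    $key = 'HKLM:\SOFTWARE\Oracle\VirtualBox'
    $raw = (Get-ItemProperty -Path $key -Name Version -ErrorAction SilentlyContinue).Version
    if (-not $raw) { return $null }
    # Keep only the numeric part in case a build suffix such as "r161095" is present
    return [version]($raw -replace 'r\d+$', '')
}

function Test-VBoxPatched {
    # $true when VirtualBox is absent or at/after the fixed release
    $v = Get-VBoxVersion
    return ($null -eq $v) -or ($v -ge $FixedVersion)
}

function Find-LogDirReparsePoints {
    # Log rotation that follows a symlink or junction is the bug's trigger,
    # so any reparse point under the log directory deserves a closer look.
    if (-not (Test-Path $LogDir)) { return @() }
    Get-ChildItem -Path $LogDir -Recurse -Force -ErrorAction SilentlyContinue |
        Where-Object { $_.Attributes -band [IO.FileAttributes]::ReparsePoint } |
        Select-Object FullName, LinkType, Target
}

function Get-RotatedLogCount {
    # Rotated copies are named <name>.log.<N>; the article ties the flaw to
    # more than ten of them, so a high count shows rotation is active.
    if (-not (Test-Path $LogDir)) { return 0 }
    @(Get-ChildItem -Path $LogDir -File -ErrorAction SilentlyContinue |
        Where-Object { $_.Name -match '\.log\.\d+$' }).Count
}
$version = Get-VBoxVersion
if ($null -eq $version) {
    Write-Output 'VirtualBox not found in the registry; nothing to check.'
} elseif (Test-VBoxPatched) {
    Write-Output "VirtualBox $version is at or above $FixedVersion (patched)."
} else {
    Write-Warning "VirtualBox $version is below ${FixedVersion}: CVE-2024-21111 is unpatched."
}
$links = @(Find-LogDirReparsePoints)
if ($links.Count -gt 0) {
    Write-Warning "Reparse points found under ${LogDir}:"
    $links | Format-Table -AutoSize
}
Write-Output ("Rotated VirtualBox logs present: {0}" -f (Get-RotatedLogCount))
```

Run it from an elevated PowerShell session so the registry key and the ProgramData directory are readable; a reparse point inside the log directory on an unpatched host is a finding worth investigating rather than proof of compromise.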