Hi Kavita,
I hope you will forgive us our reluctance to discuss product security in
details in public forums. I can assure you, though, that the
set-uid-to-root approach is a necessary and, to our knowledge, secure
measure. Below I've give a couple of clues to help you a tiny bit along.
On 3/14/2014 9:55 PM, Kavita Agarwal wrote:
There seems to exist a cookie based authentication mechanism for these
requests. However, static cookie values are used - which may explain
the need to restrict these requests to be issued by only root to avoid
an attacker messing with a running VM.
The cookies are still there for hysterical raisins, dating back to long
before VirtualBox was open sourced (IIRC) and the world was a different
place security wise.
If the /dev/vboxdrv is opened for access to all, a possible attack can
be that the attacker will guess the pSession pointer and use that as
an argument in pReq to send fake ioctl requests for other VMs.
If you study the SUPDrv-linux.c file, you will see that the pSession
pointer is associated with the file descriptor for /dev/vboxdrv.
Please let us know if we are missing something or is our understanding
correct?
I'm sorry to have to say this, but I'm afraid your understanding is far
from complete at this point, both with respect to what vboxdrv is
capable of doing and how it works. VirtualBox has become a relatively
complicated affair over the years, so figuring out the more paranoid
parts isn't necessarily straight forward.
Kind Regards,
bird.
_______________________________________________
vbox-dev mailing list
[email protected]
https://www.virtualbox.org/mailman/listinfo/vbox-dev
