Nytro
Posted July 9, 2014

[h=1]GKsu and VirtualBox Root Command Execution by Filename (CVE-2014-2943)[/h]

Posted by Brandon Perry in Metasploit on Jul 7, 2014 11:59:03 AM

[h=2]Poisoning VirtualBox via Crafted Filenames[/h]

When I began researching this, I believed the vulnerability lay within VirtualBox, but I realized this was not true after a bit. The vulnerability being hit is actually within gksu itself. In fact, VirtualBox did everything right (sort of). I do take advantage of a weakness in the way they validate their extension packs, but the reason the vulnerability results in a root shell is because the vulnerability is hit after gksu escalates privs to root. You *must* install the extension pack via the helper app, so that means double clicking or opening from the graphical UI. This also works when reinstalling the same (but maliciously-renamed) extension pack.

Incidentally, this bug was already reported in the maintainer's bug tracker, but it seems unclear of the true, dangerous scope of the bug, when it comes to things like VirtualBox, various package managers, et cetera.

Article: https://community.rapid7.com/community/metasploit/blog/2014/07/07/virtualbox-filename-command-execution-via-gksu