Malicious OVA files - is this technically possible?

twonkleman
Posts: 4
Joined: 9. Aug 2021, 12:04

Malicious OVA files - is this technically possible?

Post by twonkleman »

An OVA file is convenient inasmuch as there is no need to configure the memory, sound, etc as for an ISO file.

However, could an OVA file contain some kind of malicious code / backdoor / exploit? The user will be either double-clicking the OVA or using Import in VirtualBox and selecting the OVA file.

Is it technically possible for an OVA file to contain malicious code?
scottgus1
Site Moderator
Posts: 20965
Joined: 30. Dec 2009, 20:14
Primary OS: MS Windows 10
VBox Version: PUEL
Guest OSses: Windows, Linux

Re: Malicious OVA files - is this technically possible?

Post by scottgus1 »

OVA is really part of the OVF format, which is not controlled by Virtualbox. A web-search on malware vectors within OVF may give you more solid data.

However, an OVA is really a 'tar' archive. It consists of an OVF text file, .vmdk compressed disk file(s?), and (maybe?) a .mf text file or other certificates.

The .ovf contains XML. The .mf contains SHA hashes of the .ovf and the .vmdk.

The .ovf XML file may contain whatever malware vectors an XML file could contain.

The tar archive itself can contain whatever malware vectors a tar archive could contain.

The .vmdk can contain heaven knows what, so it should always be considered a malware possibility.

Since OVAs can be made by anyone, a responsible program should sanitize the data in the .ovf and the .mf, looking only for what it expects to find, rather than blindly running whatever it sees.

Some of the errors posted by users in the forum with failed OVA imports seem to demonstrate that Virtualbox sanitizes the OVF input. A perusal of the Virtualbox source code could check this more.
mpack
Site Moderator
Posts: 39156
Joined: 4. Sep 2008, 17:09
Primary OS: MS Windows 10
VBox Version: PUEL
Guest OSses: Mostly XP

Re: Malicious OVA files - is this technically possible?

Post by mpack »

An OVA is just a wrapper around a VMDK, i.e. around a disk image format, so it can contain any malware that could be on a disk.

Not really a problem though: the malware is confined to the VM, unless the user does several dumb and thoughtless things in a row to cause the infection to spread.
twonkleman
Posts: 4
Joined: 9. Aug 2021, 12:04

Re: Malicious OVA files - is this technically possible?

Post by twonkleman »

@scottgus1 - the only discussion I've found on this topic previously is https://security.stackexchange.com/ques ... an-exploit

In fact, a search for "malware vectors in OVF" brings up this thread as the top post.

Also, in terms of double-clicking the OVF file versus Importing it after loading VirtualBox, does the former introduce potential vulnerabilities that the latter does not? I assume the opening method doesn't matter since when one double-clicks the OVF file, the OS opens that file in VirtualBox (as the OS opens VirtualBox to display the OVF file). I'm just wondering if double-clicking to open the OVF outside VirtualBox potentially could introduce a vulnerability?
mpack
Site Moderator
Posts: 39156
Joined: 4. Sep 2008, 17:09
Primary OS: MS Windows 10
VBox Version: PUEL
Guest OSses: Mostly XP

Re: Malicious OVA files - is this technically possible?

Post by mpack »

Importing an OVA doesn't present any risk at all, no matter how you do it. Malware doesn't spread by contact, it spreads when you run the code. I.e. you have to launch the VM, and then the malware will be inside the VM - one of the uses of which is to provide a safe test environment for malware. To "infect" the host you would then have to copy the malware to the host, and then you have to do something else to run it there (assuming the malware is compatible with the host).

Cutting to the chase: malware is not some kind of voodoo spell. It's merely a program that does something you wouldn't like, and like all programs it can't do anything until you run it. In the modern era very few programs get to run without your permission, especially if they are not digitally signed.
scottgus1
Site Moderator
Posts: 20965
Joined: 30. Dec 2009, 20:14
Primary OS: MS Windows 10
VBox Version: PUEL
Guest OSses: Windows, Linux

Re: Malicious OVA files - is this technically possible?

Post by scottgus1 »

twonkleman wrote: in terms of double-clicking the OVF file versus Importing it after loading VirtualBox, does the former introduce potential vulnerabilities that the latter does not?
You'd have to peruse the Virtualbox source code to see if there are different routines for these two start-up methods. Double clicking comes into Virtualbox via command-line, whereas using File menu > Import is after Virtualbox is running. Do both methods use the same final routine?

Virtualbox has had OVA importing since version 2. It's unlikely there is a problem in the .ovf and .mf parsing functions. The big black hole is what's in the .vmdk. And folks take that risk downloading and running anything on their computers.
twonkleman
Posts: 4
Joined: 9. Aug 2021, 12:04

Re: Malicious OVA files - is this technically possible?

Post by twonkleman »

scottgus1 wrote: Virtualbox has had OVA importing since version 2. It's unlikely there is a problem in the .ovf and .mf parsing functions. The big black hole is what's in the .vmdk. And folks take that risk downloading and running anything on their computers.
Could the .vmdk file affect the host computer? Or just the VM itself?
twonkleman
Posts: 4
Joined: 9. Aug 2021, 12:04

Re: Malicious OVA files - is this technically possible?

Post by twonkleman »

mpack wrote: Importing an OVA doesn't present any risk at all, no matter how you do it. Malware doesn't spread by contact, it spreads when you run the code. I.e. you have to launch the VM, and then the malware will be inside the VM - one of the uses of which is to provide a safe test environment for malware. To "infect" the host you would then have to copy the malware to the host, and then you have to do something else to run it there (assuming the malware is compatible with the host).
So at the risk of asking an obvious question: say there is an OVA file which has VMDK code engineered to include some kind of malware / exploit / backdoor / etc. That code will only execute within VirtualBox itself (rather than the host). Yes?
Martin
Volunteer
Posts: 2560
Joined: 30. May 2007, 18:05
Primary OS: Fedora other
VBox Version: PUEL
Guest OSses: XP, Win7, Win10, Linux, OS/2

Re: Malicious OVA files - is this technically possible?

Post by Martin »

An OVA is a tar compressed file which contains:
- a text file .OVF which describes the VM configuration
- data files .VMDK which just contain the data of the virtual disk(s)
- sometimes a .MF text file which contains checksums for the other files

Nothing there could be a "program" which would get executed when the .OVA is unpacked or the VM is registered using the files inside.

The only possible exploit vector I can see would be a bug in the tar decompression algorithm. This would be known very fast because it is open source and used everywhere without problems for decades.
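Both scottgus1 and Martin above describe the same layout: a tar archive holding an .ovf XML descriptor, one or more .vmdk disk files and optionally an .mf manifest with SHA hashes. The script below is an added example written for this thread (not VirtualBox code and not anything the posters supplied) showing the checks a cautious importer can run on an OVA before handing it to VirtualBox: reject tar entries whose names would escape the extraction directory, verify every shipped file against the manifest, refuse an OVF that carries a DOCTYPE (the usual route for XML entity-expansion tricks), confirm that every disk the OVF references is actually in the archive under a plain name, and list what each Ethernet adapter is wired to so you can decide whether to cut the network before first boot. The sample OVA it builds in memory is constructed here: the .vmdk member is placeholder bytes, not a real disk image, and the OVF is a trimmed-down descriptor in the standard DMTF namespaces, not one exported by VirtualBox.

```python
"""Pre-import checks for an OVA archive (added example, not VirtualBox code)."""
import hashlib
import hmac
import io
import re
import tarfile
import xml.etree.ElementTree as ET

OVF_NS = "http://schemas.dmtf.org/ovf/envelope/1"
RASD_NS = ("http://schemas.dmtf.org/wbem/wscim/1/cim-schema/2/"
           "CIM_ResourceAllocationSettingData")
ETHERNET_ADAPTER = "10"  # CIM ResourceType value for an Ethernet adapter
# A manifest line looks like:  SHA256(disk1.vmdk)= <hex digest>
MANIFEST_LINE = re.compile(r"^(SHA1|SHA256)\((.+?)\)=\s*([0-9A-Fa-f]+)\s*$")


def safe_member_name(name):
    """Accept only a bare file name: no directories, no '..', no absolute paths."""
    return name not in ("", ".", "..") and "/" not in name and "\\" not in name


def parse_manifest(text):
    """Map file name -> (algorithm, lowercase hex digest); reject unknown lines."""
    entries = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = MANIFEST_LINE.match(line)
        if not m:
            raise ValueError(f"unrecognised manifest line: {line!r}")
        entries[m.group(2)] = (m.group(1).lower(), m.group(3).lower())
    return entries


def inspect_ova(ova_bytes):
    """Return {'findings': [...], 'verified': [...], 'network': [...]} for an OVA."""
    report = {"findings": [], "verified": [], "network": []}
    findings, members = report["findings"], {}
    with tarfile.open(fileobj=io.BytesIO(ova_bytes), mode="r:*") as tar:
        for ti in tar:  # read members into memory; nothing is extracted to disk
            if not safe_member_name(ti.name):
                findings.append(f"unsafe entry name: {ti.name!r}")
            elif not ti.isfile():
                findings.append(f"non-regular entry: {ti.name!r}")
            else:
                members[ti.name] = tar.extractfile(ti).read()
    ovf_names = [n for n in members if n.lower().endswith(".ovf")]
    mf_names = [n for n in members if n.lower().endswith(".mf")]
    if len(ovf_names) != 1:
        findings.append(f"expected exactly one .ovf, found {len(ovf_names)}")
        return report
    # Manifest: every shipped file must be listed, and every listed digest must match.
    if not mf_names:
        findings.append("no .mf manifest: integrity of the archive cannot be checked")
    else:
        try:
            manifest = parse_manifest(members[mf_names[0]].decode("utf-8"))
        except (UnicodeDecodeError, ValueError) as exc:
            findings.append(f"manifest unusable: {exc}")
            manifest = {}
        for name, blob in members.items():
            if name == mf_names[0]:
                continue
            if name not in manifest:
                findings.append(f"not covered by manifest: {name!r}")
            elif hmac.compare_digest(hashlib.new(manifest[name][0], blob).hexdigest(),
                                     manifest[name][1]):
                report["verified"].append(name)
            else:
                findings.append(f"manifest mismatch: {name!r}")
    # OVF: refuse a DOCTYPE outright (entity expansion), then parse the XML.
    ovf_bytes = members[ovf_names[0]]
    if b"<!DOCTYPE" in ovf_bytes.upper():
        findings.append("OVF declares a DOCTYPE; refusing to parse it")
        return report
    try:
        root = ET.fromstring(ovf_bytes)
    except ET.ParseError as exc:
        findings.append(f"OVF is not well-formed XML: {exc}")
        return report
    ns = {"ovf": OVF_NS, "rasd": RASD_NS}
    for ref in root.findall("ovf:References/ovf:File", ns):
        href = ref.get(f"{{{OVF_NS}}}href", "")
        if not safe_member_name(href):
            findings.append(f"referenced path escapes the archive: {href!r}")
        elif href not in members:
            findings.append(f"referenced file missing from archive: {href!r}")
    for item in root.iterfind(".//ovf:VirtualHardwareSection/ovf:Item", ns):
        if item.findtext("rasd:ResourceType", "", ns).strip() == ETHERNET_ADAPTER:
            report["network"].append(item.findtext("rasd:Connection", "?", ns).strip())
    return report


# Constructed sample descriptor in the standard DMTF namespaces (not a VirtualBox export).
SAMPLE_OVF = f"""<?xml version="1.0"?>
<Envelope xmlns="{OVF_NS}" xmlns:ovf="{OVF_NS}" xmlns:rasd="{RASD_NS}">
  <References><File ovf:href="sample-disk1.vmdk" ovf:id="file1"/></References>
  <VirtualSystem ovf:id="sample">
    <VirtualHardwareSection>
      <Item><rasd:ResourceType>10</rasd:ResourceType><rasd:Connection>Bridged</rasd:Connection></Item>
      <Item><rasd:ResourceType>17</rasd:ResourceType><rasd:HostResource>ovf:/disk/vmdisk1</rasd:HostResource></Item>
    </VirtualHardwareSection>
  </VirtualSystem>
</Envelope>
"""


def build_sample_ova(tamper_disk=False, traversal_entry=False):
    """Build a small OVA in memory; the .vmdk member is placeholder bytes, not a real disk."""
    disk = b"constructed placeholder, not a real VMDK image\n"
    files = {"sample.ovf": SAMPLE_OVF.encode("utf-8"), "sample-disk1.vmdk": disk}
    mf = "".join(f"SHA256({n})= {hashlib.sha256(b).hexdigest()}\n" for n, b in files.items())
    if tamper_disk:  # alter the disk after the manifest was computed
        files["sample-disk1.vmdk"] = disk[:-1] + b"!"
    files["sample.mf"] = mf.encode("utf-8")
    if traversal_entry:  # an entry that would land outside the extraction directory
        files["../autorun.sh"] = b"#!/bin/sh\necho constructed\n"
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, blob in files.items():
            info = tarfile.TarInfo(name)
            info.size = len(blob)
            tar.addfile(info, io.BytesIO(blob))
    return buf.getvalue()


if __name__ == "__main__":
    for label, kwargs in [("clean", {}), ("tampered disk", {"tamper_disk": True}),
                          ("traversal entry", {"traversal_entry": True})]:
        print(label, inspect_ova(build_sample_ova(**kwargs)))
```

The report only says whether the archive is internally consistent and what the VM will be connected to; it says nothing about what the guest OS inside the .vmdk does, which is the "big black hole" scottgus1 refers to. A manifest match also only proves the files were not altered after the publisher hashed them, not that the publisher was trustworthy.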
fth0
Volunteer
Posts: 5668
Joined: 14. Feb 2019, 03:06
Primary OS: Mac OS X other
VBox Version: PUEL
Guest OSses: Linux, Windows 10, ...
Location: Germany

Re: Malicious OVA files - is this technically possible?

Post by fth0 »

Just in case it isn't clear by now, I'll give you another analogy:

If you buy a (physical) PC with pre-installed OS and software including active malware, and connect this PC to your local network, then it will try to attack your other devices over the network.

If you take a virtual machine (e.g. OVA file) with pre-installed OS and software including active malware from someone else, import it into VirtualBox, and connect this VM to your local network, then it will try to attack your other devices over the network.

A virtual machine is quite similar to a physical PC. You just don't have to crawl under the table to disconnect the network cable. ;)
mpack
Site Moderator
Posts: 39156
Joined: 4. Sep 2008, 17:09
Primary OS: MS Windows 10
VBox Version: PUEL
Guest OSses: Mostly XP

Re: Malicious OVA files - is this technically possible?

Post by mpack »

fth0 wrote: then it will try to attack your other devices over the network.
IMO, that threat is largely overblown. I distinguish between :-
  • Denial of service attacks, which would certainly be possible, but why would anyone bother? And the cure is simple: disconnect the PC from the network and delete the malware (wipe the PC and reinstall the OS if you must). By its nature this malware is very overt, so if you have it you know about it.
  • Spyware attacks, mainly of IoT and cameras and so forth, looking for popular devices still using default admin passwords. This is a credible scenario, the malware by its nature tries to hide. This has happened, so don't leave default admin passwords on your network devices, and maybe also log the network traffic after connecting a new device (the Pi-hole is great for monitoring a network).
  • Infectious malware: this is what most people are worried about and is what I assume is intended by "attack other devices on your network", but it's the least of my concerns. I know of no way for malware to spread out of a VM except by modifying executable files found in shared folders, and the cure is again simple: don't keep executables in shared folders, at least not if you intend to run it on the host. And let's not forget that your host OS may also have security measures in place which will detect modified executables.
birdie
Posts: 428
Joined: 2. May 2010, 14:19
Primary OS: Fedora other
VBox Version: PUEL
Guest OSses: Windows, Linux, other Unixes
Location: Artem S. Tashkinov

Re: Malicious OVA files - is this technically possible?

Post by birdie »

Yes, but it's not even about this format it's about vulnerabilities in VirtualBox itself (which Oracle regularly fixes). A number of such vulnerabilities could allow the bad actor to escape the VM and run code on the host PC, which means you should never trust any premade VMs found on the net blindly.

Another possibility is a security error in parsing routines. If you kept an eye on security mailing lists and news, you'd know that vulnerabilities have been found in many programs and libraries handling various types of files, including image (jpeg, png), video, audio (mp3), media containers (AVI, MKV, etc.) and other formats (PDF, HTML and even EML).

Here are some examples:

1. FFmpeg: https://ffmpeg.org/security.html
2. libpng: https://www.cvedetails.com/vulnerabilit ... ibpng.html
3. JPEG-turbo: https://www.cvedetails.com/vulnerabilit ... turbo.html
4. WinAMP: https://www.cvedetails.com/vulnerabilit ... inamp.html
5. Windows Media Player: https://www.cvedetails.com/vulnerabilit ... layer.html (a metric ton of them)

And since VirtualBox uses kernel drivers to be extra safe you may want to run such VMs on a dedicated PC not directly connected to your LAN.
mpack
Site Moderator
Posts: 39156
Joined: 4. Sep 2008, 17:09
Primary OS: MS Windows 10
VBox Version: PUEL
Guest OSses: Mostly XP

Re: Malicious OVA files - is this technically possible?

Post by mpack »

birdie wrote: If you kept on a eye on security mailing lists and news, you'd know that vulnerabilities have been found in many programs and libraries handling various types files
Most of the media coverage is scare stories, concerning theoretical exploits and not making it clear that it's only theoretical, or only exploits (e.g. causing your program to crash).

None of the examples you mention seem relevant to OVAs or to how VMs might affect the host.

I also don't believe it's true that Oracle "regularly" issues security related fixes for VirtualBox. I can think of two in the last decade (hardening and wannacry amelioration), and the latter of those wasn't really a VirtualBox security fix, it was coping with the performance effects of security fixes applied inside the guest OS. Actually the "split cache line" fix may be considered another of those.
birdie
Posts: 428
Joined: 2. May 2010, 14:19
Primary OS: Fedora other
VBox Version: PUEL
Guest OSses: Windows, Linux, other Unixes
Location: Artem S. Tashkinov

Re: Malicious OVA files - is this technically possible?

Post by birdie »

mpack wrote: Most of the media coverage is scare stories, concerning theoretical exploits and not making it clear that it's only theoretical, or only exploits (e.g. causing your program to crash).

None of the examples you mention seem relevant to OVAs or to how VMs might affect the host.

I also don't believe it's true that Oracle "regularly" issues security related fixes for VirtualBox. I can think of two in the last decade (hardening and wannacry amelioration), and the latter of those wasn't really a VirtualBox security fix, it was coping with the performance effects of security fixes applied inside the guest OS. Actually the "split cache line" fix may be considered another of those.
https://www.cvedetails.com/vulnerabilit ... albox.html

Overall 301 vulnerabilities, some of which have been practical, not theoretical (and allowing one to escape the VM and run code on the host OS):

https://secret.club/2021/01/14/vbox-escape.html
https://www.helpnetsecurity.com/2018/11 ... cape-0day/
https://cve.mitre.org/cgi-bin/cvename.c ... -2014-0983
https://cve.mitre.org/cgi-bin/cvename.c ... -2018-2698

One of the recent hacking attempts which have netted a $40K reward:
EXPLOIT #5: Phi Phạm Hồng (@4nhdaden) of STAR Labs (@starlabs_sg) targeted Oracle VirtualBox in the Virtualization category.

The exploit was successful - The researcher used an out-of-bounds read bug for an info leak and an uninitialized variable for code execution on the VirtualBox hypervisor. He earns himself $40,000 and 4 Master of Pwn points.
I absolutely don't understand why you're so sure about VirtualBox being impenetrable. It hasn't been and new vulnerabilities are very likely to be found again considering the complexity of the code.
Last edited by birdie on 11. Aug 2021, 19:00, edited 1 time in total.
scottgus1
Site Moderator
Posts: 20965
Joined: 30. Dec 2009, 20:14
Primary OS: MS Windows 10
VBox Version: PUEL
Guest OSses: Windows, Linux

Re: Malicious OVA files - is this technically possible?

Post by scottgus1 »

Not weighing in on the non-OVA-related question re vulnerabilities in Virtualbox, but I did notice something in several postings in the cvedetails.com link:
exploitable vulnerability allows high privileged attacker with logon to the infrastructure where Oracle VM VirtualBox executes
This sounds a lot like:
"If the attacker had physical access to your computer it's no longer your computer."
:D

Maybe as an encompassing answer to OP's question:

Yes it is technically possible for an OVA to be malicious. You'll have to weigh risk vs benefit to decide if downloading an OVA is good for you or the owners of the computer you're using. Some OVA distributors depend on a good internet reputation so they won't try to distribute malicious OVAs, but they could have been hacked. Calculate the risk and decide.