Malicious OVA files - is this technically possible?
-
- Posts: 4
- Joined: 9. Aug 2021, 12:04
Malicious OVA files - is this technically possible?
An OVA file is convenient inasmuch as there is no need to configure the memory, sound, etc as for an ISO file.
However, could an OVA file contain some kind of malicious code / backdoor / exploit? The user will be either double-clicking the OVA or using Import in VirtualBox and selecting the OVA file.
Is it technically possible for an OVA file to contain malicious code?
-
- Site Moderator
- Posts: 20945
- Joined: 30. Dec 2009, 20:14
- Primary OS: MS Windows 10
- VBox Version: PUEL
- Guest OSses: Windows, Linux
Re: Malicious OVA files - is this technically possible?
OVA is really part of the OVF format, which is not controlled by Virtualbox. A web-search on malware vectors within OVF may give you more solid data.
However, an OVA is really a 'tar' archive. It consists of an OVF text file, .vmdk compressed disk file(s?), and (maybe?) a .mf text file or other certificates.
The .ovf contains XML. The .mf contains SHA hashes of the .ovf and the .vmdk.
The .ovf XML file may contain whatever malware vectors an XML file could contain.
The tar archive itself can contain whatever malware vectors a tar archive could contain.
The .vmdk can contain heaven knows what, so it should always be considered a malware possibility.
Since OVAs can be made by anyone, a responsible program should sanitize the data in the .ovf and the .mf, looking only for what it expects to find, rather than blindly running whatever it sees.
Some of the errors posted by users in the forum with failed OVA imports seem to demonstrate that Virtualbox sanitizes the OVF input. A perusal of the Virtualbox source code could check this more.
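As an added example (not code from this thread, from VirtualBox, or from the OVF tooling), the checks scottgus1 describes, applied by a small Python inspector to a constructed in-memory OVA: the archive is walked as a plain tar, member names are checked for path tricks, the .mf manifest lines (format `SHA256(name)= hexdigest`) are recomputed against the .ovf and .vmdk, and the .ovf is parsed as XML only after refusing DTD/entity declarations. The rule that the descriptor must be the first archive member follows the OVF packaging specification; the sample descriptor, disk bytes, network name and file names are constructed for the demo.

```python
import hashlib
import io
import re
import tarfile
import xml.etree.ElementTree as ET

# Real OVF envelope namespace; everything else below is constructed sample data.
OVF_NS = "http://schemas.dmtf.org/ovf/envelope/1"
SAMPLE_OVF = f"""<?xml version="1.0" encoding="UTF-8"?>
<Envelope xmlns="{OVF_NS}" xmlns:ovf="{OVF_NS}">
  <References>
    <File ovf:href="demo-disk1.vmdk" ovf:id="file1" ovf:size="16"/>
  </References>
  <NetworkSection>
    <Network ovf:name="NAT"><Description>Constructed network</Description></Network>
  </NetworkSection>
  <VirtualSystem ovf:id="demo"><Name>demo</Name></VirtualSystem>
</Envelope>
""".encode()
SAMPLE_VMDK = b"constructed-disk"  # placeholder bytes standing in for a disk image

MANIFEST_RE = re.compile(r"^(SHA1|SHA256)\((.+?)\)=\s*([0-9a-fA-F]+)\s*$")
ALLOWED_EXT = (".ovf", ".vmdk", ".mf", ".cert")  # the member types an OVA may carry


def build_manifest(files):
    """Constructed .mf: one 'SHA256(name)= hexdigest' line per (name, bytes) pair."""
    lines = [f"SHA256({name})= {hashlib.sha256(data).hexdigest()}" for name, data in files]
    return ("\n".join(lines) + "\n").encode()


def build_ova(files):
    """Pack (name, bytes) pairs into an uncompressed tar, which is all an OVA is."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, data in files:
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def inspect_ova(data):
    """Sanitize an OVA the way a cautious importer should: expect only known members."""
    report = {"files": [], "problems": [], "disks": [], "networks": []}
    problems = report["problems"]
    digests, texts = {}, {}  # sha256 per member; raw bytes only for the small text members
    with tarfile.open(fileobj=io.BytesIO(data), mode="r") as tar:
        for index, info in enumerate(tar.getmembers()):
            name = info.name
            report["files"].append(name)
            if not info.isfile():  # symlinks, devices, directories have no business here
                problems.append(f"{name}: not a regular file")
                continue
            if "/" in name or "\\" in name or name in (".", ".."):  # OVA members are flat
                problems.append(f"{name}: unsafe path in archive")
                continue
            if not name.lower().endswith(ALLOWED_EXT):
                problems.append(f"{name}: unexpected member type")
            if index == 0 and not name.lower().endswith(".ovf"):
                problems.append("descriptor (.ovf) is not the first member")
            f = tar.extractfile(info)
            if name.lower().endswith((".ovf", ".mf")):
                texts[name] = f.read()
                digests[name] = hashlib.sha256(texts[name]).hexdigest()
            else:  # disks can be many GB: hash in chunks, never load them whole
                h = hashlib.sha256()
                for chunk in iter(lambda: f.read(1 << 20), b""):
                    h.update(chunk)
                digests[name] = h.hexdigest()
    # Manifest: every listed digest must match, and every data member must be listed.
    mf_names = [n for n in texts if n.lower().endswith(".mf")]
    if mf_names:
        listed = set()
        for line in texts[mf_names[0]].decode("utf-8", "replace").splitlines():
            if not line.strip():
                continue
            m = MANIFEST_RE.match(line)
            if not m:
                problems.append(f"manifest: unparseable line {line!r}")
                continue
            algo, fname, expected = m.groups()
            listed.add(fname)
            if algo != "SHA256":
                problems.append(f"manifest: {fname} uses {algo}, only SHA256 is verified here")
            elif fname not in digests:
                problems.append(f"manifest: {fname} listed but not in archive")
            elif digests[fname] != expected.lower():
                problems.append(f"manifest: digest mismatch for {fname}")
        for name in digests:
            if name not in listed and not name.lower().endswith((".mf", ".cert")):
                problems.append(f"manifest: {name} present in archive but not in manifest")
    else:
        problems.append("no manifest (.mf): descriptor and disk integrity is unverified")
    # Descriptor: plain XML, no DTD or entities, and every referenced file must exist.
    ovf_names = [n for n in texts if n.lower().endswith(".ovf")]
    if len(ovf_names) != 1:
        problems.append(f"expected exactly one .ovf descriptor, found {len(ovf_names)}")
        return report
    ovf = texts[ovf_names[0]]
    if b"<!DOCTYPE" in ovf or b"<!ENTITY" in ovf:
        problems.append("descriptor declares a DTD/entities; rejected before parsing")
        return report
    try:
        root = ET.fromstring(ovf)
    except ET.ParseError as exc:
        problems.append(f"descriptor is not well-formed XML: {exc}")
        return report
    ns = {"ovf": OVF_NS}
    for elem in root.findall("ovf:References/ovf:File", ns):
        href = elem.get(f"{{{OVF_NS}}}href", "")
        report["disks"].append(href)
        if href not in digests:
            problems.append(f"descriptor references {href!r}, which is not in the archive")
    for net in root.findall("ovf:NetworkSection/ovf:Network", ns):
        report["networks"].append(net.get(f"{{{OVF_NS}}}name", "?"))
    return report


if __name__ == "__main__":
    files = [("demo.ovf", SAMPLE_OVF), ("demo-disk1.vmdk", SAMPLE_VMDK)]
    ova = build_ova(files + [("demo.mf", build_manifest(files))])
    print(inspect_ova(ova))
```

The report lists the networks the descriptor expects, so you know before the first boot whether the VM wants a NIC, and a digest mismatch on a disk tells you the package was altered after its manifest was written (the manifest protects integrity, not intent: a disk that was malicious when packaged verifies cleanly).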
-
- Site Moderator
- Posts: 39134
- Joined: 4. Sep 2008, 17:09
- Primary OS: MS Windows 10
- VBox Version: PUEL
- Guest OSses: Mostly XP
Re: Malicious OVA files - is this technically possible?
An OVA is just a wrapper around a VMDK, i.e. around a disk image format, so it can contain any malware that could be on a disk.
Not really a problem though: the malware is confined to the VM, unless the user does several dumb and thoughtless things in a row to cause the infection to spread.
-
- Posts: 4
- Joined: 9. Aug 2021, 12:04
Re: Malicious OVA files - is this technically possible?
@scottgus1 - the only discussion I've found on this topic previously is https://security.stackexchange.com/ques ... an-exploit
In fact, a search for "malware vectors in OVF" brings up this thread as the top post.
Also, in terms of double-clicking the OVF file versus Importing it after loading VirtualBox, does the former introduce potential vulnerabilities that the latter does not? I assume the opening method doesn't matter since when one double-clicks the OVF file, the OS opens that file in VirtualBox (as the OS opens VirtualBox to display the OVF file). I'm just wondering if double-clicking to open the OVF outside VirtualBox potentially could introduce a vulnerability?
-
- Site Moderator
- Posts: 39134
- Joined: 4. Sep 2008, 17:09
- Primary OS: MS Windows 10
- VBox Version: PUEL
- Guest OSses: Mostly XP
Re: Malicious OVA files - is this technically possible?
Importing an OVA doesn't present any risk at all, no matter how you do it. Malware doesn't spread by contact, it spreads when you run the code. I.e. you have to launch the VM, and then the malware will be inside the VM - one of the uses of which is to provide a safe test environment for malware. To "infect" the host you would then have to copy the malware to the host, and then you have to do something else to run it there (assuming the malware is compatible with the host).
Cutting to the chase: malware is not some kind of voodoo spell. It's merely a program that does something you wouldn't like, and like all programs it can't do anything until you run it. In the modern era very few programs get to run without your permission, especially if they are not digitally signed.
-
- Site Moderator
- Posts: 20945
- Joined: 30. Dec 2009, 20:14
- Primary OS: MS Windows 10
- VBox Version: PUEL
- Guest OSses: Windows, Linux
Re: Malicious OVA files - is this technically possible?
twonkleman wrote:
> in terms of double-clicking the OVF file versus Importing it after loading VirtualBox, does the former introduce potential vulnerabilities that the latter does not?

You'd have to peruse the Virtualbox source code to see if there are different routines for these two start-up methods. Double clicking comes into Virtualbox via command-line, whereas using File menu > Import is after Virtualbox is running. Do both methods use the same final routine?
Virtualbox has had OVA importing since version 2. It's unlikely there is a problem in the .ovf and .mf parsing functions. The big black hole is what's in the .vmdk. And folks take that risk downloading and running anything on their computers.
-
- Posts: 4
- Joined: 9. Aug 2021, 12:04
Re: Malicious OVA files - is this technically possible?
scottgus1 wrote:
> Virtualbox has had OVA importing since version 2. It's unlikely there is a problem in the .ovf and .mf parsing functions. The big black hole is what's in the .vmdk. And folks take that risk downloading and running anything on their computers.

Could the .vmdk file affect the host computer? Or just the VM itself?
-
- Posts: 4
- Joined: 9. Aug 2021, 12:04
Re: Malicious OVA files - is this technically possible?
mpack wrote:
> Importing an OVA doesn't present any risk at all, no matter how you do it. Malware doesn't spread by contact, it spreads when you run the code. I.e. you have to launch the VM, and then the malware will be inside the VM - one of the uses of which is to provide a safe test environment for malware. To "infect" the host you would then have to copy the malware to the host, and then you have to do something else to run it there (assuming the malware is compatible with the host).

So at the risk of asking an obvious question: say there is an OVA file which has VMDK code engineered to include some kind of malware / exploit / backdoor / etc. That code will only execute within VirtualBox itself (rather than the host). Yes?
-
- Volunteer
- Posts: 2561
- Joined: 30. May 2007, 18:05
- Primary OS: Fedora other
- VBox Version: PUEL
- Guest OSses: XP, Win7, Win10, Linux, OS/2
Re: Malicious OVA files - is this technically possible?
An OVA is a tar compressed file which contains:
- a text file .OVF which describes the VM configuration
- data files .VMDK which just contain the data of the virtual disk(s)
- sometimes a .MF text file which contains checksums for the other files
Nothing there could be a "program" which would get executed when the .OVA is unpacked or the VM is registered using the files inside.
The only possible exploit vector I can see would be a bug in the tar decompression algorithm. This would be known very fast because it is open source and used everywhere without problems for decades.
-
- Volunteer
- Posts: 5678
- Joined: 14. Feb 2019, 03:06
- Primary OS: Mac OS X other
- VBox Version: PUEL
- Guest OSses: Linux, Windows 10, ...
- Location: Germany
Re: Malicious OVA files - is this technically possible?
Just in case it isn't clear by now, I'll give you another analogy:
If you buy a (physical) PC with pre-installed OS and software including active malware, and connect this PC to your local network, then it will try to attack your other devices over the network.
If you take a virtual machine (e.g. OVA file) with pre-installed OS and software including active malware from someone else, import it into VirtualBox, and connect this VM to your local network, then it will try to attack your other devices over the network.
A virtual machine is quite similar to a physical PC. You just don't have to crawl under the table to disconnect the network cable.
-
- Site Moderator
- Posts: 39134
- Joined: 4. Sep 2008, 17:09
- Primary OS: MS Windows 10
- VBox Version: PUEL
- Guest OSses: Mostly XP
Re: Malicious OVA files - is this technically possible?
fth0 wrote:
> then it will try to attack your other devices over the network.

IMO, that threat is largely overblown. I distinguish between :-
- Denial of service attacks, which would certainly be possible, but why would anyone bother? And the cure is simple: disconnect the PC from the network and delete the malware (wipe the PC and reinstall the OS if you must). By its nature this malware is very overt, so if you have it you know about it.
- Spyware attacks, mainly of IoT and cameras and so forth, looking for popular devices still using default admin passwords. This is a credible scenario, the malware by its nature tries to hide. This has happened, so don't leave default admin passwords on your network devices, and maybe also log the network traffic after connecting a new device (the Pi-hole is great for monitoring a network).
- Infectious malware: this is what most people are worried about and is what I assume is intended by "attack other devices on your network", but it's the least of my concerns. I know of no way for malware to spread out of a VM except by modifying executable files found in shared folders, and the cure is again simple: don't keep executables in shared folders, at least not if you intend to run it on the host. And let's not forget that your host OS may also have security measures in place which will detect modified executables.
-
- Posts: 429
- Joined: 2. May 2010, 14:19
- Primary OS: Fedora other
- VBox Version: PUEL
- Guest OSses: Windows, Linux, other Unixes
- Location: Artem S. Tashkinov
- Contact:
Re: Malicious OVA files - is this technically possible?
Yes, but it's not even about this format; it's about vulnerabilities in VirtualBox itself (which Oracle regularly fixes). A number of such vulnerabilities could allow the bad actor to escape the VM and run code on the host PC, which means you should never trust any premade VMs found on the net blindly.
Another possibility is a security error in parsing routines. If you kept an eye on security mailing lists and news, you'd know that vulnerabilities have been found in many programs and libraries handling various types of files, including image (jpeg, png), video, audio (mp3), media containers (AVI, MKV, etc.) and other formats (PDF, HTML and even EML).
Here are some examples:
1. FFmpeg: https://ffmpeg.org/security.html
2. libpng: https://www.cvedetails.com/vulnerabilit ... ibpng.html
3. JPEG-turbo: https://www.cvedetails.com/vulnerabilit ... turbo.html
4. WinAMP: https://www.cvedetails.com/vulnerabilit ... inamp.html
5. Windows Media Player: https://www.cvedetails.com/vulnerabilit ... layer.html (a metric ton of them)
And since VirtualBox uses kernel drivers, to be extra safe you may want to run such VMs on a dedicated PC not directly connected to your LAN.
-
- Site Moderator
- Posts: 39134
- Joined: 4. Sep 2008, 17:09
- Primary OS: MS Windows 10
- VBox Version: PUEL
- Guest OSses: Mostly XP
Re: Malicious OVA files - is this technically possible?
birdie wrote:
> If you kept an eye on security mailing lists and news, you'd know that vulnerabilities have been found in many programs and libraries handling various types of files

Most of the media coverage is scare stories, concerning theoretical exploits and not making it clear that it's only theoretical, or only exploits (e.g. causing your program to crash).
None of the examples you mention seem relevant to OVAs or to how VMs might affect the host.
I also don't believe it's true that Oracle "regularly" issues security related fixes for VirtualBox. I can think of two in the last decade (hardening and wannacry amelioration), and the latter of those wasn't really a VirtualBox security fix, it was coping with the performance effects of security fixes applied inside the guest OS. Actually the "split cache line" fix may be considered another of those.
-
- Posts: 429
- Joined: 2. May 2010, 14:19
- Primary OS: Fedora other
- VBox Version: PUEL
- Guest OSses: Windows, Linux, other Unixes
- Location: Artem S. Tashkinov
- Contact:
Re: Malicious OVA files - is this technically possible?
mpack wrote:
> Most of the media coverage is scare stories, concerning theoretical exploits and not making it clear that it's only theoretical, or only exploits (e.g. causing your program to crash).
> None of the examples you mention seem relevant to OVAs or to how VMs might affect the host.
> I also don't believe it's true that Oracle "regularly" issues security related fixes for VirtualBox. I can think of two in the last decade (hardening and wannacry amelioration), and the latter of those wasn't really a VirtualBox security fix, it was coping with the performance effects of security fixes applied inside the guest OS. Actually the "split cache line" fix may be considered another of those.

https://www.cvedetails.com/vulnerabilit ... albox.html
Overall 301 vulnerabilities some of which have been practical, not theoretical (and allowing to escape the VM and run code on the host OS):
https://secret.club/2021/01/14/vbox-escape.html
https://www.helpnetsecurity.com/2018/11 ... cape-0day/
https://cve.mitre.org/cgi-bin/cvename.c ... -2014-0983
https://cve.mitre.org/cgi-bin/cvename.c ... -2018-2698
One of the recent hacking attempts which have netted a $40K reward:
> EXPLOIT #5: Phi Phạm Hồng (@4nhdaden) of STAR Labs (@starlabs_sg) targeted Oracle VirtualBox in the Virtualization category.
> The exploit was successful - The researcher used an out-of-bounds read bug for an info leak and an uninitialized variable for code execution on the VirtualBox hypervisor. He earns himself $40,000 and 4 Master of Pwn points.

I absolutely don't understand why you're so sure about VirtualBox being impenetrable. It hasn't been and new vulnerabilities are very likely to be found again considering the complexity of the code.
Last edited by birdie on 11. Aug 2021, 19:00, edited 1 time in total.
-
- Site Moderator
- Posts: 20945
- Joined: 30. Dec 2009, 20:14
- Primary OS: MS Windows 10
- VBox Version: PUEL
- Guest OSses: Windows, Linux
Re: Malicious OVA files - is this technically possible?
Not weighing in on the non-OVA-related question re vulnerabilities in Virtualbox, but I did notice something in several postings in the cvedetails.com link:
> exploitable vulnerability allows high privileged attacker with logon to the infrastructure where Oracle VM VirtualBox executes

This sounds a lot like:
"If the attacker had physical access to your computer it's no longer your computer."

Maybe as an encompassing answer to OP's question:
Yes, it is technically possible for an OVA to be malicious. You'll have to weigh risk vs benefit to decide if downloading an OVA is good for you or the owners of the computer you're using. Some OVA distributors depend on a good internet reputation so they won't try to distribute malicious OVAs, but they could have been hacked. Calculate the risk and decide.