I actually want drag and drop!

stevobm
Posts: 2
Joined: 23. Aug 2014, 06:50

I actually want drag and drop!

Post by stevobm »

I'm a student in China who has used VirtualBox for 6 years. I have also seen the growth of VB over these years. However, I can't give up another VM while I'm using VB, whose name is VirtualPC. Sounds incredible, right? It's old software, released in 2007 (the version I use), but why can't I get rid of it? The true reason is its perfect drag-and-drop support! Even after so many years of endeavor, I still can't drag a file into and out of VB elegantly. Maybe you will say, it's out of consideration of security and there are many other ways to share files as well. But what can be easier than a simple drag? Why should we make it more complex? Moreover, if you don't provide drag and drop, users will still put files in and out anyway; it's no safer than drag itself. In a word, I want it, I want drag and drop, and I have been waiting for it for years, and around me there are millions of users like me who are looking forward to it. I registered this account to make our voices heard, wishing to get your attention!
mpack
Site Moderator
Posts: 39134
Joined: 4. Sep 2008, 17:09
Primary OS: MS Windows 10
VBox Version: PUEL
Guest OSses: Mostly XP

Re: I actually want drag and drop!

Post by mpack »

stevobm wrote:Maybe you will say, it's out of consideration of security and there are many other ways to share files as well.
That's exactly what I'll say.
VickersNick
Posts: 41
Joined: 10. Jan 2014, 21:38
Primary OS: MS Windows 7
VBox Version: PUEL
Guest OSses: XP, 7, Ubuntu, Mint

Re: I actually want drag and drop!

Post by VickersNick »

Well, in theory, drag and drop does exist but it only works from host > Linux guests. Per the manual:
Drag’n’Drop
This setting allows to enable Drag and Drop: Select a file on the desktop, click the
left mouse button, move the mouse to the VM window and release the mouse button. The
file is copied from the host to the guest. This feature is currently only implemented for
Linux guests and only for copying files from the host to the guest.
That said, I don't use it but in my limited time playing with it I have never gotten it to work.

However, as a suggestion, it might reduce the number of "why is drag and drop not working" threads if the non-functioning/implemented capabilities (Guest->Host, Bidirectional, etc) were grayed out. Then again, they just might be converted to "why is drag and drop grayed out" threads. Possibly generating a popup saying this was a future enhancement?
dmresource
Posts: 1
Joined: 17. Sep 2014, 16:36

Re: I actually want drag and drop!

Post by dmresource »

I know it may be a bit old now but I too want this. I have been using VirtualPC since 2001 and we could drag and drop. I had no security problems with this, and secondly if you have got software running that can do this running on your machine VB isn't going to stop it!
scottgus1
Site Moderator
Posts: 20945
Joined: 30. Dec 2009, 20:14
Primary OS: MS Windows 10
VBox Version: PUEL
Guest OSses: Windows, Linux

Re: I actually want drag and drop!

Post by scottgus1 »

I don't find myself wishing to transfer files back and forth from host to guest via drag-n-drop much, because I have full networking set up. And I like to run fullscreen, so there's often no place to drag from or to in the same movement.

But I would like to weigh in on one thing regarding drag-n-drop. It may be a security hole, but it has been in use on other hypervisor platforms for years, and the world hasn't ended because of it. (Web-browsing is allowed in guests, and is a far more dangerous vector for security issues, and the world still hasn't ended...) If drag-n-drop, like shared clipboard, were turned off by default for those who didn't want it because of security concerns, and turning it on shows a suitable security warning in the orange text at the bottom of the Settings screen, then it could be used responsibly.

I'd have no idea how to program it so I can't contribute code. But I could think of a process for it using the already-existing file transfer channels in VirtualBox, namely, Guest Additions and VirtualBox Shared Folders: When the Drag-n-Drop is turned on, you have to set a VirtualBox Shared Folder as the Drag-n-Drop folder for the guest. Seeing as the host and VirtualBox are aware of when a mouse click happens in a window, VirtualBox could monitor when a file is picked up on the host and dropped on the guest, or vice versa. The file could then be transferred via VBoxManage and VBoxControl through the VirtualBox Shared Folder and moved to the destination desktop. Basically, automate the process by which it would manually be done without drag-n-drop.
mpack
Site Moderator
Posts: 39134
Joined: 4. Sep 2008, 17:09
Primary OS: MS Windows 10
VBox Version: PUEL
Guest OSses: Mostly XP

Re: I actually want drag and drop!

Post by mpack »

scottgus1 wrote:(Web-browsing is allowed in guests, and is a far more dangerous vector for security issues, and the world still hasn't ended...)
Not comparable as far as I can see. I can't think of any way that web browsing in the guest, however insecure, can give the guest full access to the host.

And I'll remind you all that some of those VM platforms which allow drag and drop only support one host OS family and/or one guest OS family.
VickersNick
Posts: 41
Joined: 10. Jan 2014, 21:38
Primary OS: MS Windows 7
VBox Version: PUEL
Guest OSses: XP, 7, Ubuntu, Mint

Re: I actually want drag and drop!

Post by VickersNick »

mpack wrote:
scottgus1 wrote:(Web-browsing is allowed in guests, and is a far more dangerous vector for security issues, and the world still hasn't ended...)
Not comparable as far as I can see. I can't think of any way that web browsing in the guest, however insecure, can give the guest full access to the host.
It could start with "drive by malware" but still would take a multi-staged process.

Stage 1 would exploit a web browser vulnerability (e.g. CVE-2014-1776 which affects Internet Explorer) that allows you to run arbitrary (i.e. your own) code on the guest. Once the guest is compromised stage 2 would involve exploiting a weakness in VirtualBox (e.g. the OpenGL vulnerability found in v4.3.6 and earlier) which allows you to run arbitrary code on the host. If you can run arbitrary code on the host, especially if you have Admin/root privileges, you can do pretty much anything: install keylogger or RAT, connect host to malicious server, etc, etc.

It wouldn't be easy and a lot of things could potentially break the chain but...it's possible.
mpack
Site Moderator
Posts: 39134
Joined: 4. Sep 2008, 17:09
Primary OS: MS Windows 10
VBox Version: PUEL
Guest OSses: Mostly XP

Re: I actually want drag and drop!

Post by mpack »

That doesn't really strike me as a strong case. If we're going to assume VirtualBox bugs then we don't need an internet browser to cause problems. In any case, buffer overrun exploits have been way overhyped.
VickersNick
Posts: 41
Joined: 10. Jan 2014, 21:38
Primary OS: MS Windows 7
VBox Version: PUEL
Guest OSses: XP, 7, Ubuntu, Mint

Re: I actually want drag and drop!

Post by VickersNick »

Your statement didn't set a ground rule of no VirtualBox bugs - I assume you also rule out shared folders, drag & drop, & bridged networking as ways a compromised guest can compromise a host. If your assumption is a fully patched, bugless, invulnerable VM/Host/VirtualBox configuration then no, it's not possible.

Don't know what you mean by buffer overflows being over-hyped - they've been at the top of the vulnerability list for a long time.
http://www.cvedetails.com/vulnerabilities-by-types.php
mpack
Site Moderator
Posts: 39134
Joined: 4. Sep 2008, 17:09
Primary OS: MS Windows 10
VBox Version: PUEL
Guest OSses: Mostly XP

Re: I actually want drag and drop!

Post by mpack »

Drag and drop is not implemented, see the above discussion.

As to the rest, no, I don't see a particular risk with shared folders or bridged networking comparable to that being discussed. Obviously one can do stupid things with shared folders, but that was never the point of this discussion.

I do wish people wouldn't provide irrelevant links as if authority trumps knowledge. Buffer overruns cause data and stack corruptions which in turn cause crashes. In theory a stack corruption could result in an invalid return address being loaded, and data being executed, but if you know of an instance where someone actually pulled that off outside of a lab, say with the OpenGL library, then do tell.
VickersNick
Posts: 41
Joined: 10. Jan 2014, 21:38
Primary OS: MS Windows 7
VBox Version: PUEL
Guest OSses: XP, 7, Ubuntu, Mint

Re: I actually want drag and drop!

Post by VickersNick »

mpack wrote:I do wish people wouldn't provide irrelevant links as if authority trumps knowledge.
Assuming you looked at the link, I don't know how you argue with those numbers.
mpack wrote:Buffer overruns cause data and stack corruptions which in turn cause crashes. In theory a stack corruption could result in an invalid return address being loaded, and data being executed, but if you know of an instance where someone actually pulled that off outside of a lab, say with the OpenGL library, then do tell.
Maybe I'm reading you wrong mpack, but I get the impression that you view computer security as a lot of nonsense or scare tactics. I'm pretty sure the current hardening exercise Oracle is going through isn't because they were bored and had nothing else to do.

BoFs are not "theory." I have personally written exploits (in a security class) that used a buffer overflow vulnerability to compromise a system. Just about any security course you'll take (OSCP, SANS, etc) will tell you that the example(s) you're working on are taken from real world cases. Now I wouldn't do that out in the real world because I don't feel like going to prison. I haven't done a BoF on the OpenGL library but this link demonstrates the VirtualBox vulnerability:
"Which leads to a reliable VM-to-host escape and arbitrary code execution on the 64bit host OS without crashing VirtualBox."
http://www.vupen.com/blog/20140725.Adva ... Escape.php

As far as BoFs found in the wild go there was the Morris Worm (88), Bolgimo (03), and L10n (04). I don't know if they even bother naming them anymore given the amount of hacks that are discovered annually. I'd love to know how many 0-days are BoF related - a security expert would have to answer that.
mpack
Site Moderator
Posts: 39134
Joined: 4. Sep 2008, 17:09
Primary OS: MS Windows 10
VBox Version: PUEL
Guest OSses: Mostly XP

Re: I actually want drag and drop!

Post by mpack »

I've been a software engineer for several decades; I've personally seen the malware scare grow from small beginnings after the very similar millennium bug scam ran out of time, so yes, I'm saying that the malware lore is almost entirely a sequence of scare stories.

That doesn't mean that there aren't crooks out there. But in most cases, if you follow a few simple precautions then you are essentially immune. When running a VM that basically means: don't download stuff into a VM and then run it on the host without checking it. Or, returning to the subject of this topic: don't enable drag and drop, since malware can use that to access files on the host, except now it's not restricted to shared folders.

Oh - and turn off autorun everywhere.
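
The guest-to-host channels discussed in this thread (drag and drop, shared clipboard, shared folders) can be audited per VM. The following is an added example, not code from the thread or from VirtualBox: it parses `VBoxManage showvminfo <vm> --machinereadable` output and flags any channel that is not disabled. The sample output, VM name and host path are constructed for illustration.

```python
import re

# Constructed sample of `VBoxManage showvminfo <vm> --machinereadable` output.
# The VM name and the host path are made up for this example.
SAMPLE = '''\
name="xp-test"
ostype="WindowsXP"
clipboard="bidirectional"
draganddrop="hosttoguest"
SharedFolderNameMachineMapping1="share"
SharedFolderPathMachineMapping1="/home/user"
'''

# key="value" with optional quotes on either side
LINE = re.compile(r'^"?([^"=]+)"?="?(.*?)"?$')


def parse(text):
    """Turn machine-readable key=value lines into a dict."""
    info = {}
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if m:
            info[m.group(1)] = m.group(2)
    return info


def audit(text):
    """Return one finding per enabled host<->guest data channel."""
    info = parse(text)
    findings = []
    for key in ("draganddrop", "clipboard"):
        # A missing key is reported as 'unknown' rather than assumed safe.
        mode = info.get(key, "unknown").lower()
        if mode != "disabled":
            findings.append(f"{key} is '{mode}'; disable it unless needed")
    for key in sorted(info):
        if key.startswith("SharedFolderName"):
            # The matching path key differs only in Name -> Path.
            path_key = key.replace("SharedFolderName", "SharedFolderPath", 1)
            path = info.get(path_key, "?")
            findings.append(f"shared folder '{info[key]}' exposes host path {path}")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```
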
VickersNick
Posts: 41
Joined: 10. Jan 2014, 21:38
Primary OS: MS Windows 7
VBox Version: PUEL
Guest OSses: XP, 7, Ubuntu, Mint

Re: I actually want drag and drop!

Post by VickersNick »

"Almost entirely scare stories", yet I assume you are still running anti-virus and firewall software on your Windows machine(s). However, since you acknowledge the existence of crooks out there, I infer that you view the threat as somewhere between "negligible" and "dire." I mean, if the malware threat is so overblown, we wouldn't be bogging down our systems with AV/Firewall processes, not clicking on foreign links, turning off autorun, being suspicious about e-mail attachments, etc.

I've been in the software industry for decades too. I've had to clean or rebuild a slew of infected machines ranging from rootkits to scareware ("Your machines is infected. Pay $$ to remove it.") A friend's laptop is so riddled with malware that it's sitting unused in his garage. I still get the occasional e-mail from an acquaintance's hacked e-mail account. And one guy I know was burned several weeks ago by a Cryptolocker derivative.

So in my view, those "sequence of scare stories" aren't scaring enough or the right people.
mpack
Site Moderator
Posts: 39134
Joined: 4. Sep 2008, 17:09
Primary OS: MS Windows 10
VBox Version: PUEL
Guest OSses: Mostly XP

Re: I actually want drag and drop!

Post by mpack »

Don't conflate Firewall with AV. And no, I have never used resident AV on any of my PCs.
Armando
Posts: 101
Joined: 26. May 2012, 06:50

Re: I actually want drag and drop!

Post by Armando »

mpack wrote:...don't enable drag and drop, since malware can use that to access files on the host, except now it's not restricted to shared folders...
I was just wondering about this issue a few weeks ago and I opened a topic here to get some advice
(viewtopic.php?f=1&t=77112&sid=366410d3a ... a00e09bce2).

The answers I received seem to suggest that, provided we trust the user (which should be the case, when you are using your own pc :] ), drag and drop should be even safer (or less dangerous) than shared folders and copy/paste.
michaln wrote:...The guest can't control the host's mouse. It could control the mouse within the guest but can't move it outside.
The guest definitely can put whatever it likes in a shared folder. Depending on how you have the shared folder set up, that may or may not be a problem. I am not aware of any mechanism whereby the guest could copy files to a shared folder and run them on the host. ... if you trust the user (yourself) then DnD should be safe.
Do you agree?