Shared Folders in-depth discussion

This is for discussing general topics about how to use VirtualBox.
Sufan
Posts: 3
Joined: 29. Jun 2012, 21:24

Shared Folders in-depth discussion

Post by Sufan »

Hi VBox community,

First off I would like to note that I have researched this for quite some time and read many forum topics about this from the past. I intend to use VirtualBox as a complete replacement for all my host security software and as such, I need more in depth info about shared folders in order to make a decision. This topic is not meant to be a rehash but a means to supersede all former discussions and build on what was said.

Here is what I know:

According to what was written before, Shared Folders is assumed to be safe to use as long as:

- only a common non root directory is selected for that purpose
- no executable that was placed in there will ever be re-executed on the host - since it could have been patched by something malicious.
- any non-script/non-executable file is considered to be safe and unable to carry something dangerous*3
- As long as file extensions view is enabled it is very simple to verify that it's not an exe masquerading as a data file
- Disabling Autorun is important *1
- What a virus could do to a shared directory is constrained by the host file sharing protocol <- this is what I would like to discuss more as it has significant security implications. *2

*1 Why would disabling autorun matter in this case? If the host views the shared folder as only such then how can an Autorun script be automatically executed sans any direct user interaction? Isn't this only done for drives attached to the host?

*2 From what I've looked up, SMB/SMB 2 is very insecure. Take for example this advisory: --saintcorporation (.) com/cgi-bin/demo_tut.pl?tutorial_name=Samba_vulnerabilities.html&fact_color=&tag=

So if this protocol has weaknesses, wouldn't this imply that data in the mapped virtual drive could be manipulated as such?
Source wrote:A remote attacker could create accounts, read part of the credentials file, execute arbitrary commands, cause a denial of service, write to arbitrary files, gain elevated privileges, or disable logging of failed login attempts in a brute-force password attack.

*3 Not really my main focus here, but I am curious as to what happens when a file is associated with an alternate data stream (ADS).





Also considering that security policy for the shared folder is enforced according to the file permissions of the host, what would happen if these are inherently insecure? I don't trust anything Microsoft based to have implemented anything security related correctly, which was why I am using virtualization in the first place. Unless VBox GAs uses its own special hardened protocol to do data transfers.


I want to identify the weakest link in the process. Transferring files from an un-trusted guest is the last bit I have to figure out before ditching my bloated host HIPS. Network wise, everything is handled which leaves this vector as my remaining concern.

If it turns out that shared folders are exploitable in the ways I have identified, then basically I am as safe as the guest OS I am using which defeats the purpose of what I am trying to achieve. I am trying to get the combined ease of use of Windows and the security of VirtualBox.

Any responses are appreciated especially from experts.
Thanks.
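An added example, not part of the original post: the checklist above relies on file extensions to spot an executable masquerading as a data file, and a host-side check can read the file header instead of trusting the name. The extension list, function names and sample files are assumptions made for illustration.

```python
import os
import struct
import tempfile

# Extensions treated as executable or script content on a Windows host (assumed list).
EXEC_EXTS = {".exe", ".dll", ".scr", ".com", ".msi", ".bat", ".cmd",
             ".ps1", ".vbs", ".js", ".wsf", ".hta", ".lnk"}

def classify(path):
    """Return why a file looks executable, or None if it looks like plain data."""
    ext = os.path.splitext(path)[1].lower()
    with open(path, "rb") as fh:
        head = fh.read(64)
        if head[:2] == b"MZ" and len(head) == 64:
            # DOS header field e_lfanew (offset 0x3C) points at the "PE\0\0" signature.
            (pe_off,) = struct.unpack_from("<I", head, 0x3C)
            fh.seek(pe_off)
            if fh.read(4) == b"PE\0\0":
                return "PE image" if ext in EXEC_EXTS else "PE image with a data extension"
    if head[:4] == b"\x7fELF":
        return "ELF image"
    if head[:2] == b"#!":
        return "script with interpreter line"
    return "executable or script extension" if ext in EXEC_EXTS else None

def scan(root):
    """Walk the shared folder and map relative path -> reason for every flagged file."""
    findings = {}
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            reason = classify(full)
            if reason:
                findings[os.path.relpath(full, root)] = reason
    return findings

def demo():
    """Build a constructed sample folder and scan it."""
    fake_pe = bytearray(64)
    fake_pe[:2] = b"MZ"
    struct.pack_into("<I", fake_pe, 0x3C, 64)  # signature directly after the DOS header
    samples = {"invoice.pdf": bytes(fake_pe) + b"PE\0\0",  # executable behind a data name
               "notes.txt": b"meeting at ten\n",
               "run.bat": b"@echo off\r\n"}
    with tempfile.TemporaryDirectory() as root:
        for name, data in samples.items():
            with open(os.path.join(root, name), "wb") as fh:
                fh.write(data)
        return scan(root)

if __name__ == "__main__":
    print(demo())
```

Run on the host, `scan()` takes the shared folder path; it only reads file headers and never executes or opens files with their associated application.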
mpack
Site Moderator
Posts: 39134
Joined: 4. Sep 2008, 17:09
Primary OS: MS Windows 10
VBox Version: VirtualBox+Oracle ExtPack
Guest OSses: Mostly XP

Re: Shared Folders in-depth discussion

Post by mpack »

Sufan wrote:*1 Why would disabling autorun matter in this case? If the host views the shared folder as only such then how can an Autorun script be automatically executed sans any direct user interaction? Isn't this only done for drives attached to the host?
I've never heard of autorun being relevant for shared folders. It is relevant for USB drives and CDs. The last time I met a virus (I won't say "infected" because I wasn't), it was yet another stupid mickey mouse thing written by the usual hopeless incompetent, which copied itself using the autorun feature on a flash drive. Once on a host it would copy itself to any other flash drives inserted. Every time I let a colleague borrow my USB flash drive, it came back with that crap on it, because my colleague is an idiot too. Anyone who turns autorun off (as I do) is immune of course. I also show hidden files, and extensions, so I could easily spot the executable file too.
Sufan wrote:From what I've looked up, SMB/SMB 2 is very insecure.
Are you talking about secrecy or malware prevention? If the latter then I think you are confusing exploits with security holes. There have been lots of scare stories which boil down to aforesaid hopeless incompetent managing to crash a particular version of a particular program. Crashes are not a security problem, however in theory an expertly tailored extension of that technique could potentially be used to hijack the computer - but I have yet to hear about the theoretical potential ever being converted to actual fact.

A computer does not run programs by accident. Loading executable code, allocating RAM and CPU time to it, are all quite complex tasks that do not happen by themselves. So if the protocol does not include an explicit mechanism for copying and remote execution of code (and as far as I know, SMB doesn't), then the chances of transmitting a working program over a network are IMHO so near enough to NIL that it isn't worth bothering about. Note that this is not at all the same subject as transferring an executable file, which is of course possible, but harmless until someone actually executes the file.
Sufan
Posts: 3
Joined: 29. Jun 2012, 21:24

Re: Shared Folders in-depth discussion

Post by Sufan »

mpack wrote:I've never heard of autorun being relevant for shared folders. It is relevant for USB drives and CDs.
Thanks for confirming this.
mpack wrote:Are you talking about secrecy or malware prevention? If the latter then I think you are confusing exploits with security holes. There have been lots of scare stories which boil down to aforesaid hopeless incompetent managing to crash a particular version of a particular program. Crashes are not a security problem, however in theory an expertly tailored extension of that technique could potentially be used to hijack the computer - but I have yet to hear about the theoretical potential ever being converted to actual fact.
I was talking about the security aspect. I understand that there are scaremongers out there who make a living by convincing uneducated individuals with virus hoaxes. However, I'd like to think that I have a good knowledge of how exploits work; the fact that something can be crashed is not a security hole in my book, however it indicates that there could be other flaws to be taken advantage of to get something useful out of it. The massive numbers of driveby malware proves that without any user intervention remote code could be executed automatically. I don't believe in patching and so infections will be there.
mpack wrote: So if the protocol does not include an explicit mechanism for copying and remote execution of code (and as far as I know, SMB doesn't)


That's good to know, but isn't an exploit by definition something that could glitch a specific mechanism and make it do actions it normally wouldn't do?

The fact that a remote attack could cause code execution on a samba server means that a worm could copy and execute itself in the shared folder without my intervention - just like it would do in a normal network environment. The worm initially could get there from a browser drive by attack.

After searching some more I found hints that GAs do indeed use a file transfer protocol specific to VirtualBox. Can you confirm if that's the case and the security mechanisms built for it?
mpack
Site Moderator
Posts: 39134
Joined: 4. Sep 2008, 17:09
Primary OS: MS Windows 10
VBox Version: VirtualBox+Oracle ExtPack
Guest OSses: Mostly XP

Re: Shared Folders in-depth discussion

Post by mpack »

Sufan wrote:That's good to know, but isn't an exploit by definition something that could glitch a specific mechanism and make it do actions it normally wouldn't do?
It's a grand name for providing invalid input to a program that doesn't check its input very well. If you had the exact source code for a specific receiver then you could tune the attack to overflow the stack in such a specific way that a specific number of bytes managed to get copied, a wrong return address is taken... and also somehow overcomes the CPU's distaste for executing code from data spaces (or writing data to code spaces). If you can do all that in just a few bytes (trash the receiver too much and it will all crash horribly), then you have a credible threat.

Quite a trick, and like I said, I've never heard of anyone doing it. A crash is easy - but a real attack has to be perfectly tuned to a particular bit of receiving code. I don't know how a random attacker can have such precise knowledge of what software build a receiving PC is running.
Sufan
Posts: 3
Joined: 29. Jun 2012, 21:24

Re: Shared Folders in-depth discussion

Post by Sufan »

Thanks for the info.

A few final questions I have: which is more secure, Shared Folders or using FTP?

Data confidentiality is of no concern and the host will only use client and guest will be server. Guest is considered compromised anyway so no need to worry about the holes a server would open. Taking into account protocol security as well.

What are the chances that an FTP client is exploited by a malicious server, is it as common as for browsers? What are the chances of this happening compared to shared folder flaw?

I know that's more than 1 question but if you could answer them all that would be great.
mpack
Site Moderator
Posts: 39134
Joined: 4. Sep 2008, 17:09
Primary OS: MS Windows 10
VBox Version: VirtualBox+Oracle ExtPack
Guest OSses: Mostly XP

Re: Shared Folders in-depth discussion

Post by mpack »

Sufan wrote:A few final questions I have: which is more secure, Shared Folders or using FTP?
There's no difference. They are both software file transfer protocols with similar feature sets (obviously the details are very different), the only practical difference is how the information is presented (i.e. as a separate app or as a filesystem extension).