CVE-2008-3431
published 2008-08-05

Priority: P1, 84 (high) · CVSS 3.1: 8.8
CVSS vector: AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Flags: KEV · ITW · EXPLOIT · Ransomware
CISA Known Exploited Vulnerability, due 2022-03-24
Exploited in the wild
EPSS: 6.93% (93.3rd percentile)
The VBoxDrvNtDeviceControl function in VBoxDrv.sys in Sun xVM VirtualBox before 1.6.4 uses the METHOD_NEITHER communication method for IOCTLs and does not properly validate a buffer associated with the Irp object, which allows local users to gain privileges by opening the \\.\VBoxDrv device and calling DeviceIoControl to send a crafted kernel address.

Affected (1 range)

Vendor   Product     Version range   Fixed in
oracle   virtualbox  < 1.6.4         1.6.4

Detection & IOCs (extracted from sources)

hash: 3ef071e0327e7014dd374d96bed023e6c434df6f98cce88a1e7335a667f6749d
path: \\.\VBoxDrv
command: DeviceIoControl(hDevice, 0x228103, (LPVOID)0x80808080, 0, (LPVOID)0x80808080, 0x0, &cb, NULL)
filename: VBoxDrv.sys
  • Detect loading of VBoxDrv.sys versions <= 3.0.0 on systems where VirtualBox is not legitimately installed; presence of this driver is a strong indicator of exploit staging for DSE bypass.
  • Hunt for SSP DLLs added to the Windows system directory and registered in the LSA Security Packages registry value — AcidBox loaders persist as SSPs loaded into lsass.exe.
  • AcidBox main worker module stores encrypted payload in the Windows registry; hunt for large, high-entropy binary registry values written by lsass.exe or unusual SSP DLLs.

CVSS provenance

Source      Version  Score  Severity  Vector
nvd         v3.1     8.8    HIGH      CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
nvd         v2.0     7.2    HIGH      AV:L/AC:L/Au:N/C:C/I:C/A:C
vulncheck   -        8.8    HIGH      -
cisa        -        8.8    HIGH      -