Discussion:
[vbox-dev] Guest Additions are being downloaded over insecure HTTP
George Kadianakis
2014-08-10 14:58:46 UTC
Hello there!

It seems that VirtualBox downloads the guest additions ISO over
HTTP. This is not a good idea, since code is being executed from that
ISO, and if it's downloaded over HTTP any network attacker can MITM
and replace it with her own ISO.

It would be better, I think, if the download happened over SSL (using
HTTPS). Maybe in the future you could also use digital signatures to
protect the download.

{{{
UIDownloaderAdditions::UIDownloaderAdditions():
    /* Prepare source/target: */
    const QString &strName = QString("VBoxGuestAdditions_%1.iso").arg(vboxGlobal().vboxVersionStringNormalized());
    const QString &strSource = QString("http://download.virtualbox.org/virtualbox/%1/").arg(vboxGlobal().vboxVersionStringNormalized()) + strName;
    const QString &strTarget = QDir(vboxGlobal().virtualBox().GetHomeFolder()).absoluteFilePath(strName);
}}}

Thank you!
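The checks the post is asking for, written out as an added example that is not VirtualBox code and not part of the original message: refuse a plain http:// source URL, and verify the fetched ISO against a published SHA-256 digest before it is ever mounted. Everything below is constructed for the example (the version string, the stand-in ISO bytes and the SHA256SUMS text); the digest-list format is the ordinary sha256sum(1) output, and the example assumes that list is itself obtained over HTTPS or a signed channel, since a digest fetched over the same plain-HTTP connection can be swapped together with the ISO.

```python
"""Added example, not VirtualBox code: URL-scheme and digest checks a
guest-additions downloader should perform before trusting an ISO.

Assumptions (hypothetical, not from the mailing-list thread):
- the release directory publishes a SHA256SUMS file in sha256sum(1)
  format, '<64 hex digits>  <file name>' per line;
- that digest list is fetched over HTTPS or verified by signature,
  otherwise an on-path attacker replaces both the ISO and its digest.
"""
import hashlib
import hmac
from typing import Dict, Tuple
from urllib.parse import urlparse


def require_https(url: str) -> str:
    """Reject any source URL that is not https:// with a host.
    The posted code builds a plain http:// URL, which lets any on-path
    attacker substitute the ISO."""
    parts = urlparse(url)
    if parts.scheme != "https" or not parts.netloc:
        raise ValueError(f"refusing insecure download URL: {url}")
    return url


def parse_sha256sums(text: str) -> Dict[str, str]:
    """Parse sha256sum(1) output into {file name: hex digest}.
    A leading '*' (binary-mode marker) on the name is stripped; blank
    lines and '#' comments are skipped; malformed digests are an error."""
    sums: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        digest, _, name = line.partition(" ")
        name = name.strip().lstrip("*")
        digest = digest.lower()
        if len(digest) != 64 or any(c not in "0123456789abcdef" for c in digest) or not name:
            raise ValueError(f"malformed digest line: {line!r}")
        sums[name] = digest
    return sums


def verify_iso(name: str, data: bytes, sums: Dict[str, str]) -> bool:
    """True only if the ISO bytes match the published digest for `name`.
    Unknown names fail closed; the comparison is constant-time."""
    expected = sums.get(name)
    if expected is None:
        return False
    actual = hashlib.sha256(data).hexdigest()
    return hmac.compare_digest(actual, expected)


# Constructed sample data (hypothetical version, stand-in ISO bytes and a
# SHA256SUMS file generated from the good bytes).
VERSION = "4.3.14"
ISO_NAME = f"VBoxGuestAdditions_{VERSION}.iso"
GOOD_ISO = b"CD001 constructed stand-in for the guest additions image\n"
TAMPERED_ISO = GOOD_ISO + b"attacker-supplied payload\n"
SHA256SUMS = f"{hashlib.sha256(GOOD_ISO).hexdigest()}  {ISO_NAME}\n"


def demo() -> Tuple[bool, bool, bool]:
    """Return (http URL rejected, good ISO verifies, tampered ISO rejected)."""
    base = "download.virtualbox.org/virtualbox"
    try:
        require_https(f"http://{base}/{VERSION}/{ISO_NAME}")
        http_rejected = False
    except ValueError:
        http_rejected = True
    # The https:// form of the same URL is accepted.
    require_https(f"https://{base}/{VERSION}/{ISO_NAME}")
    sums = parse_sha256sums(SHA256SUMS)
    return (
        http_rejected,
        verify_iso(ISO_NAME, GOOD_ISO, sums),
        verify_iso(ISO_NAME, TAMPERED_ISO, sums),
    )


if __name__ == "__main__":
    print(demo())
```

A digest check only moves the trust question to how the digest list was obtained; the signed-release approach the post also suggests (a detached signature over SHA256SUMS, verified against a key shipped with the host package) closes that gap, because a key already on disk cannot be swapped by the same network attacker.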
quickbooks office
2014-08-11 08:40:40 UTC
Isn't the guest additions ISO file included in the Installer package?
_______________________________________________
vbox-dev mailing list
vbox-dev at virtualbox.org
https://www.virtualbox.org/mailman/listinfo/vbox-dev
Klaus Espenlaub
2014-08-11 10:06:56 UTC
George,

can you make a clear statement about which package you're using? None of the
packages from virtualbox.org should ever execute this code path.

As mentioned before, it is included in the host package and thus the
download will not be attempted. The download feature has been
implemented ages ago to simplify 3rd party packaging of the "OSE" variant.

We are already strongly pushing for HTTPS support on
download.virtualbox.org, but it's operated by a different team and
handles many more products/projects. All equipment the VirtualBox team
is operating can't handle multi-Terabyte/day volume. So yes, SSL would
be better but unfortunately isn't easily available.

Klaus