Summary

An integer overflow vulnerability exists within the VirtualBox vmsvga3dSurfaceMipBufferSize [source] function. This vulnerability allows an attacker to manipulate a malloc call such that 0 bytes are allocated while VirtualBox tracks the size of the buffer as a value greater than 0. An attacker can exploit this condition and achieve linear read/write primitives, which can then be escalated to arbitrary read/write access within the host's memory. We provide a proof-of-concept that demonstrates how to exploit this vulnerability to fully escape a virtual machine.

Severity

High

Proof of Concept

We were able to exploit the VMSVGAGBO defined inside a VMSVGAMOB object, which are defined below:

```c
typedef struct VMSVGAGBO
{
    uint32_t            fGboFlags;
    uint32_t            cTotalPages;
    uint32_t            cbTotal;
    uint32_t            cDescriptors;
    PVMSVGAGBODESCRIPTOR paDescriptors;
    void                *pvHost; /* Pointer to cbTotal bytes on the host if VMSVGAGBO_F_HOST_BACKED is set. */
} VMSVGAGBO, *PVMSVGAGBO;

typedef struct VMSVGAMOB
{
    AVLU32NODECORE      Core;    /* Key is the mobid. */
    RTLISTNODE          nodeLRU;
    VMSVGAGBO           Gbo;
} VMSVGAMOB, *PVMSVGAMOB;
```

The algorithm is the following:

1. Trigger the allocation of a buggy_surface (a surface allocated with size 0).
2. Allocate a GBO object with a value in cbTotal that can be used to fingerprint our object (an "egg"). After trial and error, the value 0x1421337 proved to be reliable enough (~100% success rate).
3. Exploit the out-of-bounds read and check the bytes just after buggy_surface. If the egg is found within a short range (the first 0x5a bytes), assume that our target GBO object is allocated right after the surface. If not, go back to step 1.

This algorithm proved to be 100% reliable at achieving the heap groom within the first <10 attempts.
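The root cause described in the summary, a size computation whose 32-bit product wraps to 0 so that malloc returns a zero-length buffer while the tracked size stays large, is illustrated below as an added example. This is not VirtualBox's code and not the advisory's proof-of-concept: `mip_size_unchecked`, `mip_size_checked`, `mip_size_or_zero` and the dimensions used are constructed for this illustration, and the width * height * depth * bytes-per-block formula is a generic model of the bug class rather than the actual vmsvga3dSurfaceMipBufferSize arithmetic. The hardened variant shows the check a reviewer would expect: every multiplication is overflow-checked and a zero result is refused before it can reach an allocator.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical model of a surface-size computation (not VirtualBox's own
 * vmsvga3dSurfaceMipBufferSize). The product is accumulated in a 32-bit
 * unsigned integer, so sufficiently large guest-controlled dimensions wrap
 * it around, and 2^32 wraps exactly to 0. */
uint32_t mip_size_unchecked(uint32_t width, uint32_t height,
                            uint32_t depth, uint32_t bytes_per_block)
{
    return width * height * depth * bytes_per_block;
}

/* Hardened variant: each multiplication is overflow-checked with the
 * GCC/Clang builtin, and a zero result is rejected, so the size handed to
 * the allocator and the size tracked alongside the buffer always agree. */
bool mip_size_checked(uint32_t width, uint32_t height, uint32_t depth,
                      uint32_t bytes_per_block, uint32_t *out)
{
    uint32_t tmp;
    if (__builtin_mul_overflow(width, height, &tmp))
        return false;
    if (__builtin_mul_overflow(tmp, depth, &tmp))
        return false;
    if (__builtin_mul_overflow(tmp, bytes_per_block, &tmp))
        return false;
    if (tmp == 0)            /* a zero-byte surface is never valid here */
        return false;
    *out = tmp;
    return true;
}

/* Convenience wrapper: the checked size, or 0 when the input is rejected. */
uint32_t mip_size_or_zero(uint32_t width, uint32_t height, uint32_t depth,
                          uint32_t bytes_per_block)
{
    uint32_t cb = 0;
    return mip_size_checked(width, height, depth, bytes_per_block, &cb) ? cb : 0;
}

int main(void)
{
    /* Constructed dimensions: 0x10000 * 0x10000 == 2^32, which a uint32_t
     * cannot hold, so the unchecked product is 0 while the caller would
     * still believe it owns a large buffer. */
    uint32_t w = 0x10000, h = 0x10000;
    printf("unchecked size: %u\n", mip_size_unchecked(w, h, 1, 1));
    printf("checked size  : %u (0 means rejected)\n", mip_size_or_zero(w, h, 1, 1));
    printf("sane 64x64x4  : %u\n", mip_size_or_zero(64, 64, 1, 4));
    return 0;
}
```

The unchecked path is the defect pattern to grep for in any allocator-size computation: a product of attacker-influenced 32-bit values that is never compared against its inputs or computed in a wider type. The checked path is the minimal fix, and rejecting a zero result is what closes the specific "0 bytes allocated, size tracked as >0" inconsistency the advisory describes.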
An arbitrary read can be achieved by corrupting cbTotal and pvHost using the linear out-of-bounds write with values of the attacker's choice; a guest can then issue a vmsvga3dDXReadbackCOTable command, which ends up calling vmsvgaR3MobBackingStoreWriteToGu...
First seen: 2025-05-17 11:47
Last seen: 2025-05-17 13:47