Virtual Machine Escape Vulnerability: Advanced Exploitation of VirtualBox 3D Acceleration

In a previous blog post, we shared the exploitation technique for a guest-to-host vulnerability affecting the Xen hypervisor. In this new post we focus on another virtual machine escape vulnerability, this time in VirtualBox.

A few months ago, our friends at Core Security published details of multiple memory corruption vulnerabilities in VirtualBox that could allow a user or program in the guest operating system to escape the virtual machine and execute arbitrary code on the host operating system. A few weeks ago, at REcon on June 14, 2014, Francisco Falcon demonstrated that these vulnerabilities can be combined to achieve a guest-to-host escape on a 32-bit Windows host. In this post, we share a technique that uses only one of these vulnerabilities (CVE-2014-0983) to achieve a reliable virtual machine escape on a 64-bit Windows 8 host without crashing the VirtualBox process (also known as process continuation).

1: Technical Analysis of the Vulnerability

Multiple memory corruption vulnerabilities exist in the VirtualBox 3D acceleration of OpenGL graphics. In this analysis we focus on CVE-2014-0983. From the perspective of the guest operating system, the Guest Additions add a number of services, such as drag-and-drop, shared clipboard and graphics rendering. One of these services is called "shared OpenGL". When 3D acceleration is enabled in VirtualBox (it is disabled by default), OpenGL graphics can be rendered remotely using a client/server model: the guest operating system, acting as the client, sends rendering messages to the "VBoxGuest.sys" driver, which forwards them through PMIO/MMIO to the host, which acts as the server and parses them.
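Because the vulnerable "shared OpenGL" service is only reachable when 3D acceleration is switched on, a host-side audit that finds VMs with the setting enabled is the first mitigation check. The script below is an added example (not from the original post) and assumes VBoxManage is on PATH; the parsing function is separated out so it can be tested on constructed output.

```shell
#!/bin/sh
# Added audit helper (not part of the original post): lists VirtualBox VMs
# that have 3D acceleration enabled, i.e. the ones exposing the shared OpenGL
# service discussed above. Assumes VBoxManage is on PATH.

# Returns 0 when the machine-readable "showvminfo" text on stdin reports
# 3D acceleration on, 1 otherwise (the key is accelerate3d="on"/"off").
vm_has_3d_accel() {
    grep -q '^accelerate3d="on"$'
}

# Prints, one per line, the names of registered VMs with 3D acceleration on.
# "VBoxManage list vms" prints lines of the form: "name" {uuid}
list_3d_enabled_vms() {
    VBoxManage list vms | sed 's/^"\(.*\)" {.*}$/\1/' | while IFS= read -r name; do
        if VBoxManage showvminfo "$name" --machinereadable | vm_has_3d_accel; then
            printf '%s\n' "$name"
        fi
    done
}

# Only query the hypervisor when the CLI is actually present.
if command -v VBoxManage >/dev/null 2>&1; then
    list_3d_enabled_vms
fi
```

Any VM reported can be hardened with `VBoxManage modifyvm "<name>" --accelerate3d off` while it is powered off.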