Out of the (v)Box, presented at ekoparty Security Conference 2018

by Josué Rojas

Summary: Widely used virtualization software such as Oracle VirtualBox allows the isolated execution of different "guest" operating systems on a "host" operating system. When the "guest" operating system requires hardware resources, VirtualBox provides communication channels to the host to meet requests as required. It's extremely interesting to be able to analyze the different communication protocols and the access control to these channels. This talk presents my experience in the development of a VM escape in VirtualBox, analyzing reported vulnerabilities in 3D acceleration components. It gives a technical account of the reverse engineering process of these components, how the hypervisor processes rendering commands, and the exploitation of the vulnerabilities: achieving a memory leak and a write-what-where to corrupt a buffer object, then obtaining a stable platform for arbitrary reading and writing that finally ends in code execution on the host. A technical demo of the VM escape exploit will be shown.