Breaking Out of VirtualBox through 3D Acceleration

Oracle VirtualBox is a popular virtualization product which provides, among many other features, 3D Acceleration for guest machines through its Guest Additions. This feature allows guest machines to use the host machine's GPU to render 3D graphics based on the OpenGL or Direct3D APIs. Being a complex piece of software, the 3D Acceleration code, which runs in the context of the VirtualBox hypervisor, opens the door to security problems.

During this presentation we will show how a program running inside a VirtualBox guest can exploit memory corruption vulnerabilities located in the code that implements 3D Acceleration for OpenGL in order to break out of the VM and execute arbitrary code on the host OS.

We will start the presentation by taking a look at the Guest/Host communication mechanism and discussing how VirtualBox implements hardware-based 3D acceleration for OpenGL graphics. Then we'll be ready to uncover three memory corruption vulnerabilities (CVE-2014-0981, CVE-2014-0982 and CVE-2014-0983, all of them discovered during this research) which can be triggered from within the guest OS in order to corrupt the memory of the VirtualBox hypervisor process running on the host OS. Finally, we will focus on the exploitation phase, discussing how to leverage these vulnerabilities to create an information leak that allows the guest to read arbitrary memory from the hypervisor (and thus to bypass ASLR), and how to hijack the execution flow, ultimately escaping from the virtual machine and gaining arbitrary code execution on the host machine.

The talk will finish with a live demo of the Guest-to-Host escape, in which a program running inside a virtual machine will break out of the VM, bypassing protections like ASLR and DEP on the host OS.
