Jason Matthyser

3D Accelerated Exploitation


VirtualBox is arguably one of the best examples of a target that accommodates novice vulnerability researchers. Owing to its open source codebase, and the vast amount of related vulnerability research published, it is fairly easy to see why it has become a popular target in recent months. This may be especially attributed to its 3D Acceleration feature, which has become notorious for containing all manner of exploitable vulnerabilities, while also remaining exposed to unprivileged guest OS users if enabled.

Despite this, not much has been publicly released that introduces the 3D Acceleration attack surface and describes how it can be fuzzed completely separately from VirtualBox. Building upon this, the talk also aims to discuss some of the useful exploitation primitives that exist within 3D Acceleration and can be leveraged to escape a virtual machine without executing a single line of shellcode.


Jason has been working as an Information Security Consultant at MWR InfoSecurity for the past three years, primarily performing penetration testing, red teaming, and cloud research. Prior to MWR, Jason worked in web application and low-level control system development for a year, after completing his postgraduate studies in Computer and Electronic Engineering. He enjoys anything memory-corruption related, and has a keen interest in CTF challenges and flashy virtual machine breakouts. In late 2016, he wrote and released the first publicly available exploit for MS08-67 that targeted 64-bit systems - though he does not claim the exploit is reliable :P. Jason started exploring the 3D Acceleration attack surface about six months ago, motivated to discover and develop his first guest-to-host breakout.