Exploiting a hypervisor is already a challenge; chaining it with a Windows kernel LPE to achieve full host compromise makes it even harder. At Pwn2Own Vancouver 2024, we broke free from VirtualBox and escalated our privileges on the Windows host, turning a controlled guest VM into full administrator access on the host.
This session dives into VirtualBox's internals and architecture, offering a comprehensive overview that highlights the critical vulnerabilities we discovered. It will cover how we identified and exploited multiple vulnerabilities, bypassed mitigations, and executed arbitrary code on the host, including insights into research strategy, choice of focus, tooling, and lessons learned from our mistakes.
We’ll conclude with an inside look at the Pwn2Own contest itself: our exploit setup, the hardware surprises, and how everything came together. If you’re into hypervisor exploitation, or just enjoy a good hacking war story, this talk is for you.
Corentin Bayet is the CTO of REverse Tactics and a seasoned security researcher with over 7 years of experience in vulnerability research and exploitation. His expertise lies in low-level technologies, including operating systems, kernels, and hypervisors. Corentin has publicly demonstrated multiple VM escapes at high-profile events such as Pwn2Own. He has also delivered talks and papers on bug hunting in virtualization and on Windows kernel exploitation.
Bruno Pujos is the CEO and founder of REverse Tactics, bringing over 10 years of experience as a security researcher specializing in low-level systems and virtualization technologies. He has publicly demonstrated his expertise by achieving multiple VM escapes and privilege escalations on Windows at Pwn2Own.