Graphics virtualization has long been one of the most fragile hypervisor attack surfaces. A representative example is VMware SVGA, which is used not only by VMware but is also supported by VirtualBox and QEMU. The combination of a complex, stateful interface and memory-unsafe code paths makes it prone to bugs, and the primitives exposed by the graphics stack often make it easy to develop practical VM-escape exploits.
Since version 6.1.0, VirtualBox’s default graphics adapters have been switched to VMSVGA and VBoxSVGA. They inherit VMware SVGA’s design, and also its safety pitfalls. VirtualBox’s 3D acceleration stack contains several use-after-free issues in the MOB lifecycle because objects are shared across different DX components, dozens of out-of-bounds accesses in surface operations due to incorrect preconditions, and other bugs caused by inconsistencies between layers. Put simply, VirtualBox’s modern 3D stack is still one bug away from breaking isolation.
In this talk, we’ll break down VirtualBox 3D acceleration, map how objects and state are synchronized across layers, and identify recurring vulnerability patterns that explain what went wrong and why. On top of that, we’ll also introduce a new VirtualBox exploitation primitive that helps spray the Low-Fragmentation Heap thanks to its variable size. Finally, we’ll demonstrate how a single bug can be developed into a stable VM-escape exploit on both Windows and Linux with our new primitive!
Ting-Yu “NiNi” Chen is a senior security researcher at DEVCORE and a member of the Balsn CTF team. He won the “Master of Pwn” title at Pwn2Own Toronto 2022 with DEVCORE, and has placed 2nd and 3rd in DEF CON CTF as a member of Balsn and TWN48.
His work focuses on 0-day vulnerability research. He has reported security issues to vendors, including ClickHouse, MikroTik, Samsung, VirtualBox, and Microsoft Windows. He has spoken at CCC, DEF CON, Hardwear.io, Hexacon, HITCON, and RomHack.
Find him on X: @terrynini38514, and at his blog: http://blog.terrynini.tw/
Wei-Che Kao, also known as Xiaobye (@xiaobye_tw), is a security researcher at DEVCORE, focusing primarily on wireless and virtualization security. His previous research has been presented at USENIX Security, Hexacon and Hardwear.io.