Oracle VM VirtualBox – VM Escape via VGA Device
### Summary

An integer overflow vulnerability exists within the VirtualBox vmsvga3dSurfaceMipBufferSize [[source](https://github.com/mirror/vbox/blob/74117a1cb257c00e2a92cf522e8e930bd1c4d64b/src/V...
Similarly, an arbitrary write can be achieved with a GrowCOTable command, which upon calling vmsvgaR3MobBackingStoreCreate will eventually result in the device reading cbTotal bytes from guest memory into pvHost.

### Breaking ASLR and Gaining RIP Control

Another huge benefit of the VMSVGAMOB object is that the field nodeLRU contains a pointer to the VMSVGAR3STATE structure of the device.

### Jump into the shellcode

- Corrupt the value of pfnCommandClear with the first ROP chain gadget pivoting the stack
- Issue a vmsvga3dCommandClear command
- Initiate RCE