This post is about a VirtualBox escape for the latest currently available version (VirtualBox 6.1.16 on Windows). The vulnerabilities were discovered and exploited by our team Sauercl0ud as part of the RealWorld CTF 2020/2021. The vulnerability was known to the organizers, requires the guest to be able to insert kernel modules and isn't exploitable on default configurations of VirtualBox, so the impact is very limited.

Many thanks to the organizers for hosting this great competition, especially to ChenNan for creating this challenge, to M4x for always being helpful, answering our questions and sitting with us through the many demo attempts, and of course to all the people involved in writing the exploit.

Let's get to some pwning :D

Discovering the Vulnerability

The challenge description already hints at where a bug might be:

"Please escape VirtualBox and spawn a calc ("C:\Windows\System32\calc.exe") on the host operating system. You have the full permissions of the guest operating system and can do anything in the guest, including loading drivers, etc. But you can't do anything in the host, including modifying the guest configuration file, etc. Hint: SCSI controller is enabled and marked as bootable. Guest: Windows7_sp1_x64 virtual machine in VirtualBox_6.1.16_x64. In order to ensure a clean environment, we use virtual machine nesting to build the environment."

The only special thing about the VM is that the SCSI controller is loaded and marked bootable, so that's the place for us to start looking for vulnerabilities. In the device emulation the bootable flag selects an extra code path that a non-bootable controller never runs, which is exactly the kind of configuration-gated surface a default VM does not expose:

```cpp
// /src/VBox/Devices/Storage/DevBusLogic.cpp
// (excerpt) the branch below is only taken when the controller is marked bootable
if (fBootable)
```

Here are the operations the SCSI device supports. The guest talks to the controller through a small set of I/O ports starting at 0x434, one byte at a time; the following is the beginning of the sequence our guest kernel driver sends (excerpt):

```c
// guest-side Windows kernel driver; __outbyte is the MSVC port I/O intrinsic
static const short port = 0x434;
static const uint32_t buffer_size = 1024;

// reset the state machine
__outbyte(port + 3, 0);

// initiate a write operation
__outbyte(port + 0, 0); // TargetDevice (0)
```