3D Accelerated Exploitation
By Jason Matthyser on 22 February, 2019
VirtualBox is arguably one of the best examples of a target that accommodates novice vulnerability researchers.
Owing to its open source codebase, and the vast amount of related vulnerability research published, it is fairly easy to see why it has become a popular target in recent months. This may be especially attributed to its 3D Acceleration feature, which has become notorious for containing all manner of exploitable vulnerabilities, while also remaining exposed to unprivileged guest OS users if enabled.
Despite this, not much has been publicly released that provides an introduction to the 3D Acceleration attack surface, and describes how it can be fuzzed, completely separate from VirtualBox. Building upon this, this talk aimed to discuss some of the useful exploitation primitives that exist within 3D Acceleration and can be leveraged to escape a virtual machine without executing a single line of shellcode.
The tooling and exploit covered in this talk can be found on Github.