CVE-2018-2698: Oracle VirtualBox Multiple Guest to Host Escape Vulnerabilities

Recently, SecuriTeam wrote a blog to descript a critical vulnerability that exists in Oracle VM VirtualBox. The detail is below:

Vulnerabilities summary
The following advisory describes two (2) guest to host escape found in Oracle VirtualBox version 5.1.30, and VirtualBox version 5.2-rc1.

CVE-ID
CVE: CVE-2018-2698

Vulnerabilities details
The vulnerabilities found in the core graphics framework (VBVA subcomponent) and affect all host operating systems.

provide an arbitrary read/write primitive in the userland VirtualBox host rocess, relative to the guest’s VRAM buffer.

The VGA device emulated by VirtualBox is associated with a certain amount of VRAM, which is mapped contiguously in both the host process running the VM and in guest kernel memory.

Parts of it are used as general-purpose shared memory segment for communication between the host and guest (host-guest shared memory interface, HGSMI).

Using this mechanism, the guest can issue certain commands to the host, for example to implement the mouse pointer integration and seamless windows features.

The guest can also tell the host to copy data around inside the VRAM on its behalf, via a subsystem called VDMA.

Source: blogs.securiteam.com