Oracle VM VirtualBox
cpe:2.3:a:oracle:vm_virtualbox:*:*:*:*:*:*:*
- 7.1.6
An integer overflow vulnerability has been identified in Oracle VM VirtualBox version 7.1.6, within the core component. This vulnerability allows a high-privileged attacker with access to the VirtualBox environment to manipulate memory allocation, leading to unauthorized access and modification of data. The exploitation of this vulnerability can cause a partial denial-of-service in VirtualBox and, notably, allows for a complete escape from the virtual machine to the host.
Exploitation of this vulnerability could result in unauthorized access to critical data, modification of all data accessible to the user within VirtualBox, and a partial denial-of-service on the application.
The vulnerability can be reproduced by triggering the allocation of a surface with a size of zero, followed by the allocation of a Graphics Buffer Object (GBO) with a controlled size. This process can be automated to achieve a reliable heap grooming effect, allowing the attacker to read from the zero-sized buffer into a properly allocated one. Once the out-of-bounds read is established, the attacker can exploit this to gain arbitrary read/write access to the host's memory, ultimately leading to a virtual machine escape.
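A defensive size check for the zero-sized surface allocation described above, as an added example that is not VirtualBox code and not part of the original advisory. The `surface_desc` structure, the width × height × bytes-per-pixel size formula, the function names and the 256 MiB cap are all assumptions chosen for illustration; the block shows how a 32-bit product can wrap to zero and how a widened, bounded computation rejects the request before any allocation happens.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical guest-supplied surface description (not a VirtualBox type). */
struct surface_desc {
    uint32_t width, height, bytes_per_pixel;
};

/* Assumed upper bound for one surface; a constructed value for this example. */
#define SURFACE_MAX_BYTES ((uint64_t)256 * 1024 * 1024)

/* Unchecked form: the product is reduced modulo 2^32, so large dimensions
 * can yield a tiny or zero size that the allocator happily accepts. */
uint32_t surface_size_unchecked(const struct surface_desc *d)
{
    return d->width * d->height * d->bytes_per_pixel;
}

/* Checked form: widen to 64 bits, reject zero and anything above the cap. */
bool surface_size_checked(const struct surface_desc *d, size_t *out)
{
    uint64_t row = (uint64_t)d->width * d->bytes_per_pixel; /* cannot overflow */
    if (row == 0 || d->height == 0)
        return false;                       /* zero-sized surface */
    if (row > SURFACE_MAX_BYTES / d->height)
        return false;                       /* row * height would exceed cap */
    *out = (size_t)(row * d->height);
    return true;
}

/* Allocate only when the size passed validation; NULL means "rejected". */
void *surface_alloc(const struct surface_desc *d, size_t *size_out)
{
    if (!surface_size_checked(d, size_out))
        return NULL;
    return calloc(1, *size_out);
}

int main(void)
{
    struct surface_desc wrap = { 0x10000u, 0x10000u, 4u }; /* constructed input */
    size_t n = 0;
    printf("unchecked size: %u\n", (unsigned)surface_size_unchecked(&wrap));
    printf("checked alloc:  %s\n", surface_alloc(&wrap, &n) ? "ok" : "rejected");
    return 0;
}
```

Rejecting the zero result explicitly matters because a later length check against a zero-sized buffer cannot be trusted to bound reads or writes into it.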