Resources

People often ask me "How did you learn how to hack?" The answer: by reading. This page is a collection of the blog posts and other articles that I have accumulated over the years of my journey. Enjoy!

Hunting for bugs in VirtualBox (First Take)

Pavel Cheremushkin, posted 5 years ago
  • VirtualBox is popular virtualization software, as it is open source and free. Finding vulnerabilities in VirtualBox is a big deal because they can allow a guest-to-host escape.
  • The author argues that hunting for bugs in VirtualBox is a good idea because you learn a ton about operating systems and virtualization in general, and all guest-to-host escapes are very high impact.
  • At the beginning of the article (in the Recon section) there are quite a few links to learning about VirtualBox and other bugs found in VirtualBox.
  • The author went hunting for bugs in the TCP/IP stack, because this code is very complex: guest requests have to be translated to the host on the fly.
  • Via fuzzing, two vulnerabilities were found: an out-of-bounds read via an unvalidated length (which ZDI reported as RCE for some reason) and a DoS via a NULL pointer dereference.
  • From reading the source code, the author found another bug! With a bad ICMP packet, the data has already been freed by the time execution reaches the default case of a switch statement, and that default case falls into a second free. The default case should instead goto done. Why is this a big deal? It is a double free vulnerability!
  • To make this exploitable, a race condition has to be won: another thread has to allocate a buffer after it has been freed the first time but prior to it being freed the second time. Now we have an exploitable double free.
  • The race is hard to win, though. The author wrote a kernel driver to trigger the bug but never wrote a full PoC, as winning the race comes down to a few microseconds.
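As an added illustration of the control-flow defect described above (constructed model code, not VirtualBox's source or the author's PoC), the following shows a packet buffer released on an error path before a switch, whose default case then falls into the shared cleanup and releases it again; a guarded release counts the second call so the double free is visible as a value rather than heap corruption. The packet layout, `handle_icmp`, `release_buf` and the `fixed` flag are all assumptions made for the example.

```c
#include <stddef.h>
#include <stdlib.h>
#include <string.h>

/* Constructed model of the bug pattern; not VirtualBox code. */
typedef struct {
    unsigned char *data;
    int releases;          /* how many times release_buf() ran on this buffer */
} pkt_buf;

/* Guarded release: a second call is counted instead of reaching free(),
 * so a double free shows up as releases == 2 rather than crashing. */
static void release_buf(pkt_buf *b) {
    if (b->releases++ == 0) {
        free(b->data);
        b->data = NULL;
    }
}

enum { ICMP_ECHO = 8, ICMP_INVALID = -1 };
#define ICMP_MIN_LEN 8

/* Process one guest ICMP packet. fixed == 0 reproduces the defect (the
 * default case breaks into the shared cleanup); fixed == 1 applies the
 * goto-done fix. Returns the number of releases: 1 is correct, 2 is a double free. */
static int handle_icmp(const unsigned char *pkt, size_t len, int fixed) {
    pkt_buf b = { malloc(len ? len : 1), 0 };
    memcpy(b.data, pkt, len);

    int type = len >= ICMP_MIN_LEN ? pkt[0] : ICMP_INVALID;
    if (type != ICMP_ECHO)
        release_buf(&b);           /* bad or unhandled packet: dropped and released early */

    switch (type) {
    case ICMP_ECHO:
        /* build the echo reply from b.data, then fall out to the shared cleanup */
        break;
    default:
        if (fixed)
            goto done;             /* fix: buffer already gone, skip the shared cleanup */
        break;                     /* defect: falls into the shared cleanup below */
    }
    release_buf(&b);               /* shared cleanup for the handled cases */
done:
    return b.releases;
}

/* Constructed sample packets: a well-formed echo request and a truncated header. */
static const unsigned char echo_req[8] = { 8, 0, 0xf7, 0xff, 0, 1, 0, 1 };
static const unsigned char truncated[3] = { 8, 0, 0 };
```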