VirtualBox虚拟机逃逸漏洞分析与利用教学文档<\/h1>

漏洞概述<\/h2>
本漏洞存在于VirtualBox的3D加速功能中，具体位置在`src\/VBox\/HostServices\/SharedOpenGL\/unpacker\/unpack_shaders.c<\/code>文件的crUnpackExtendShaderSource<\/code>函数中。该漏洞允许攻击者从虚拟机内部突破到宿主机，实现虚拟机逃逸。<\/p>`

漏洞背景<\/h2>

发现时间：2018年10月<\/li>
影响版本：VirtualBox v5.2.22及之前版本<\/li>
相关CVE：CVE-2019-2446（信息泄露漏洞）<\/li>
<\/ul>
漏洞代码分析<\/h2>
关键函数：crUnpackExtendShaderSource<\/h3>
void<\/span> crUnpackExtendShaderSource<\/span>(void<\/span>) {
<\/span><\/span>    GLint *<\/span>length =<\/span> NULL;
<\/span><\/span>    GLuint shader =<\/span> READ_DATA(8<\/span>, GLuint);
<\/span><\/span>    GLsizei count =<\/span> READ_DATA(12<\/span>, GLsizei);
<\/span><\/span>    GLint hasNonLocalLen =<\/span> READ_DATA(16<\/span>, GLsizei);
<\/span><\/span>    GLint *<\/span>pLocalLength =<\/span> DATA_POINTER(20<\/span>, GLint);
<\/span><\/span>    char<\/span> **<\/span>ppStrings =<\/span> NULL;
<\/span><\/span>    GLsizei i, j, jUpTo;
<\/span><\/span>    int<\/span> pos, pos_check;
<\/span><\/span>    
<\/span><\/span>    if<\/span> (count >=<\/span> UINT32_MAX \/<\/span> sizeof<\/span>(char<\/span> *<\/span>) \/<\/span> 4<\/span>) {
<\/span><\/span>        crError("crUnpackExtendShaderSource: count %u is out of range"<\/span>, count);
<\/span><\/span>        return<\/span>;
<\/span><\/span>    }
<\/span><\/span>    
<\/span><\/span>    pos =<\/span> 20<\/span> +<\/span> count *<\/span> sizeof<\/span>(*<\/span>pLocalLength);
<\/span><\/span>    if<\/span> (hasNonLocalLen ><\/span> 0<\/span>) {
<\/span><\/span>        length =<\/span> DATA_POINTER(pos, GLint);
<\/span><\/span>        pos +=<\/span> count *<\/span> sizeof<\/span>(*<\/span>length);
<\/span><\/span>    }
<\/span><\/span>    
<\/span><\/span>    pos_check =<\/span> pos;
<\/span><\/span>    if<\/span> (!<\/span>DATA_POINTER_CHECK(pos_check)) {
<\/span><\/span>        crError("crUnpackExtendShaderSource: pos %d is out of range"<\/span>, pos_check);
<\/span><\/span>        return<\/span>;
<\/span><\/span>    }
<\/span><\/span>    
<\/span><\/span>    for<\/span> (i =<\/span> 0<\/span>; i <<\/span> count; ++<\/span>i) {
<\/span><\/span>        if<\/span> (pLocalLength[i] <=<\/span> 0<\/span> ||<\/span> pos_check >=<\/span> INT32_MAX -<\/span> pLocalLength[i] ||<\/span> !<\/span>DATA_POINTER_CHECK(pos_check)) {
<\/span><\/span>            crError("crUnpackExtendShaderSource: pos %d is out of range"<\/span>, pos_check);
<\/span><\/span>            return<\/span>;
<\/span><\/span>        }
<\/span><\/span>        pos_check +=<\/span> pLocalLength[i];
<\/span><\/span>    }
<\/span><\/span>    
<\/span><\/span>    ppStrings =<\/span> crAlloc(count *<\/span> sizeof<\/span>(char<\/span>*<\/span>));
<\/span><\/span>    if<\/span> (!<\/span>ppStrings) return<\/span>;
<\/span><\/span>    
<\/span><\/span>    for<\/span> (i =<\/span> 0<\/span>; i <<\/span> count; ++<\/span>i) {
<\/span><\/span>        ppStrings[i] =<\/span> DATA_POINTER(pos, char<\/span>);
<\/span><\/span>        pos +=<\/span> pLocalLength[i];
<\/span><\/span>        if<\/span> (!<\/span>length) {
<\/span><\/span>            pLocalLength[i] -=<\/span> 1<\/span>;
<\/span><\/span>        }
<\/span><\/span>        Assert(pLocalLength[i] ><\/span> 0<\/span>);
<\/span><\/span>        
<\/span><\/span>        jUpTo =<\/span> i ==<\/span> count -<\/span>1<\/span> ?<\/span> pLocalLength[i] -<\/span> 1<\/span> :<\/span> pLocalLength[i];
<\/span><\/span>        for<\/span> (j =<\/span> 0<\/span>; j <<\/span> jUpTo; ++<\/span>j) {
<\/span><\/span>            char<\/span> *<\/span>pString =<\/span> ppStrings[i];
<\/span><\/span>            if<\/span> (pString[j] ==<\/span> '\0'<\/span>) {
<\/span><\/span>                Assert(j ==<\/span> jUpTo -<\/span> 1<\/span>);
<\/span><\/span>                pString[j] =<\/span> '\n'<\/span>;
<\/span><\/span>            }
<\/span><\/span>        }
<\/span><\/span>    }
<\/span><\/span>    
<\/span><\/span>    cr_unpackDispatch.ShaderSource(shader, count, ppStrings, length ?<\/span> length : pLocalLength);
<\/span><\/span>    cr_unpackDispatch.ShaderSource(shader, 1<\/span>, (const<\/span> char<\/span>**<\/span>)ppStrings, 0<\/span>);
<\/span><\/span>    crFree(ppStrings);
<\/span><\/span>}
<\/span><\/span><\/code><\/pre>漏洞点分析<\/h3>


边界检查缺陷<\/strong>：<\/p>

在第一个循环中，pos_check<\/code>增加了一个数组的长度<\/li>
验证只在下次迭代中进行，最后一个元素的长度从未被验证<\/li>
导致最后一个元素的长度可以任意大<\/li>
<\/ul>
<\/li>

堆溢出机会<\/strong>：<\/p>

嵌套循环将每个\0<\/code>字节转换为\n<\/code>字节<\/li>
对于任意长度，循环可以越界，导致堆溢出<\/li>
<\/ul>
<\/li>
<\/ol>
利用技术<\/h2>
关键数据结构<\/h3>


CRVBOXSVCBUFFER_t<\/strong>：<\/p>
typedef<\/span> struct<\/span> _CRVBOXSVCBUFFER_t {
<\/span><\/span>    uint32_t<\/span> uiId;
<\/span><\/span>    uint32_t<\/span> uiSize;
<\/span><\/span>    void<\/span>*<\/span> pData;
<\/span><\/span>    _CRVBOXSVCBUFFER_t *<\/span>pNext, *<\/span>pPrev;
<\/span><\/span>} CRVBOXSVCBUFFER_t;
<\/span><\/span><\/code><\/pre><\/li>

CRConnection对象<\/strong>：<\/p>

包含各种函数指针和指向缓冲区的指针<\/li>
破坏此对象可获得任意读写和代码执行能力<\/li>
<\/ul>
<\/li>
<\/ol>
利用步骤<\/h3>


堆信息泄露<\/strong>：<\/p>

利用未初始化内存漏洞泄漏CRConnection<\/code>对象指针<\/li>
即使打了CVE-2018-3055补丁，仍可利用此方法<\/li>
<\/ul>
<\/li>

堆喷射<\/strong>：<\/p>

使用alloc_buf()<\/code>喷射大量CRVBOXSVCBUFFER_t<\/code>对象<\/li>
典型参数：spray_len = 0x30<\/code>，spray_num = 0x2000<\/code><\/li>
<\/ul>
<\/li>

第一次溢出<\/strong>：<\/p>

构造恶意消息触发漏洞<\/li>
覆盖相邻CRVBOXSVCBUFFER_t<\/code>的ID和大小字段<\/li>
计算：消息长度0x30，pString偏移0x28，glibc块头0x10，最终需要0x22字节<\/li>
<\/ul>
<\/li>

寻找损坏的缓冲区<\/strong>：<\/p>

遍历ID列表找出被损坏的ID<\/li>
将\0<\/code>替换为\n<\/code>以匹配损坏的ID<\/li>
<\/ul>
<\/li>

第二次溢出<\/strong>：<\/p>

使用损坏的缓冲区覆盖第二个CRVBOXSVCBUFFER_t<\/code><\/li>
构造伪对象指向CRConnection<\/code>对象<\/li>
<\/ul>
<\/li>

建立任意读原语<\/strong>：<\/p>

通过覆盖CRConnection<\/code>的pHostBuffer<\/code>和大小字段<\/li>
使用SHCRGL_GUEST_FN_READ<\/code>命令触发任意读取<\/li>
<\/ul>
<\/li>

实现任意代码执行<\/strong>：<\/p>

覆盖CRConnection<\/code>的函数指针（如Free()<\/code>）<\/li>
将system()<\/code>地址写入函数指针位置<\/li>
触发函数调用执行任意命令<\/li>
<\/ul>
<\/li>
<\/ol>
地址计算<\/h3>

从泄漏的crVBoxHGCMFree<\/code>地址开始：
self.<\/span>crVBoxHGCMFree =<\/span> self.<\/span>read64(self.<\/span>pConn +<\/span> OFFSET_CONN_FREE)
<\/span><\/span>self.<\/span>VBoxOGLhostcrutil =<\/span> self.<\/span>crVBoxHGCMFree -<\/span> 0x20650<\/span>
<\/span><\/span>self.<\/span>memset =<\/span> self.<\/span>read64(self.<\/span>VBoxOGLhostcrutil +<\/span> 0x22e070<\/span>)
<\/span><\/span>self.<\/span>libc =<\/span> self.<\/span>memset -<\/span> 0x18ef50<\/span>
<\/span><\/span>self.<\/span>system =<\/span> self.<\/span>libc +<\/span> 0x4f440<\/span>
<\/span><\/span><\/code><\/pre><\/li>
<\/ol>
实际利用示例<\/h2>
获取flag<\/h3>
由于路径长度限制，使用分段命令：<\/p>
p.<\/span>rip(p.<\/span>system, "mv Desktop a<\/span>\0<\/span>"<\/span>)
<\/span><\/span>p.<\/span>rip(p.<\/span>system, "mv a\/flag.txt b<\/span>\0<\/span>"<\/span>)
<\/span><\/span>p.<\/span>rip(p.<\/span>system, "mousepad b<\/span>\0<\/span>"<\/span>)
<\/span><\/span><\/code><\/pre>防御建议<\/h2>

修复边界检查缺陷，确保所有元素的长度都被验证<\/li>
初始化所有堆分配的内存，防止信息泄露<\/li>
更新到最新版本的VirtualBox<\/li>
禁用不必要的3D加速功能<\/li>
<\/ol>
总结<\/h2>
该漏洞利用展示了如何通过精心构造的堆操作和边界条件缺陷，实现从虚拟机到宿主机的逃逸。关键在于：<\/p>

利用未初始化内存泄露关键地址<\/li>
通过堆喷射控制内存布局<\/li>
利用边界检查缺陷实现堆溢出<\/li>
通过覆盖关键数据结构获得任意代码执行能力<\/li>
<\/ol>
理解此类漏洞有助于提高虚拟化环境的安全性设计和防御能力。<\/p>