Oracle VM VirtualBox: Intra-Object Out-Of-Bounds Write in virtioNetR3CtrlVlan

We discussed this vulnerability during Episode 246 on 26 February 2024

Silly vulnerability where the assert statement was written backwards, so the function only “worked” if the uVlanId value was out of bounds. Of course leading to out-of-bounds bit setting in the next bit of code.

 AssertMsgReturn(uVlanId > VIRTIONET_MAX_VLAN_ID,
        ("%s VLAN ID out of range (VLAN ID=%u)\n", pThis->szInst, uVlanId), VIRTIONET_ERROR);

Its almost understandable how this happened as if you read this kinda like an if statement, it actually would work: if(uVlandId > VIRTIONET_MAX_VLAN_ID) then throw this error makes sense. However since it is an assertion you want to write the success case to assert is true so that when it fails you get the error. Ultimately it provides a fairly powerful primitive of relative bit-setting allow one to partially rewrite relative values.

This was used to modify the config so that the pci read commands would read from an arbitrary pointer to leak pointers for an ASLR break. The exploit then wrote a ROP chain and payload into memory, the ROP chain making the payload’s memory executable and then executing it.