Oracle VM VirtualBox: Intra-Object Out-Of-Bounds Write in virtioNetR3CtrlVlan
Silly vulnerability where the assert statement was written backwards, so the function only “worked” if the uVlanId
value was out of bounds. Of course leading to out-of-bounds bit setting in the next bit of code.
AssertMsgReturn(uVlanId > VIRTIONET_MAX_VLAN_ID,
("%s VLAN ID out of range (VLAN ID=%u)\n", pThis->szInst, uVlanId), VIRTIONET_ERROR);
Its almost understandable how this happened as if you read this kinda like an if
statement, it actually would work: if(uVlandId > VIRTIONET_MAX_VLAN_ID)
then throw this error makes sense. However since it is an assertion you want to write the success case to assert is true so that when it fails you get the error. Ultimately it provides a fairly powerful primitive of relative bit-setting allow one to partially rewrite relative values.
This was used to modify the config so that the pci read commands would read from an arbitrary pointer to leak pointers for an ASLR break. The exploit then wrote a ROP chain and payload into memory, the ROP chain making the payload’s memory executable and then executing it.