Full Report
Preface

Hello from the future! This is a blogpost I originally drafted in early 2017. I wrote what I intended to be the first half of this post (about escaping from the VM to the VirtualBox host userspace process with CVE-2017-3558), but I never got around to writing the second half (going from the VirtualBox host userspace process to the host kernel), and eventually sorta forgot about this old post draft… But it seems a bit sad to just leave this old draft rotting around forever, so I decided to put it in our blogpost queue now, 8 years after I originally drafted it. I’ve very lightly edited it now (added some links, fixed some grammar), but it’s still almost as I drafted it back then. When you read this post, keep in mind that unless otherwise noted, it is describing the situation as of 2017. Though a lot of the described code seems to not have changed much since then…
Analysis Summary
# Vulnerability: Out-of-Bounds Write in VirtualBox Slirp Packet Allocator Leading to Host User Mode Code Execution
## CVE Details
- CVE ID: CVE-2017-3558
- CVSS Score: N/A (not given in the source text; the described outcome, code execution in the host process, suggests high severity)
- CWE: CWE-787 (Out-of-bounds Write)
## Affected Systems
- Products: VirtualBox (specifically the Slirp implementation used for NAT networking)
- Versions: Not enumerated in the article; the builds available from the standard download pages in 2017 are implied to be vulnerable when built with the default configuration. The article suggests the issue might persist in later versions if the code is unchanged.
- Configurations: Default, non-strict release builds of VirtualBox running on the host (e.g., Linux hosts).
## Vulnerability Description
The vulnerability exists in VirtualBox's custom zone allocator (`zone_clust`), which the Slirp NAT networking component uses to store packet data, in particular incoming ethernet frames. This allocator stores its metadata inline, immediately before each heap chunk, as a `struct item`.
The core flaw is in `uma_zfree_arg()`. In release builds, the assertion that the zone pointer (`it->zone`) is valid is compiled out because `Assert()` expands to nothing. When a chunk is freed via `slirp_uma_free()`, the unchecked `it->zone` is dereferenced to call `zone->pfFree()`. An attacker who can forge a chunk's inline metadata header can therefore replace the `zone` pointer with an arbitrary address.
When `slirp_uma_free()` then runs, the function pointers it reaches through the controlled `zone` (`pfFini` or `pfDtor`) are whatever the attacker placed there, so the call transfers control to an attacker-chosen address: arbitrary code execution in the VirtualBox host userspace process.
The article details a multi-step exploitation chain built on an out-of-bounds (OOB) write primitive obtained by manipulating packet data lengths during fragment reassembly, which lets the attacker write 14 bytes at a time. That primitive is used to overwrite the process's Global Offset Table (GOT), locate the address of a useful function (e.g., `system()`), and execute arbitrary commands via a second controlled OOB write onto the GOT.
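The release-build weakness described above is a general pattern, not something specific to Slirp: a safety check that lives only in an assertion disappears from the binary that ships. The following C is an added example written for this report, not VirtualBox's code. It models a small inline-metadata allocator in the same shape as `struct item` (a header with a `zone` pointer in front of the payload), a free path whose only guard is an `assert()` (which `NDEBUG`, the analogue of a non-strict build that turns `Assert()` into a no-op, compiles away), and a hardened free path that validates the header with ordinary control flow and accepts only a zone pointer found in a registry of zones the allocator itself created, before any function pointer in it is used. All names other than `struct item`, `zone` and `pfFree` are assumptions, and the forged pointer value is constructed for the demonstration.

```c
#include <assert.h>
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>

/* Hypothetical layout modelled on the inline-metadata pattern in the report.
 * zone_t, item_t, zone_register, zone_alloc and zfree_* are assumed names;
 * this is not VirtualBox's Slirp allocator. */
typedef struct zone {
    const char *name;
    void (*pfFree)(void *payload);   /* per-zone release hook (name from report) */
    size_t chunk_size;
} zone_t;

typedef struct item {
    uint32_t magic;        /* cheap sanity tag, not a security boundary on its own */
    const zone_t *zone;    /* the pointer a forged header can overwrite */
    size_t len;
    /* payload follows immediately after this header */
} item_t;

#define ITEM_MAGIC 0x4d455449u

/* Registry of zones the allocator created. A free path that accepts only a
 * zone pointer present here cannot be steered to an attacker-chosen address,
 * because the registry is not reachable from any packet-writable chunk. */
#define MAX_ZONES 8
static const zone_t *g_zones[MAX_ZONES];
static size_t g_nzones;

static int g_free_calls;   /* observable side effect used by the demo/test */
static void packet_release(void *payload) { (void)payload; g_free_calls++; }

int zone_register(const zone_t *z) {
    if (g_nzones >= MAX_ZONES) return -1;
    g_zones[g_nzones++] = z;
    return 0;
}

static int zone_is_registered(const zone_t *z) {
    for (size_t i = 0; i < g_nzones; i++)
        if (g_zones[i] == z) return 1;
    return 0;
}

/* Allocate a chunk with its header stored inline, as the report describes. */
void *zone_alloc(const zone_t *z, size_t len) {
    item_t *it = calloc(1, sizeof *it + len);
    if (!it) return NULL;
    it->magic = ITEM_MAGIC;
    it->zone = z;
    it->len = len;
    return it + 1;
}

/* Weak form: the only validation is an assert(), which a release build
 * (NDEBUG) removes, so it->zone is then used unchecked. Returns 0. */
int zfree_weak(void *payload) {
    item_t *it = (item_t *)payload - 1;
    assert(it->zone != NULL && it->magic == ITEM_MAGIC);
    it->zone->pfFree(payload);       /* indirect call through header data */
    free(it);
    return 0;
}

/* Hardened form: the checks are real control flow that survives release
 * builds, and the zone must be one the allocator registered. Returns 0 on
 * success, -1 if the header is corrupt (the chunk is then left alone rather
 * than trusted; a production allocator would log and abort here). */
int zfree_checked(void *payload) {
    item_t *it = (item_t *)payload - 1;
    if (it->magic != ITEM_MAGIC) return -1;
    if (!zone_is_registered(it->zone)) return -1;
    it->zone->pfFree(payload);
    free(it);
    return 0;
}

/* Demo: one intact chunk and one whose header has been clobbered the way an
 * out-of-bounds write into a neighbouring chunk would clobber it. Returns 1
 * if the intact chunk is released and the forged one is rejected without any
 * call through the bogus pointer. */
int demo_forged_header_rejected(void) {
    static const zone_t pkt = { "packet", packet_release, 1514 };
    g_nzones = 0;
    g_free_calls = 0;
    zone_register(&pkt);

    void *good = zone_alloc(&pkt, 64);
    void *bad  = zone_alloc(&pkt, 64);
    /* Constructed test value standing in for an attacker-written pointer. */
    ((item_t *)bad - 1)->zone = (const zone_t *)(uintptr_t)0x41414141u;

    int ok = zfree_checked(good);    /* accepted: pfFree runs once */
    int rc = zfree_checked(bad);     /* rejected before any indirect call */
    free((item_t *)bad - 1);         /* demo cleanup of the rejected chunk */
    return (ok == 0 && rc == -1 && g_free_calls == 1) ? 1 : 0;
}
```

The point of the registry check is that it does not depend on build flags and does not trust anything stored next to attacker-controlled data: the only way a pointer passes is to be one the allocator handed out itself. A magic value alone is weaker, since an attacker who can write the header can write the magic too; it is kept here only as a fast path for catching accidental corruption.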
## Exploitation
- Status: **PoC available** (The article describes the steps taken to achieve exploitation, implying a successful proof-of-concept existed in 2017).
- Complexity: **Medium/High** (Requires precise heap manipulation via crafting specific network packets, manipulating buffer lengths, and controlling memory layout like the GOT).
- Attack Vector: **Adjacent** (Requires network connection into the VM and sending specially crafted packets that are processed by the vulnerable Slirp component).
## Impact
- Confidentiality: **High** (If `system()` is successfully invoked, arbitrary information disclosure is possible).
- Integrity: **High** (The attacker can achieve arbitrary code execution in the VirtualBox host userspace process).
- Availability: **High** (Code execution could lead to process termination or denial of service).
## Remediation
### Patches
- The article implies this vulnerability stems from issues addressed in 2017. Specific patch details or versions are not provided but are associated with CVE-2017-3558. Users should apply the official Oracle VirtualBox security updates released around 2017 that correspond to this CVE.
### Workarounds
- Directly disabling NAT networking mode for virtual machines might serve as a temporary mitigation if the vulnerability relies exclusively on the Slirp implementation for NAT.
## Detection
- **Indicators of Compromise (IoCs):** Unusual or unexpected memory corruption or API calls within the VirtualBox host process memory space, particularly within regions allocated for network packet handling. The exploitation steps involve specific GOT overwrites.
- **Detection Methods and Tools:** Monitoring memory access patterns in the VirtualBox host process, especially during network frame processing if instrumentation tools are available. Reviewing forensic artifacts for process memory regions overwritten with known GOT entries or function pointers if the attack succeeded.
## References
- Vendor Advisories: Related to CVE-2017-3558 disclosures by Oracle/VirtualBox.
- Relevant Links:
  - https://bugs.chromium.org/p/project-zero/issues/detail?id=1086 (underlying issue report)
  - https://projectzero.google/2025/12/thinking-outside-the-box.html (full article source)