Journey To Freedom: escaping from virtualbox

By Corentin BAYET

Description

Exploiting a hypervisor is already a challenge; chaining it with a Windows kernel LPE to achieve full host compromise makes it even harder. At Pwn2Own Vancouver 2024, we broke free from VirtualBox and escalated our privileges on the Windows host, turning a controlled guest VM into full administrator access on the host.

This session dives into VirtualBox’s internals and architecture, offering a comprehensive overview that highlights the critical vulnerabilities we discovered. It will cover how we identified and exploited multiple vulnerabilities, bypassed mitigations, and executed arbitrary code on the host, including insights into research strategy, how we chose what to focus on, the tools we used, and lessons learned from our mistakes.

We’ll conclude with an inside look at the Pwn2Own contest itself: our exploit setup, the hardware surprises, and how everything came together. If you’re into hypervisor exploitation, or just enjoy a good hacking war story, this talk is for you.