Cody Gallagher, a Pwn2Own winner, has detailed CVE-2024-21115, an Out-of-Bounds (OOB) Write in Oracle VirtualBox that can be exploited for privilege escalation. The bug occurs in the VGA device and can be triggered with a single core and 32 MB of VRAM. Gallagher used a race condition in VMMDev to change the hEvent value from 0x23 to 0x21, disabling the critical section. He then exploited a race condition in VGA threads to corrupt a value in VGAState, giving him a read and write primitive. Gallagher used this to leak a pointer to a function in another library, and then scanned for the export table of kernel32.dll to find the address of WinExec. Finally, he called WinExec("calc") to open the calculator application, demonstrating the exploit's potential for code execution.
thezdi.com
