Attack vector
LOCAL Attack complexity
MEDIUM Privileges required
NONE Confidentiality impact
COMPLETE Integrity impact
COMPLETE Availability impact
COMPLETE Published: 2014-03-31
Updated: 2018-10-09
Summary
Multiple array index errors in programs that are automatically generated by VBox/HostServices/SharedOpenGL/crserverlib/server_dispatch.py in Oracle VirtualBox 4.2.x through 4.2.20 and 4.3.x before 4.3.8, when using 3D Acceleration, allow local guest OS users to execute arbitrary code on the Chromium server via certain CR_MESSAGE_OPCODES messages with a crafted index, which are not properly handled by the (1) CR_VERTEXATTRIB4NUBARB_OPCODE to the crServerDispatchVertexAttrib4NubARB function, (2) CR_VERTEXATTRIB1DARB_OPCODE to the crServerDispatchVertexAttrib1dARB function, (3) CR_VERTEXATTRIB1FARB_OPCODE to the crServerDispatchVertexAttrib1fARB function, (4) CR_VERTEXATTRIB1SARB_OPCODE to the crServerDispatchVertexAttrib1sARB function, (5) CR_VERTEXATTRIB2DARB_OPCODE to the crServerDispatchVertexAttrib2dARB function, (6) CR_VERTEXATTRIB2FARB_OPCODE to the crServerDispatchVertexAttrib2fARB function, (7) CR_VERTEXATTRIB2SARB_OPCODE to the crServerDispatchVertexAttrib2sARB function, (8) CR_VERTEXATTRIB3DARB_OPCODE to the crServerDispatchVertexAttrib3dARB function, (9) CR_VERTEXATTRIB3FARB_OPCODE to the crServerDispatchVertexAttrib3fARB function, (10) CR_VERTEXATTRIB3SARB_OPCODE to the crServerDispatchVertexAttrib3sARB function, (11) CR_VERTEXATTRIB4DARB_OPCODE to the crServerDispatchVertexAttrib4dARB function, (12) CR_VERTEXATTRIB4FARB_OPCODE to the crServerDispatchVertexAttrib4fARB function, and (13) CR_VERTEXATTRIB4SARB_OPCODE to the crServerDispatchVertexAttrib4sARB function.
Vulnerable Configurations
| Part | Description | Count |
| Application | Oracle | 15 |
Common Weakness Enumeration (CWE)
Exploit-Db
| description | Oracle VirtualBox 3D Acceleration - Multiple Vulnerabilities. CVE-2014-0981,CVE-2014-0982,CVE-2014-0983. Dos exploits for multiple platform |
| file | exploits/multiple/dos/32208.txt |
| id | EDB-ID:32208 |
| last seen | 2016-02-03 |
| modified | 2014-03-12 |
| platform | multiple |
| port | |
| published | 2014-03-12 |
| reporter | Core Security |
| source | https://www.exploit-db.com/download/32208/ |
| title | Oracle VirtualBox 3D Acceleration - Multiple Vulnerabilities |
| type | dos |
| description | VirtualBox 3D Acceleration Virtual Machine Escape. CVE-2014-0983,CVE-2015-4523. Remote exploit for win64 platform |
| id | EDB-ID:34334 |
| last seen | 2016-02-03 |
| modified | 2014-08-14 |
| published | 2014-08-14 |
| reporter | metasploit |
| source | https://www.exploit-db.com/download/34334/ |
| title | VirtualBox 3D Acceleration Virtual Machine Escape |
Metasploit
| description | This module exploits a vulnerability in the 3D Acceleration support for VirtualBox. The vulnerability exists in the remote rendering of OpenGL-based 3D graphics. By sending a sequence of specially crafted rendering messages, a virtual machine can exploit an out of bounds array access to corrupt memory and escape to the host. This module has been tested successfully on Windows 7 SP1 (64 bits) as Host running Virtual Box 4.3.6. |
| id | MSF:EXPLOIT/WINDOWS/LOCAL/VIRTUAL_BOX_OPENGL_ESCAPE |
| last seen | 2020-05-20 |
| modified | 2017-09-14 |
| published | 2014-08-09 |
| references | |
| reporter | Rapid7 |
| source | https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/windows/local/virtual_box_opengl_escape.rb |
| title | VirtualBox 3D Acceleration Virtual Machine Escape |
Nessus
| NASL family | Windows |
| NASL id | VIRTUALBOX_4_3_8.NASL |
| description | The remote host contains a version of Oracle VM VirtualBox that is 3.2.x prior to 3.2.22, 4.0.24, 4.1.32, 4.2.24 or 4.3.8. It is, therefore, potentially affected by the following vulnerabilities : - An input validation error exists in the function |
| last seen | 2020-06-01 |
| modified | 2020-06-02 |
| plugin id | 72985 |
| published | 2014-04-16 |
| reporter | This script is Copyright (C) 2014-2018 Tenable Network Security, Inc. |
| source | https://www.tenable.com/plugins/nessus/72985 |
| title | Oracle VM VirtualBox < 3.2.22 / 4.0.24 / 4.1.32 / 4.2.24 / 4.3.8 Multiple Memory Corruption |
| NASL family | Debian Local Security Checks |
| NASL id | DEBIAN_DSA-2904.NASL |
| description | Francisco Falcon discovered that missing input sanitizing in the 3D acceleration code in VirtualBox could lead to the execution of arbitrary code on the host system. |
| last seen | 2020-03-17 |
| modified | 2014-04-16 |
| plugin id | 73534 |
| published | 2014-04-16 |
| reporter | This script is Copyright (C) 2014-2020 and is owned by Tenable, Inc. or an Affiliate thereof. |
| source | https://www.tenable.com/plugins/nessus/73534 |
| title | Debian DSA-2904-1 : virtualbox - security update |
| NASL family | Gentoo Local Security Checks |
| NASL id | GENTOO_GLSA-201612-27.NASL |
| description | The remote host is affected by the vulnerability described in GLSA-201612-27 (VirtualBox: Multiple vulnerabilities) Multiple vulnerabilities have been discovered in VirtualBox. Please review the CVE identifiers referenced below for details. Impact : Local attackers could cause a Denial of Service condition, execute arbitrary code, or escalate their privileges. Workaround : There is no known workaround at this time. |
| last seen | 2020-06-01 |
| modified | 2020-06-02 |
| plugin id | 95695 |
| published | 2016-12-12 |
| reporter | This script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof. |
| source | https://www.tenable.com/plugins/nessus/95695 |
| title | GLSA-201612-27 : VirtualBox: Multiple vulnerabilities (Venom) |
Seebug
| bulletinFamily | exploit |
| description | No description provided by source. |
| id | SSV:85507 |
| last seen | 2017-11-19 |
| modified | 2014-07-01 |
| published | 2014-07-01 |
| reporter | Root |
| source | https://www.seebug.org/vuldb/ssvid-85507 |
| title | Oracle VirtualBox 3D Acceleration - Multiple Vulnerabilities |