TTPwire Vol. 1 · MITRE ATT&CK·Tagged


Google Project Zero

Thinking Outside The Box [dusted off draft from 2017]

Jann Horn · 2025-12-16

ATT&CK techniques detected (3 predictions)

T1095 Non-Application Layer Protocol · 86%
"a leftover spooky action at a distance from alias_dns.c host resolver code and can be g/c'ed. */ if (m->m_len != rt_n2h_u16(ip->ip_len)) m->m_len = rt_n2h_u16(ip->ip_len); one straightforward way to abuse this issue is to send a sm…"

T1497.003 Time Based Checks · 68%
"should be given to system() in memory and determine at which address it was placed. to do this, assuming that the freelist grows downwards linearly, the attacker can first send an ip fragment containing the shell command (causing the ip fragment to be stored), then send a cra…"

T1611 Escape to Host · 46%
"and a bogus length that is bigger than a heap chunk, it is possible to move the packet payload of the following heap chunk over the corresponding heap chunk header. exploitation: going up to host userspace in this part of the post, i’m going to show how it’s possible to brea…"

Summary

Preface

Hello from the future! This is a blogpost I originally drafted in early 2017. I wrote what I intended to be the first half of this post (about escaping from the VM to the VirtualBox host userspace process with CVE-2017-3558), but I never got around to writing the second half (going from the VirtualBox host userspace process to the host kernel), and eventually sorta forgot about this old post draft… But it seems a bit sad to just leave this old draft rotting around forever, so I decided to put it in our blogpost queue now, 8 years after I originally drafted it. I’ve very lightly edited it now (added some links, fixed some grammar), but it’s still almost as I drafted it back then. When you read this post, keep in mind that unless otherwise noted, it is describing the situation as of 2017. Though a lot of the described code seems to not have changed much since then…