From OSS-SEC: http://www.virtualbox.org/wiki/Changelog: VirtualBox 2.0.6 - Linux/Solaris/Darwin hosts: verify permissions in /tmp/vbox-$USER-ipc These changes match that description: http://www.virtualbox.org/changeset?new=trunk%2Fsrc%2Flibs%2Fxpcom18a4%2Fipc%2Fipcd%2Fdaemon%2Fsrc%2FipcdUnix.cpp%4013810&old=trunk%2Fsrc%2Flibs%2Fxpcom18a4%2Fipc%2Fipcd%2Fdaemon%2Fsrc%2FipcdUnix.cpp%407049 VirtualBox uses /tmp/vbox-$USER-ipc to store a socket and a lock file. The lock file is truncated after a simple open call. AFAICS creating /tmp/vbox-$USER-ipc before the victim starts VirtualBox could therefore be exploited to create files as the victim or truncate files of the victim.
*** This bug has been marked as a duplicate of bug 245958 ***