Discovered attack is not about some serious hardcore stuff like hypervisor bugs or low-level vulnerabilities in guest-host communication interfaces, it can be easily performed even by very lame Windows malware if your virtual machine has insecure settings.
Parallels Desktop 10.1.1.28614 Software Has ThemIt always was obvious to me, that rich features for communicating with the guest operating systems (almost any modern desktop virtualisation software has them) might be dangerous.Its a nice product and I think that currently it has a much less attention of security researchers than it actually deserving.
There is Access Windows folder from Mac option that looks pretty innocent (please note, that all other sharing options are off). This option is enabled by default for all of the virtual machines as well, and here is the description of this option from Parallels Desktop 10 for Mac Users Guide. By default, you can navigate to all your Windows folders and files from Mac OS X. At the same time, Windows appears as a hard disk mounted on the Mac OS X desktop. By default, the PVM file is either in Users DocumentsParallels or UsersShared. You can also find the PVM file by right-clicking Windows in Parallels Desktop Control Center (or in the virtual machine window when Windows is shut down) and selecting Show in Finder. To access Windows files and folders, right-click the PVM file, select Show Package Contents from the context menu, and open the Windows Disks folder. To disable the ability to navigate to Windows files and folders, deselect Access Windows folders from Mac in step 3 above. Parallels Desktop 10.1.1.28614 Windows 8.1 X64 GuestGuest-side part of this option is implemented as PrlToolsShellExt.dll shell extension (MD5 sum of DLL with version 10.1.1.28614 on my Windows 8.1 x64 guest is 97D15FB584C589FA297434E08CD0252F ). Menu item click handler is located at function sub180005834() and after some pre-processing of input values it sends IOCTL request to the device Deviceprltg that aims to one of the Paralles kernel mode drivers ( prltg.sys ). Its also interesting and useful, that this action can be triggered from Windows user account with any privileges (including Guest). Unfortunately, we cant execute a shell script or AppleScript file in this way because such files will be opened in a text editor. But theres still a lot of other evil things that attacker can do with the ability of arbitrary file opening. For example, its possible to write a Java.class that executes specified command and saves its output to the guest file system (that usually mounted at Volumes ): public static void main(String args). Parallels Desktop 10.1.1.28614 Code Execution AtIts absolutely not obvious for user, that guest file system sharing can lead to arbitrary code execution at the host side. This issue is also relevant to other guest operating systems (like Linux and OS X), however, provided PoC was designed only for Windows.
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |