[Dailydave] Minor Virtualization Vulnerability

Rich Mogull rmogull-dd at securosis.com
Fri Feb 16 14:48:27 EST 2007


Yep - should have thought of that first. I have mine locked down, so
forgot it's open on most systems.


On Feb 16, 2007, at 12:21 PM, K F (lists) wrote:

> Just drop an InputManager onto the file system.
> -KF
>
>
> Rich Mogull wrote:
>> Last week I accidentally discovered a vulnerability in default
>> installations of Parallels that allows manipulation of the host
>> operating system when it's OS X, leading to code execution.
>> Parallels just changed their default options in the latest
>> release to reduce the chances of this attack, but it's still
>> possible if the user deliberately enables drag and drop
>> throughout the entire file system.
>>
>> Last Friday Brian Krebs emailed me when he noticed his entire host
>> OS file system being shared with the guest OS (OS X host,
>> Windows guest). According to the Parallels forums, this was a
>> known issue. By default, Parallels Desktop for Mac enabled Drag
>> and Drop for guest operating systems. This creates a file share
>> called .psf, which allows complete access to the host with the
>> user's current permissions level.
>>
>> But just dropping an application into /Applications doesn't allow
>> execution - I didn't track down why, but I think only read and
>> write were enabled.
>>
>> After poking around I figured out that code execution, of a sort,
>> is possible through manipulation of launchd (the OS X cron and
>> other job replacement).
>>
>> My first attempt was to create a launchd job and place it into
>> SystemDaemons, but that failed. There's no way to sudo between
>> the guest and host, so even if you're an admin user, you can't
>> hit certain directories.
>>
>> But I was able to create a job (just a plist file, xml) and drop
>> it into the active user's LaunchAgents directory. Log out, log
>> back in, and the job executes.
>>
>> Launchd is very flexible, allowing execution based on time or
>> user events, and can include arguments. At the end of this email
>> is the text of the job I used, if you want to test this yourself.
>> It just launches TextEdit.app at 6pm.
>>
>> I reported this to Parallels last Friday, had a call with senior
>> management Tuesday, and they released a version with better drag
>> and drop security today. Instead of being a default option, the
>> first time a user attempts to drag and drop they're prompted to
>> enable the feature, and given the option to only enable it for
>> the desktop. While you can still enable it throughout the host
>> file system, that's no longer the default, and there's now a more
>> secure way to drag and drop.
>>
>> Because of the power of launchd, I suspect there are a variety of
>> ways to use this to execute arbitrary malicious code, without
>> needing full admin rights or having to sudo.
>>
>> Due to the naming convention of file shares between guest and
>> host, it would be trivial to create a Windows binary that could
>> detect it was running in a virtual machine with file sharing
>> enabled, then move the files over to the host OS to execute the
>> attack. I strongly suspect attacks like this are possible across
>> multiple virtualization products that enable file sharing,
>> especially full system volume sharing.
>>
>> -Rich Mogull
>>
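The quoted report turns on one mechanism: a plist dropped into the active user's LaunchAgents directory runs whatever program it names, at whatever trigger it specifies, the next time the user logs in. The defender's counterpart is to audit that directory. The script below is an added example, not part of the thread and not Parallels or Apple code; it assumes only the standard launchd job keys (Label, Program, ProgramArguments, StartCalendarInterval, RunAtLoad and similar) and the default per-user agent path `~/Library/LaunchAgents`. Both sample plists, their labels and program paths are constructed for the demonstration; the first mirrors the "launch TextEdit at 6pm" job the mail describes.

```python
"""Audit per-user LaunchAgents: report what each job runs, when, and flag
jobs whose executable lives outside system-managed locations.

Added example for illustration; not code from the original thread.
"""
import plistlib
import tempfile
from pathlib import Path

# Constructed sample 1: a job like the one in the mail, launching TextEdit
# at 18:00 via StartCalendarInterval. Label is made up.
SAMPLE_AGENT = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>Label</key><string>com.example.evening-textedit</string>
  <key>ProgramArguments</key>
  <array><string>/Applications/TextEdit.app/Contents/MacOS/TextEdit</string></array>
  <key>StartCalendarInterval</key>
  <dict><key>Hour</key><integer>18</integer><key>Minute</key><integer>0</integer></dict>
</dict>
</plist>
"""

# Constructed sample 2: same trigger, but the program sits in a user-writable
# path, which is what a write-only file-share drop could create.
SUSPECT_AGENT = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>Label</key><string>com.example.updater</string>
  <key>ProgramArguments</key>
  <array><string>/Users/example/Library/Caches/updater</string><string>--quiet</string></array>
  <key>RunAtLoad</key><true/>
</dict>
</plist>
"""

# launchd keys that cause a job to be started without the user asking.
TRIGGER_KEYS = ("RunAtLoad", "StartCalendarInterval", "StartInterval",
                "WatchPaths", "QueueDirectories", "KeepAlive")
# Locations an unprivileged user cannot normally write to (assumed defaults).
TRUSTED_PREFIXES = ("/System/", "/usr/", "/bin/", "/sbin/", "/Applications/")
# Locations any user (or a guest with a host share) can write to.
WRITABLE_PREFIXES = ("/Users/", "/tmp/", "/private/tmp/", "/Volumes/")


def describe_agent(data: bytes) -> dict:
    """Parse one plist and return label, argv and the triggers it declares."""
    job = plistlib.loads(data)
    if "ProgramArguments" in job:
        argv = list(job["ProgramArguments"])
    elif "Program" in job:
        argv = [job["Program"]]
    else:
        argv = []
    triggers = {k: job[k] for k in TRIGGER_KEYS if k in job}
    return {"label": job.get("Label", "<no label>"), "argv": argv, "triggers": triggers}


def audit_agent(data: bytes, trusted=TRUSTED_PREFIXES, writable=WRITABLE_PREFIXES) -> list:
    """Return a list of human-readable findings; empty means nothing stood out."""
    info = describe_agent(data)
    findings = []
    if not info["argv"]:
        findings.append("no Program/ProgramArguments: job is inert or malformed")
        return findings
    exe = info["argv"][0]
    if not exe.startswith("/"):
        findings.append(f"relative executable path {exe!r}: resolved through launchd's PATH")
    elif not exe.startswith(trusted):
        findings.append(f"executable outside system-managed paths: {exe}")
    if exe.startswith(writable):
        findings.append(f"executable on a user-writable path: {exe}")
    return findings


def scan_launch_agents(directory: Path) -> dict:
    """Audit every *.plist in a LaunchAgents directory, keyed by file name."""
    report = {}
    for path in sorted(directory.glob("*.plist")):
        try:
            report[path.name] = audit_agent(path.read_bytes())
        except Exception as exc:  # unparsable plists are a finding too
            report[path.name] = [f"could not parse plist: {exc}"]
    return report


if __name__ == "__main__":
    # Write the constructed samples to a scratch directory and scan it;
    # on a real host point scan_launch_agents at ~/Library/LaunchAgents.
    with tempfile.TemporaryDirectory() as tmp:
        d = Path(tmp)
        (d / "com.example.evening-textedit.plist").write_bytes(SAMPLE_AGENT)
        (d / "com.example.updater.plist").write_bytes(SUSPECT_AGENT)
        for name, findings in scan_launch_agents(d).items():
            info = describe_agent((d / name).read_bytes())
            print(f"{name}: runs {info['argv']} on {list(info['triggers'])}")
            for f in findings:
                print("   !", f)
```

The TextEdit job produces no finding because its executable is under `/Applications`, which matches the mail's observation that a dropped app there could not be made to execute; the job is still reported with its trigger so an analyst sees every scheduled program. The second job is flagged twice, once for not living under a trusted prefix and once for sitting on a path the user (and therefore a guest with a full-volume share) can write.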


