Dailydave mailing list archives
Re: Minor Virtualization Vulnerability
From: Rich Mogull <rmogull-dd () securosis com>
Date: Fri, 16 Feb 2007 12:48:27 -0700
Yep, should have thought of that first. I have mine locked down, so forgot it's open on most systems.

On Feb 16, 2007, at 12:21 PM, K F (lists) wrote:

Just drop an InputManager onto the file system. -KF

Rich Mogull wrote:

Last week I accidentally discovered a vulnerability in default installations of Parallels that allows manipulation of the host operating system when it's OS X, leading to code execution. Parallels just changed their default options in the latest release to reduce the chances of this attack, but it's still possible if the user deliberately enables drag and drop throughout the entire file system.

Last Friday Brian Krebs emailed me when he noticed his entire host OS file system being shared with the guest OS (OS X host, Windows guest). According to the Parallels forums, this was a known issue.

By default, Parallels Desktop for Mac enabled Drag and Drop for guest operating systems. This creates a file share called .psf, which allows complete access to the host with the user's current permissions level. But just dropping an application into /Applications doesn't allow execution; I didn't track down why, but I think only read and write were enabled.

After poking around I figured out that code execution, of a sort, is possible through manipulation of launchd (the OS X cron and other job replacement). My first attempt was to create a launchd job and place it into SystemDaemons, but that failed. There's no way to sudo between the guest and host, so even if you're an admin user, you can't hit certain directories. But I was able to create a job (just a plist file, xml) and drop it into the active user's LaunchAgents directory. Log out, log back in, and the job executes. Launchd is very flexible, allowing execution based on time or user events, and can include arguments. At the end of this email is the text of the job I used, if you want to test this yourself. It just launches TextEdit.app at 6pm.

I reported this to Parallels last Friday, had a call with senior management Tuesday, and they released a version with better drag and drop security today. Instead of being a default option, the first time a user attempts to drag and drop they're prompted to enable the feature, and given the option to only enable it for the desktop. While you can still enable it throughout the host file system, that's no longer the default, and there's now a more secure way to drag and drop.

Because of the power of launchd, I suspect there are a variety of ways to use this to execute arbitrary malicious code, without needing full admin rights or having to sudo. Due to the naming convention of file shares between guest and host, it would be trivial to create a Windows binary that could detect it was running in a virtual machine with file sharing enabled, then move the files over to the host OS to execute the attack. I strongly suspect attacks like this are possible across multiple virtualization products that enable file sharing, especially full system volume sharing.

-Rich Mogull

_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
http://lists.immunitysec.com/mailman/listinfo/dailydave
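As an added example (not code from the thread or from Parallels), a defender-side audit of a user's LaunchAgents directory: it parses each launchd plist with Python's plistlib, reports the label, program and trigger keys, and flags files written within the last week, which is the inventory that would surface a job dropped into the directory through a guest-to-host share like the one described above. The sample plist, its label and the TextEdit path are constructed for this example.

```python
"""Inventory launchd LaunchAgents and flag recently written jobs."""
import os
import plistlib
import tempfile
import time

# Constructed sample modelled on the job described in the thread: a per-user
# launchd agent that starts TextEdit at 18:00. Label and path are assumptions.
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>Label</key><string>com.example.textedit-6pm</string>
  <key>ProgramArguments</key>
  <array><string>/Applications/TextEdit.app/Contents/MacOS/TextEdit</string></array>
  <key>StartCalendarInterval</key>
  <dict><key>Hour</key><integer>18</integer><key>Minute</key><integer>0</integer></dict>
</dict>
</plist>
"""

# launchd keys that cause a job to run without the user starting it by hand.
TRIGGER_KEYS = ("RunAtLoad", "KeepAlive", "StartInterval",
                "StartCalendarInterval", "WatchPaths", "QueueDirectories")

def summarize_agent(data: bytes) -> dict:
    """Extract what triage needs from one plist: label, executable, triggers."""
    job = plistlib.loads(data)
    args = list(job.get("ProgramArguments", []))
    program = job.get("Program") or (args[0] if args else None)
    return {"label": job.get("Label"), "program": program,
            "triggers": sorted(k for k in TRIGGER_KEYS if k in job),
            "calendar": job.get("StartCalendarInterval")}

def audit_agents(directory: str, max_age_days: float = 7.0) -> list:
    """Summarize every .plist in a LaunchAgents directory; mark recent files,
    since a job planted through a file share shows up as a fresh write."""
    findings, cutoff = [], time.time() - max_age_days * 86400
    for name in sorted(os.listdir(directory)):
        if not name.endswith(".plist"):
            continue
        path = os.path.join(directory, name)
        with open(path, "rb") as fh:
            info = summarize_agent(fh.read())
        info.update(path=path, recent=os.path.getmtime(path) >= cutoff)
        findings.append(info)
    return findings

def demo() -> list:
    """Write the constructed sample into a scratch directory and audit it."""
    with tempfile.TemporaryDirectory() as d:
        with open(os.path.join(d, "com.example.textedit-6pm.plist"), "wb") as fh:
            fh.write(SAMPLE_PLIST)
        return audit_agents(d)

if __name__ == "__main__":
    for f in demo():
        print(f["label"], f["program"], f["triggers"], "recent" if f["recent"] else "")
```

To run it against a real account, call audit_agents(os.path.expanduser("~/Library/LaunchAgents")) and review any entry whose label or program you did not create.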