Dailydave mailing list archives

Minor Virtualization Vulnerability


From: Rich Mogull <rmogull-dd () securosis com>
Date: Fri, 16 Feb 2007 10:20:32 -0700

Last week I accidentally discovered a vulnerability in default  
installations of Parallels that allows manipulation of the host  
operating system when it's OS X, leading to code execution. Parallels  
just changed their default options in the latest release to reduce  
the chances of this attack, but it's still possible if the user  
deliberately enables drag and drop throughout the entire file system.

Last Friday Brian Krebs emailed me when he noticed his entire host OS  
file system being shared with the guest OS (OS X host, Windows  
guest). According to the Parallels forums, this was a known issue. By  
default, Parallels Desktop for Mac enabled Drag and Drop for guest  
operating systems. This creates a file share called .psf, which  
allows complete access to the host with the user's current  
permissions level.

But just dropping an application into /Applications doesn't allow  
execution - I didn't track down why, but I think only read and write  
were enabled.

After poking around I figured out that code execution, of a sort, is  
possible through manipulation of launchd (the OS X cron and other job  
replacement).

My first attempt was to create a launchd job and place it into  
SystemDaemons, but that failed. There's no way to sudo between the  
guest and host, so even if you're an admin user, you can't hit  
certain directories.

But I was able to create a job (just a plist file, xml) and drop it  
into the active user's LaunchAgents directory. Log out, log back in,  
and the job executes.

Launchd is very flexible, allowing execution based on time or user  
events, and can include arguments. At the end of this email is the  
text of the job I used, if you want to test this yourself. It just  
launches TextEdit.app at 6pm.
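As an added, defender-side example (not code from Rich's email or from Parallels): a small Python audit that parses per-user LaunchAgents plists and reports any job whose Label is not on an allow-list, together with the command it runs and the keys that trigger it. The sample plist is constructed to match the kind of job described above (TextEdit at 18:00 via StartCalendarInterval); the label, the allow-list and the directory path are assumptions.

```python
import plistlib
from pathlib import Path
from typing import Iterable, List, Tuple

# Constructed sample agent (hypothetical label), not the author's file.
SAMPLE_AGENT = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>Label</key><string>com.example.dropped</string>
  <key>ProgramArguments</key>
  <array><string>/usr/bin/open</string><string>-a</string><string>TextEdit</string></array>
  <key>StartCalendarInterval</key>
  <dict><key>Hour</key><integer>18</integer><key>Minute</key><integer>0</integer></dict>
</dict>
</plist>
"""

# launchd keys that decide *when* a job fires; any of them makes a dropped plist live.
TRIGGER_KEYS = ("RunAtLoad", "KeepAlive", "StartInterval",
                "StartCalendarInterval", "WatchPaths", "QueueDirectories")


def describe_agent(data: bytes) -> dict:
    """Extract the fields that determine what a launchd job runs and when it runs."""
    job = plistlib.loads(data)
    args = job.get("ProgramArguments") or ([job["Program"]] if "Program" in job else [])
    return {
        "label": job.get("Label"),
        "command": " ".join(args),
        "triggers": [k for k in TRIGGER_KEYS if k in job],
        "schedule": job.get("StartCalendarInterval"),
    }


def audit_agents(agents: Iterable[Tuple[str, bytes]], known_labels: set) -> List[dict]:
    """Return one finding per agent whose Label is not in the allow-list (or that fails to parse)."""
    findings = []
    for name, data in agents:
        try:
            info = describe_agent(data)
        except Exception as exc:  # malformed plist is itself worth reporting
            findings.append({"file": name, "error": str(exc)})
            continue
        if info["label"] not in known_labels:
            findings.append(dict(info, file=name))
    return findings


def audit_launch_agents_dir(agent_dir: Path, known_labels: set) -> List[dict]:
    """Convenience wrapper: audit every *.plist in a LaunchAgents directory (assumed path)."""
    files = [(p.name, p.read_bytes()) for p in sorted(agent_dir.glob("*.plist"))]
    return audit_agents(files, known_labels)
```

Run `audit_launch_agents_dir(Path.home() / "Library/LaunchAgents", known)` with a baseline set of labels taken from a clean account; anything reported has a trigger and a command that deserve a look.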

I reported this to Parallels last Friday, had a call with senior  
management Tuesday, and they released a version with better drag and  
drop security today. Instead of being a default option, the first  
time a user attempts to drag and drop they're prompted to enable the  
feature, and given the option to only enable it for the desktop.  
While you can still enable it throughout the host file system, that's  
no longer the default, and there's now a more secure way to drag and  
drop.

Because of the power of launchd, I suspect there are a variety of  
ways to use this to execute arbitrary malicious code, without needing  
full admin rights or having to sudo.

Due to the naming convention of file shares between guest and host,  
it would be trivial to create a Windows binary that could detect it  
was running in a virtual machine with file sharing enabled, then move  
the files over to the host OS to execute the attack. I strongly  
suspect attacks like this are possible across multiple virtualization  
products that enable file sharing, especially full system volume  
sharing.

-Rich Mogull
