Dailydave mailing list archives

Re: Minor Virtualization Vulnerability


From: Rich Mogull <rmogull-dd () securosis com>
Date: Fri, 16 Feb 2007 12:48:27 -0700

Yep, should have thought of that first. I have mine locked down, so
forgot it's open on most systems.


On Feb 16, 2007, at 12:21 PM, K F (lists) wrote:

Just drop an InputManager onto the file system.
-KF


Rich Mogull wrote:
Last week I accidentally discovered a vulnerability in default
installations of Parallels that allows manipulation of the host
operating system when it's OS X, leading to code execution.
Parallels just changed their default options in the latest release
to reduce the chances of this attack, but it's still possible if the
user deliberately enables drag and drop throughout the entire file
system.

Last Friday Brian Krebs emailed me when he noticed his entire host
OS file system being shared with the guest OS (OS X host, Windows
guest). According to the Parallels forums, this was a known issue.
By default, Parallels Desktop for Mac enabled Drag and Drop for
guest operating systems. This creates a file share called .psf,
which allows complete access to the host with the user's current
permissions level.

But just dropping an application into /Applications doesn't allow
execution; I didn't track down why, but I think only read and write
were enabled.

After poking around I figured out that code execution, of a sort,
is possible through manipulation of launchd (the OS X cron and
other job replacement).

My first attempt was to create a launchd job and place it into
SystemDaemons, but that failed. There's no way to sudo between the
guest and host, so even if you're an admin user, you can't hit
certain directories.

But I was able to create a job (just a plist file, xml) and drop it
into the active user's LaunchAgents directory. Log out, log back
in, and the job executes.

Launchd is very flexible, allowing execution based on time or user
events, and can include arguments. At the end of this email is the
text of the job I used, if you want to test this yourself. It just
launches TextEdit.app at 6pm.

I reported this to Parallels last Friday, had a call with senior
management Tuesday, and they released a version with better drag
and drop security today. Instead of being a default option, the
first time a user attempts to drag and drop they're prompted to
enable the feature, and given the option to only enable it for the
desktop. While you can still enable it throughout the host file
system, that's no longer the default, and there's now a more secure
way to drag and drop.

Because of the power of launchd, I suspect there are a variety of
ways to use this to execute arbitrary malicious code, without
needing full admin rights or having to sudo.

Due to the naming convention of file shares between guest and host,
it would be trivial to create a Windows binary that could detect it
was running in a virtual machine with file sharing enabled, then
move the files over to the host OS to execute the attack. I strongly
suspect attacks like this are possible across multiple
virtualization products that enable file sharing, especially full
system volume sharing.

-Rich Mogull

_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
http://lists.immunitysec.com/mailman/listinfo/dailydave
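The LaunchAgent technique Rich describes (a plist dropped into the user's ~/Library/LaunchAgents that launchd runs on a StartCalendarInterval trigger), as an added example that is not part of the original thread and is not the plist Rich says he attached. It builds an agent equivalent to "launch TextEdit.app at 6pm" and then audits a directory's worth of agents for the pattern a dropped job would show: an automatic trigger plus a program living outside the system and application trees. The labels, the exact ProgramArguments, the TRUSTED_PREFIXES list and the sample agents are all constructed for illustration.

```python
"""Build a macOS LaunchAgent like the one described in the post, and audit
a set of agents for dropped jobs.  All labels, paths and heuristics here are
assumptions for illustration, not the original poster's plist."""
import plistlib
import xml.parsers.expat
from pathlib import PurePosixPath

# Where a per-user LaunchAgent is normally expected to find its program.
# Assumed list; tune it to your own fleet.
TRUSTED_PREFIXES = ("/System/", "/usr/", "/bin/", "/sbin/",
                    "/Applications/", "/Library/")

# launchd keys that make a job run without anyone invoking it by hand.
AUTO_TRIGGERS = ("RunAtLoad", "StartCalendarInterval", "StartInterval",
                 "WatchPaths", "QueueDirectories", "KeepAlive")


def build_launch_agent(label, program_args, hour, minute):
    """Return XML plist bytes for an agent that runs program_args daily at
    hour:minute.  StartCalendarInterval is launchd's cron-style trigger;
    any omitted key (Day, Month, Weekday) means 'every'."""
    job = {
        "Label": label,
        "ProgramArguments": list(program_args),
        "StartCalendarInterval": {"Hour": hour, "Minute": minute},
    }
    return plistlib.dumps(job)


def load_job(blob):
    """Parse plist bytes into a dict (raises on malformed input)."""
    return plistlib.loads(blob)


def audit_launch_agents(agents):
    """agents: mapping filename -> plist bytes, e.g. the contents of
    ~/Library/LaunchAgents.  Returns (filename, reason) findings for jobs
    that fire automatically and run a program outside TRUSTED_PREFIXES."""
    findings = []
    for name, blob in agents.items():
        try:
            job = load_job(blob)
        except (plistlib.InvalidFileException, xml.parsers.expat.ExpatError):
            findings.append((name, "unparseable plist"))
            continue
        args = job.get("ProgramArguments") or (
            [job["Program"]] if "Program" in job else [])
        if not args:
            findings.append((name, "no program specified"))
            continue
        triggers = [k for k in AUTO_TRIGGERS if k in job]
        program = str(PurePosixPath(args[0]))
        if triggers and not program.startswith(TRUSTED_PREFIXES):
            findings.append((name, "%s runs on %s from an untrusted location"
                             % (program, ",".join(triggers))))
    return findings


# Constructed sample directory: the TextEdit-at-6pm job from the post, a
# job dropped from a shared folder that runs at login, and a WatchPaths job
# pointing into the home directory (hypothetical paths throughout).
SAMPLE_AGENTS = {
    "com.example.textedit.plist": build_launch_agent(
        "com.example.textedit", ["/usr/bin/open", "-a", "TextEdit"], 18, 0),
    "com.example.dropped.plist": plistlib.dumps({
        "Label": "com.example.dropped",
        "ProgramArguments": ["/Users/victim/Public/payload.sh"],
        "RunAtLoad": True,
    }),
    "com.example.watch.plist": plistlib.dumps({
        "Label": "com.example.watch",
        "Program": "/Users/victim/Library/Scripts/sync.sh",
        "WatchPaths": ["/Users/victim/Public"],
    }),
}

if __name__ == "__main__":
    print(build_launch_agent("com.example.textedit",
                             ["/usr/bin/open", "-a", "TextEdit"], 18, 0).decode())
    for name, reason in audit_launch_agents(SAMPLE_AGENTS):
        print("FLAG %s: %s" % (name, reason))
```

To reproduce the post's test on a real host you would write the bytes from build_launch_agent() to ~/Library/LaunchAgents/<label>.plist and either log out and back in or run `launchctl load` on the file. The audit deliberately does not flag the TextEdit job, because /usr/bin/open is a trusted path even though its argument is attacker-chosen; a fuller check would also look at file mtimes against the last login and at arguments to open, osascript and sh.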
