0% found this document useful (0 votes)

346 views

Advanced Exploitation of Simple Bugs: A Parallels Desktop Case Study (Pwn2Own2021)

This document summarizes Alisa Esage's presentation on exploiting a bug in Parallels Desktop for Mac. The presentation covered relevant theory on hypervisor threat models and guest services architectures. It discussed the architecture and internals of Parallels Desktop. Esage described reverse engineering the Parallels Toolgate protocol and finding a bug in how it handled shared folders. The presentation concluded by detailing how Esage developed an exploit targeting this bug to achieve code execution on the host system and win the Parallels category at Pwn2Own 2021.

Uploaded by

Tấn VTr

Available Formats

Download as PDF, TXT or read online on Scribd

0% found this document useful (0 votes)

346 views

Advanced Exploitation of Simple Bugs: A Parallels Desktop Case Study (Pwn2Own2021)

Uploaded by

Tấn VTr

Available Formats

Download as PDF, TXT or read online on Scribd

You are on page 1/ 48

Advanced Exploitation of

Simple Bugs
A Parallels Desktop Case Study
(Pwn2Own2021)

Alisa Esage
Zero Day Engineering Project
Livestream 2021
About me
● Offensive Vuln Research & Advanced Exploits
○ Browsers, Kernels, Basebands, Hypervisors...
○ Hard targets for profit
○ Bug bounties for fun
○ Vendor acknowledgements: Microsoft, Google,
Mozilla, Oracle…
○ Phrack author
● Pwn2Own 2021 Virtualization winner 󰗔
○ Parallels Desktop for Mac
● Zero Day Engineering Project – Training &
Intelligence http://zerodayengineering.com
○ Training & mini-classes
○ R&D
● Relevant Theory
○ Hypervisor Threat Model
○ Guest Services
○ Protocols & Tech

Agenda ● Parallels Desktop

○ Architecture & Internals
○ Parallels Toolgate RE
○ Guest Additions
● The Bug
All materials in this presentation are
based on the author’s own independent
● The Exploit
work, views and analysis
Part 1

Relevant Theory
Hypervisor Threat Model
Local EoP VM escapes UHCI, OHCI,
xHCI, eHCI
Hypercall interface 3D/2D acceleration USB Shadow PTE
Hardware VMX Shaders PCI Nested page tables
DHCP, TFPT, PXE Classical models: Note on hardware
Privileged drivers Graphics Buses MMU virtualization
boot, zero-conf E1000, Virtio, DEC...

mess
Technological
virtualization support

Inter-VM networking Shared folders Emulated devices ISA emulation

Printing services Shared everything Paravirtualized vAPIC
Etc. Rich functionality Peripherals Synthetic models,
CPU virtualization
hypercall-based IO

Host modules Guest services Virtualized devices VMM

Hypercall MYTH ALERT
handlers

Hypercall interface Interfaces Extensions protocols

Attack surface

Hypercall interface 3D/2D acceleration USB Shadow PTE

Hardware VMX Shaders PCI Nested page tables
Privileged drivers Graphics Buses MMU virtualization

Inter-VM networking Shared folders Emulated devices ISA emulation

Printing services Shared everything Paravirtualized vAPIC
Etc. Rich functionality Peripherals CPU virtualization

Host modules Guest services Virtualized devices VMM

Hypercall interface Interfaces Extensions protocol

Guest services architecture (example: GL)

GPU User System

Guest services (backend) app API

GA: 3d GA: file

graphics system
Emulated and para
hooks hooks
devices

Hypercall interface kernel

VMM module

HW Hypervisor VM Users
RPC protocols
Guest additions / Virtualization tools
Part 2

Parallels Desktop
Parallels Desktop Architecture vs. The Model
Local EoP VM escapes

Hypercall interface 3D/2D acceleration USB Shadow PTE

Hardware VMX Shaders PCI Nested page tables
Privileged drivers Graphics Buses MMU virtualization

Inter-VM networking Shared folders Emulated devices ISA emulation

Printing services Shared everything Paravirtualized vAPIC
Etc. Rich functionality Peripherals CPU virtualization

Host modules Guest services Virtualized devices VMM

Hypercall interface Interfaces Extensions protocols

parallels_symbolize.py
Parallels research tip: verbose debug logs
Parallels virtual hardware
init_devices
Parallels emulated devices
Parallels Toolgate
Parallels Tools & Toolgate
Toolgate protocol
Part 3

The Bug
Reverse-Engineering Parallels Toolgate

zerodayengineering.com
Toolgate Request Handlers

zerodayengineering.com
Parallels Shared Folders

zerodayengineering.com
Parsing SF hypercalls

zerodayengineering.com
The Bug

zerodayengineering.com
Part 4

The Exploit
prl_fs

zerodayengineering.com
Prl_fs guest <> hypervisor

zerodayengineering.com
SF protocol

zerodayengineering.com
Reaching the bug

zerodayengineering.com
Not so easy…

zerodayengineering.com
prl_pwn kernel module

zerodayengineering.com
prl_pwn kernel module (imports)

zerodayengineering.com
Reverse-engineering the protocol

zerodayengineering.com
prl_pwn.py

zerodayengineering.com
Toolgate protocol primitives – user side

zerodayengineering.com
Toolgate protocol primitives – hypervisor side

zerodayengineering.com
Talking to the hypervisor

zerodayengineering.com
Emulating the protocol

zerodayengineering.com
Execute payload

zerodayengineering.com
VMware shared folders (CVE-2007-1744)
● Directory traversal CVE-2008-0923: directory
● Implementation uses traversal #2
MultiByteToWideChar() API
● Path sanitization is bypassed ● Improperly patched
by injecting a unicode ‘..’ CVE-2007-1744
● Path sanitization is bypassed

zerodayengineering.com
substring as
“%c0%2e%c0%2e” by injecting
“0xc20x2e0xc20x2e”

Literally the first case study slide

in my training “Hypervisor
Vulnerability Research”...
zerodayengineering.com
Thank you
Twitter: @alisaesage
Email: [email protected]

Instant download Cloud Computing: Theory and Practice 3rd Edition Dan C. Marinescu pdf all chapter
100% (3)
Instant download Cloud Computing: Theory and Practice 3rd Edition Dan C. Marinescu pdf all chapter
41 pages
Secret History The Story of Cryptology
100% (1)
Secret History The Story of Cryptology
641 pages
Cloud Computing Theory and Practice 3rd Edition Dan C. Marinescu Download PDF
100% (3)
Cloud Computing Theory and Practice 3rd Edition Dan C. Marinescu Download PDF
49 pages
Skybox Virtual Appliance Quick Start Guide
No ratings yet
Skybox Virtual Appliance Quick Start Guide
45 pages
TAXONOMY OF VIRTUALIZATION TECHNIQUES - by Arman
91% (11)
TAXONOMY OF VIRTUALIZATION TECHNIQUES - by Arman
5 pages
ATAK Civilian ATAK Civilian: Software User Manual 28 July 2021
No ratings yet
ATAK Civilian ATAK Civilian: Software User Manual 28 July 2021
56 pages
ZDE2021 AdvancedEasyPwn2Own2021
No ratings yet
ZDE2021 AdvancedEasyPwn2Own2021
49 pages
Reverse Engineering
100% (1)
Reverse Engineering
46 pages
Speedpwning VMware Workstation
No ratings yet
Speedpwning VMware Workstation
144 pages
2021 Sthack Windows Lpe
No ratings yet
2021 Sthack Windows Lpe
68 pages
Unit 2 Cloud Computing
No ratings yet
Unit 2 Cloud Computing
20 pages
CYBR473_2023_Anti_VM
No ratings yet
CYBR473_2023_Anti_VM
40 pages
A Dive in To Hyper-V Architecture and Vulnerabilities - Slides (BlackHat 2018)
No ratings yet
A Dive in To Hyper-V Architecture and Vulnerabilities - Slides (BlackHat 2018)
66 pages
Week 2 - Lecture
No ratings yet
Week 2 - Lecture
43 pages
Jonathan Brossard - Breaking Virtualization 8088 Mode - Ruxcon 2010
No ratings yet
Jonathan Brossard - Breaking Virtualization 8088 Mode - Ruxcon 2010
86 pages
Virtualization Io
No ratings yet
Virtualization Io
16 pages
Joanna Rutkowska - Security Challenges in Virtualized Environments
No ratings yet
Joanna Rutkowska - Security Challenges in Virtualized Environments
97 pages
Ruby Metasploit Content
No ratings yet
Ruby Metasploit Content
7 pages
1 Virtual Ization
No ratings yet
1 Virtual Ization
35 pages
Jonathan Brossard - H2HC 2013
No ratings yet
Jonathan Brossard - H2HC 2013
52 pages
Phrack Magazine
No ratings yet
Phrack Magazine
25 pages
Virtualization
No ratings yet
Virtualization
33 pages
CC 2
No ratings yet
CC 2
7 pages
Exploiting Device Drivers
No ratings yet
Exploiting Device Drivers
20 pages
Bhyve Hypervisor (Bsdcan 2011)
No ratings yet
Bhyve Hypervisor (Bsdcan 2011)
15 pages
Virt Terminology
No ratings yet
Virt Terminology
30 pages
Not in Deep 2. in Depth Test
No ratings yet
Not in Deep 2. in Depth Test
38 pages
Operating Systems
No ratings yet
Operating Systems
49 pages
L03 Virtualization
No ratings yet
L03 Virtualization
42 pages
Labe4 - Exploit W7 PC (Bajado de Int)
No ratings yet
Labe4 - Exploit W7 PC (Bajado de Int)
14 pages
Mod 1 Presentation1 DualP
No ratings yet
Mod 1 Presentation1 DualP
48 pages
Windows Server 2012 Hyper-V: Deploying Hyper-V Enterprise Server Virtualization Platform
From Everand
Windows Server 2012 Hyper-V: Deploying Hyper-V Enterprise Server Virtualization Platform
Zahir Hussain Shah
No ratings yet
Automated in Memory Malware Rootkit Detection Via Binary Analysis and Machine Learning (Slides)
No ratings yet
Automated in Memory Malware Rootkit Detection Via Binary Analysis and Machine Learning (Slides)
111 pages
CC New Virtulization
No ratings yet
CC New Virtulization
48 pages
Ch03 Types and Application of Virtualization
No ratings yet
Ch03 Types and Application of Virtualization
17 pages
Us 18 Bulazel Windows Offender Reverse Engineering Windows Defenders Antivirus Emulator
No ratings yet
Us 18 Bulazel Windows Offender Reverse Engineering Windows Defenders Antivirus Emulator
225 pages
Software and Hardware Support For Network Virtualization, Part 1
No ratings yet
Software and Hardware Support For Network Virtualization, Part 1
16 pages
Cloud Computing (CSE8146) : Working With Private Cloud
No ratings yet
Cloud Computing (CSE8146) : Working With Private Cloud
83 pages
C-20 - CCL Experiment No 2A - VM Ware - New
No ratings yet
C-20 - CCL Experiment No 2A - VM Ware - New
13 pages
DEFCON 26 Xiaolong Bai and Min Zheng One Bite and All Your Dreams Will Come True Updated
No ratings yet
DEFCON 26 Xiaolong Bai and Min Zheng One Bite and All Your Dreams Will Come True Updated
74 pages
Unit 1-3
No ratings yet
Unit 1-3
201 pages
Eurobsdcon2024 Hshoexer Confidential Computing
No ratings yet
Eurobsdcon2024 Hshoexer Confidential Computing
43 pages
Next Generation of Virtualization Technology Part 7 of 8
No ratings yet
Next Generation of Virtualization Technology Part 7 of 8
12 pages
INTRO
No ratings yet
INTRO
8 pages
Data-Level Parallelism Vector and GPU
No ratings yet
Data-Level Parallelism Vector and GPU
6 pages
A Primer On Hardware Prefetching
No ratings yet
A Primer On Hardware Prefetching
69 pages
Architecture1 1 (2012)
No ratings yet
Architecture1 1 (2012)
87 pages
Recon22 Next Gen LyqHkvB
No ratings yet
Recon22 Next Gen LyqHkvB
232 pages
ChatGPT For Cybersecurity 3 1673855733
No ratings yet
ChatGPT For Cybersecurity 3 1673855733
40 pages
Reverse Engineering Roadmap
No ratings yet
Reverse Engineering Roadmap
7 pages
exploit reversing
No ratings yet
exploit reversing
109 pages
Lab 19 Metasploit
100% (1)
Lab 19 Metasploit
11 pages
Attacking The Windows Kernel
No ratings yet
Attacking The Windows Kernel
36 pages
Virtualization and Cloud Computing: Norman Wilde Thomas Huber
No ratings yet
Virtualization and Cloud Computing: Norman Wilde Thomas Huber
69 pages
A1386673771 17671 22 2020 Lecture1-21 PDF
No ratings yet
A1386673771 17671 22 2020 Lecture1-21 PDF
201 pages
Hybrid Storage Solutions
100% (1)
Hybrid Storage Solutions
76 pages
D1T1 - Modern Techniques to Deobfuscate UEFIBIOS Malware - Alexandre Borges
No ratings yet
D1T1 - Modern Techniques to Deobfuscate UEFIBIOS Malware - Alexandre Borges
89 pages
Unit-1 Part-2
No ratings yet
Unit-1 Part-2
13 pages
11. Compute - Part 2
No ratings yet
11. Compute - Part 2
56 pages
Chapter 2
No ratings yet
Chapter 2
45 pages
Xvisor 140810103501 Phpapp01
No ratings yet
Xvisor 140810103501 Phpapp01
38 pages
Hardware Hacking Update
No ratings yet
Hardware Hacking Update
26 pages
45145
No ratings yet
45145
4 pages
S62256 - Demystify CUDA Debugging and Performance with Powerful Developer Tools
No ratings yet
S62256 - Demystify CUDA Debugging and Performance with Powerful Developer Tools
44 pages
Microsoft Hyper-V Cluster Design
From Everand
Microsoft Hyper-V Cluster Design
Eric Siron
No ratings yet
Qradar Siem 7.2 Windows Event Collection Overview: Panelists
No ratings yet
Qradar Siem 7.2 Windows Event Collection Overview: Panelists
24 pages
User Evidencecollection CC Evidence Collection Checklist v2-2021-11!23!02!35!16
No ratings yet
User Evidencecollection CC Evidence Collection Checklist v2-2021-11!23!02!35!16
71 pages
Cobalt Strike Tlpwhite
No ratings yet
Cobalt Strike Tlpwhite
52 pages
Understanding Apple Mac Security
No ratings yet
Understanding Apple Mac Security
40 pages
Nucleus: Dissecting The Nucleus TCP/IP Stack
No ratings yet
Nucleus: Dissecting The Nucleus TCP/IP Stack
27 pages
Cybersecurity Incident & Vulnerability Response Playbooks
No ratings yet
Cybersecurity Incident & Vulnerability Response Playbooks
43 pages
A Policy System For Simultaneous Multiaccess With Host Identity Protocol
No ratings yet
A Policy System For Simultaneous Multiaccess With Host Identity Protocol
7 pages
Sessions
No ratings yet
Sessions
147 pages
Servlet
No ratings yet
Servlet
112 pages
WP2016 1-3 3 Study On Security Aspects of Virtualization PDF
100% (1)
WP2016 1-3 3 Study On Security Aspects of Virtualization PDF
97 pages
Cloud Lab Record
No ratings yet
Cloud Lab Record
54 pages
OS Android
No ratings yet
OS Android
37 pages
CS3 - Virtualization Continued
No ratings yet
CS3 - Virtualization Continued
54 pages
Sles Virtualization With Xen
No ratings yet
Sles Virtualization With Xen
132 pages
Cloud Computing imp1-merged (1)
No ratings yet
Cloud Computing imp1-merged (1)
5 pages
AL3452 OS Unit-5
No ratings yet
AL3452 OS Unit-5
25 pages
Cloud Computing - Midsem
No ratings yet
Cloud Computing - Midsem
591 pages
Recent Trends in Operating Systems and Their Applicability To HPC
No ratings yet
Recent Trends in Operating Systems and Their Applicability To HPC
7 pages
CC Question Bank with answers
No ratings yet
CC Question Bank with answers
27 pages
Question Bank
No ratings yet
Question Bank
2 pages
VMX Up and Running: Day One
No ratings yet
VMX Up and Running: Day One
94 pages
UNIT-3 CLOUD COMPUTING(EEE IV-I)
No ratings yet
UNIT-3 CLOUD COMPUTING(EEE IV-I)
23 pages
Network-Aware Virtual Machine Placement
No ratings yet
Network-Aware Virtual Machine Placement
58 pages
Cs8791 Cloud Computing Unit2 Notes
No ratings yet
Cs8791 Cloud Computing Unit2 Notes
37 pages
MigrationOflongrunningtasks Oknodle
No ratings yet
MigrationOflongrunningtasks Oknodle
6 pages
WINSEM2022-23 CSE1032 TH VL2022230504207 Reference Material I 10-01-2023 Taxonomy of Virtualization
No ratings yet
WINSEM2022-23 CSE1032 TH VL2022230504207 Reference Material I 10-01-2023 Taxonomy of Virtualization
94 pages
Xen Virtualization - Installation & Configuration HOWTO
No ratings yet
Xen Virtualization - Installation & Configuration HOWTO
5 pages
Virtualization Assig
No ratings yet
Virtualization Assig
29 pages
Server Virtualization Architecture and Implementation: by Jeff Daniels
No ratings yet
Server Virtualization Architecture and Implementation: by Jeff Daniels
5 pages
CC Unit 2-1
No ratings yet
CC Unit 2-1
7 pages
Vir Unit 2
No ratings yet
Vir Unit 2
16 pages
Cloud Computing Presentation Notes
No ratings yet
Cloud Computing Presentation Notes
60 pages
Cloud Computing Quiz 2
No ratings yet
Cloud Computing Quiz 2
2 pages
Xen and The Art of Virtualization
No ratings yet
Xen and The Art of Virtualization
20 pages
NCC Group Understanding Hardening Linux Containers-1.0
No ratings yet
NCC Group Understanding Hardening Linux Containers-1.0
122 pages
5 Virtualization Structure Tools and Mechanisms
No ratings yet
5 Virtualization Structure Tools and Mechanisms
71 pages
AWS Admin - AWS Amazon Machine(AMI)
No ratings yet
AWS Admin - AWS Amazon Machine(AMI)
47 pages