Re: MAC OS SECURITY NEWS
Parallels Desktop for Mac
The vulnerability allows a local user to bypass certain security restrictions.
The vulnerability exists because the Drag-and-Drop feature in the VM (virtual machine) is implemented through shared folders with read and write access to the host system. An attacker can plant malicious software on the virtual machine and gain access to files on the host system.
For those interested, here it is:
Last week I accidentally discovered a vulnerability in default installations of Parallels that allows manipulation of the host operating system when it's OS X, leading to code execution. Parallels just changed their default options in the latest release to reduce the chances of this attack, but it's still possible if the user deliberately enables drag and drop throughout the entire file system.
Last Friday Brian Krebs emailed me when he noticed his entire host OS file system being shared with the guest OS (OS X host, Windows guest). According to the Parallels forums, this was a known issue. By default, Parallels Desktop for Mac enabled Drag and Drop for guest operating systems. This creates a file share called .psf, which allows complete access to the host with the user's current permissions level.
But just dropping an application into /Applications doesn't allow execution; I didn't track down why, but I think only read and write were enabled.
After poking around I figured out that code execution, of a sort, is possible through manipulation of launchd (the OS X cron and other job replacement).
My first attempt was to create a launchd job and place it into SystemDaemons, but that failed. There's no way to sudo between the guest and host, so even if you're an admin user, you can't hit certain directories.
But I was able to create a job (just a plist file, xml) and drop it into the active user's LaunchAgents directory. Log out, log back in, and the job executes.
Launchd is very flexible, allowing execution based on time or user events, and can include arguments. At the end of this email is the text of the job I used, if you want to test this yourself. It just launches TextEdit.app at 6pm.
I reported this to Parallels last Friday, had a call with senior management Tuesday, and they released a version with better drag and drop security today. Instead of being a default option, the first time a user attempts to drag and drop they're prompted to enable the feature, and given the option to only enable it for the desktop. While you can still enable it throughout the host file system, that's no longer the default, and there's now a more secure way to drag and drop.
Because of the power of launchd, I suspect there are a variety of ways to use this to execute arbitrary malicious code, without needing full admin rights or having to sudo.
Due to the naming convention of file shares between guest and host, it would be trivial to create a Windows binary that could detect it was running in a virtual machine with file sharing enabled, then move the files over to the host OS to execute the attack. I strongly suspect attacks like this are possible across multiple virtualization products that enable file sharing, especially full system volume sharing.
__________________
EVERYTHING WILL BE FINE AND EVEN BETTER
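The quoted email describes the host-side foothold: a plist dropped into the active user's LaunchAgents directory that launchd runs on the next login, or on a timer. A host-side check for that is to audit the LaunchAgents plists for jobs whose program lives outside the system-managed locations and that fire without any user action. The script below is an added example written for this thread, not code from the original post or from Parallels; it parses a few constructed sample plists with Python's standard plistlib (the file names, labels, paths and the TRUSTED_PREFIXES list are assumptions for illustration) and reports which jobs deserve a look. `audit_directory` applies the same logic to a real `~/Library/LaunchAgents`.

```python
import plistlib
from pathlib import Path

# Constructed sample LaunchAgent plists standing in for files found in
# ~/Library/LaunchAgents on an OS X host. They are NOT the job from the post;
# labels and paths are invented for this example.
SAMPLE_AGENTS = {
    "com.apple.example.plist": b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>com.apple.example</string>
  <key>ProgramArguments</key><array>
    <string>/System/Library/CoreServices/ExampleHelper</string>
  </array>
  <key>RunAtLoad</key><true/>
</dict></plist>""",
    "com.dropped.job.plist": b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>com.dropped.job</string>
  <key>Program</key><string>/Users/alice/Library/Caches/helper</string>
  <key>StartCalendarInterval</key><dict>
    <key>Hour</key><integer>18</integer>
    <key>Minute</key><integer>0</integer>
  </dict>
</dict></plist>""",
}

# Locations a normal user cannot write to without elevated rights (assumption:
# tune this list for the hosts you manage). Note that ~/Library is under
# /Users, so it is deliberately not covered by "/Library/".
TRUSTED_PREFIXES = ("/System/", "/usr/", "/bin/", "/sbin/", "/Applications/", "/Library/")


def job_program(job):
    """Return the executable launchd would run for this job, or None."""
    if "Program" in job:
        return job["Program"]
    args = job.get("ProgramArguments") or []
    return args[0] if args else None


def job_triggers(job):
    """List the keys that make the job start without the user doing anything."""
    triggers = []
    if job.get("RunAtLoad"):
        triggers.append("RunAtLoad")
    for key in ("StartCalendarInterval", "StartInterval", "WatchPaths", "QueueDirectories"):
        if key in job:
            triggers.append(key)
    return triggers


def audit_job(data):
    """Parse one plist (bytes) and return program, triggers and any red flags."""
    job = plistlib.loads(data)
    program = job_program(job)
    flags = []
    if program is None:
        flags.append("no Program or ProgramArguments")
    elif not program.startswith(TRUSTED_PREFIXES):
        # A user-writable program path is exactly what a dropped file can supply.
        flags.append(f"program outside system-managed locations: {program}")
    return {"label": job.get("Label"), "program": program,
            "triggers": job_triggers(job), "flags": flags}


def audit_agents(agents):
    """Audit a mapping of file name -> plist bytes."""
    return {name: audit_job(data) for name, data in agents.items()}


def suspicious_jobs(report):
    """Names of jobs that carry at least one flag, sorted for stable output."""
    return sorted(name for name, result in report.items() if result["flags"])


def audit_directory(directory="~/Library/LaunchAgents"):
    """Audit every .plist in a real LaunchAgents directory (untested here)."""
    folder = Path(directory).expanduser()
    files = {p.name: p.read_bytes() for p in folder.glob("*.plist")} if folder.is_dir() else {}
    return audit_agents(files)


if __name__ == "__main__":
    report = audit_agents(SAMPLE_AGENTS)
    for name, result in report.items():
        print(name, result["program"], result["triggers"], result["flags"])
    print("review:", suspicious_jobs(report))
```

On a real host, pair this with a file-integrity baseline of the LaunchAgents directory: the audit tells you which jobs are worth a look, while the baseline tells you which ones appeared since the last check, which is the signal that a guest-to-host drop has happened.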