
Advanced Exploitation of Simple Bugs
A Parallels Desktop Case Study (Pwn2Own 2021)

Alisa Esage
Zero Day Engineering Project
Livestream 2021
About me
● Offensive Vuln Research & Advanced Exploits
○ Browsers, Kernels, Basebands, Hypervisors...
○ Hard targets for profit
○ Bug bounties for fun
○ Vendor acknowledgements: Microsoft, Google,
Mozilla, Oracle…
○ Phrack author
● Pwn2Own 2021 Virtualization winner
○ Parallels Desktop for Mac
● Zero Day Engineering Project – Training &
Intelligence http://zerodayengineering.com
○ Training & mini-classes
○ R&D
At Pwn2Own Vancouver 2021 I demonstrated a 0day VM escape exploit for the Parallels Desktop hypervisor. The exploit chain that I developed was based on logic issues. In this deep technical presentation I will share the technical details of the exploit, as well as various preliminary and contextual knowledge related to it.

Logic security vulnerabilities (i.e. those that can be exploited without any memory corruption) are becoming increasingly important in offensive security research right now, as Rust and other memory-safe programming languages are rapidly taking over popular code bases. When evaluating the attack surface of Parallels Desktop, as an expert in both hypervisors and memory corruption bugs, I saw many opportunities for classical buffer overflows, but chose to try and find a logic bug instead. As hypervisors are ultra-complex low-level software, exploitable logic bugs in them are extremely rare. I was lucky to find such a “one of a kind” bug.

Although the bug was quite simple, the exploit turned out to be not so easy. Exploitation of the bug required me to develop a kernel module for the guest OS from which I was escaping, reverse-engineer some internal RPC protocol of the hypervisor, and emulate it in the exploit code. Eventually the exploit was 100% reliable by design, and executed arbitrary code on the host Mac.

During the Pwn2Own competition it came as a surprise that my exploit did not collide with any other competition entries. Because the bug itself was quite easy, I expected that at least one participant would find and utilize it independently in their own Pwn2Own exploit. But it didn’t happen. That made me aware of the fact that a bug that looks easy does not necessarily imply an easy discovery or an easy exploitation process, an estimation which is very important for strategic aspects of offensive security research.

https://zerodayengineering.com/livestream/index.html
Agenda
● Relevant Theory
○ Hypervisor Threat Model
○ Guest Services
○ Protocols & Tech
● Parallels Desktop
○ Architecture & Internals
○ Parallels Toolgate RE
○ Guest Additions
● The Bug
● The Exploit

All materials in this presentation are based on the author’s own independent work, views and analysis.
Part 1

Relevant Theory
Hypervisor Threat Model

The slide is a diagram: four columns of attack surface, ordered from host-local privilege escalation (Local EoP) on the left to VM escapes on the right, each exposed through its own interfaces, extension mechanisms and protocols (the "technological mess").

● Host modules
○ Hypercall interface and hypercall handlers (marked "MYTH ALERT" in the slide)
○ Hardware VMX
○ Privileged drivers
○ Inter-VM networking
○ Printing services
○ Etc.
● Guest services
○ 3D/2D acceleration, shaders, graphics
○ Shared folders, "shared everything"
○ Rich functionality
● Virtualized devices
○ USB (UHCI, OHCI, xHCI, eHCI), PCI, buses, peripherals
○ Emulated devices: classical models (E1000, Virtio, DEC...)
○ Paravirtualized devices: synthetic models, hypercall-based IO
○ DHCP, TFTP, PXE boot, zero-conf
● VMM
○ Shadow PTE, nested page tables, MMU virtualization
○ ISA emulation, vAPIC, CPU virtualization
○ Note on hardware virtualization support


Attack surface

(Same diagram as the threat model above, re-shown as the attack-surface map: host modules, guest services, virtualized devices and the VMM, each reached through its interfaces, extensions and protocols.)

Guest services architecture (example: GL)

The slide is a layered diagram. Host side, bottom to top: HW / hypervisor; VMM module; hypercall interface; emulated and paravirtualized devices; guest services (backend); GPU. Guest (VM) side, bottom to top: kernel; guest additions / virtualization tools (GA: 3D graphics hooks, GA: file system hooks); system API; user app; users. The two sides talk over RPC protocols.
Part 2

Parallels Desktop
Parallels Desktop Architecture vs. The Model

(The threat-model diagram above, mapped onto Parallels Desktop: the same host modules, guest services, virtualized devices and VMM columns, from Local EoP to VM escapes.)


parallels_symbolize.py
Parallels research tip: verbose debug logs
Parallels virtual hardware
init_devices
Parallels emulated devices
Parallels Toolgate
Parallels Tools & Toolgate
Toolgate protocol
Part 3

The Bug
Reverse-Engineering Parallels Toolgate

zerodayengineering.com
Toolgate Request Handlers

Parallels Shared Folders

Parsing SF hypercalls

The Bug

Part 4

The Exploit
prl_fs

Prl_fs guest <> hypervisor

SF protocol

Reaching the bug

Not so easy…

prl_pwn kernel module

prl_pwn kernel module (imports)

Reverse-engineering the protocol (six slides; the protocol traces and disassembly shown on them are figures)
prl_pwn.py

Toolgate protocol primitives – user side

Toolgate protocol primitives – hypervisor side

Talking to the hypervisor

Emulating the protocol

Execute payload

VMware shared folders (CVE-2007-1744)
● Directory traversal
● Implementation uses the MultiByteToWideChar() API
● Path sanitization is bypassed by injecting a unicode ‘..’ substring as “%c0%2e%c0%2e”

CVE-2008-0923: directory traversal #2
● Improperly patched CVE-2007-1744
● Path sanitization is bypassed by injecting “0xc2 0x2e 0xc2 0x2e”
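The two VMware advisories above are one bug class: the ".." filter runs on the raw guest-supplied bytes, and the decoder that turns those bytes into real '.' characters runs afterwards, so a malformed encoding of '.' passes the filter and still resolves to a parent directory. The Python below is an added example, not code from the slides, from VMware or from Parallels. It models that ordering defect next to the corrected order (strict decode first, then normalise, then a containment check against the share root). The lenient decoder is a simplified model of a forgiving 2-byte UTF-8 decoder that takes the low six bits of a byte which is not a valid continuation byte; that assumption reproduces the "%c0%2e" to '.' behaviour the slide describes and is not the actual MultiByteToWideChar() algorithm. The share root, function names and sample paths are hypothetical.

```python
"""Model of the shared-folder traversal bug class: filter-before-decode.

Added example; the lenient decoder is an assumption for illustration, not
the real Windows MultiByteToWideChar() behaviour.
"""
import posixpath
from urllib.parse import unquote_to_bytes


def lenient_utf8_decode(data: bytes) -> str:
    """Forgiving 2-byte UTF-8 decoder (simplified model, assumption).

    A lead byte 0xC0..0xDF is combined with the NEXT byte's low six bits even
    when that byte is not a valid continuation byte (10xxxxxx).  Hence the
    malformed pair 0xC0 0x2E decodes to ((0xC0 & 0x1F) << 6) | (0x2E & 0x3F)
    == 0x2E, i.e. U+002E '.', although the raw bytes never contain b"..".
    """
    out = []
    i = 0
    while i < len(data):
        b = data[i]
        if 0xC0 <= b <= 0xDF and i + 1 < len(data):
            out.append(chr(((b & 0x1F) << 6) | (data[i + 1] & 0x3F)))
            i += 2
        else:
            out.append(chr(b))
            i += 1
    return "".join(out)


def vulnerable_resolve(share_root: str, guest_path: bytes):
    """Bug pattern: sanitise the raw bytes, then decode and join."""
    if b".." in guest_path:
        return None  # "sanitised": the filter only sees literal 0x2E 0x2E
    name = lenient_utf8_decode(guest_path)
    return posixpath.normpath(posixpath.join(share_root, name))


def hardened_resolve(share_root: str, guest_path: bytes):
    """Corrected order: strict decode (rejects malformed/overlong sequences),
    then normalise, then check the result is still inside the share root."""
    try:
        name = guest_path.decode("utf-8", errors="strict")
    except UnicodeDecodeError:
        return None
    if "\x00" in name:
        return None
    root = posixpath.normpath(share_root)
    full = posixpath.normpath(posixpath.join(root, name.lstrip("/")))
    # Containment check on the *decoded, normalised* path, not on the bytes.
    if full != root and not full.startswith(root + "/"):
        return None
    return full


def demo():
    """Replay the slide's "%c0%2e%c0%2e" payload against both resolvers."""
    root = "/srv/share"                                   # hypothetical share
    payload = unquote_to_bytes("%c0%2e%c0%2e/%c0%2e%c0%2e/etc/passwd")
    return {
        "plain_dots_blocked": vulnerable_resolve(root, b"../../etc/passwd"),
        "vulnerable_escapes_to": vulnerable_resolve(root, payload),
        "hardened_rejects": hardened_resolve(root, payload),
        "hardened_allows": hardened_resolve(root, b"docs/report.txt"),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The point to carry over to any shared-folder backend: the containment decision has to be made on the exact string the filesystem will see, after every decoding and normalisation step, or the filter and the filesystem disagree about what the path means.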

Literally the first case study slide in my training “Hypervisor Vulnerability Research”...
Thank you
Twitter: @alisaesage
Email: [email protected]
