Advanced Exploitation of Simple Bugs

A Parallels Desktop Case Study (Pwn2Own2021)

Alisa Esage Zero Day Engineering Project

Livestream 2021

About me Offensive Vuln Research amp Advanced Exploits

Browsers Kernels Basebands Hypervisors Hard targets for profit Bug bounties for fun Vendor acknowledgements Microsoft Google

Mozilla Oraclehellip Phrack author

Pwn2Own 2021 Virtualization winner 984532 Parallels Desktop for Mac

Zero Day Engineering Project ndash Training amp Intelligence httpzerodayengineeringcom

Training amp mini-classes RampD

Agenda

Relevant Theory Hypervisor Threat Model Guest Services Protocols amp Tech

Parallels Desktop Architecture amp Internals Parallels Toolgate RE Guest Additions

The Bug The ExploitAll materials in this presentation are

based on the authorrsquos own independent work views and analysis

Part 1

Relevant Theory

Hypervisor Threat Model

Host modules Guest services Virtualized devices VMM

Interfaces

MMU virtualization

Shadow PTE

Nested page tables

Peripherals

Emulated devices

Paravirtualized

CPU virtualization

ISA emulation

Graphics

3D2D acceleration

Shaders

Rich functionality

Shared folders

Shared everything

Privileged drivers

Hypercall interface

Hardware VMX

Inter-VM networking

Printing services

Hypercall interface Extensions protocols

UHCI OHCI xHCI eHCI

Classical models E1000 Virtio DEC

Hypercall handlers

VM escapesLocal EoP

DHCP TFPT PXE boot zero-conf

Synthetic models hypercall-based IO

Note on hardware virtualization support

MYTH ALERT

Technological m

Attack surface

Interfaces

MMU virtualization

Shadow PTE

Nested page tables

Peripherals

Emulated devices

Paravirtualized

CPU virtualization

ISA emulation

Graphics

3D2D acceleration

Shaders

Rich functionality

Shared folders

Shared everything

Privileged drivers

Hypercall interface

Hardware VMX

Inter-VM networking

Printing services

Hypercall interface Extensions protocol

Guest services architecture (example GL)

Emulated and para devices

Guest services (backend)

Hypercall interface kernel module

GA 3d graphics

GA file system hooks

Userapp

SystemAPI

Hypervisor VMHW

RPC protocols

Guest additions Virtualization tools

Part 2

Parallels Desktop

Parallels Desktop Architecture vs The Model

Interfaces

MMU virtualization

Shadow PTE

Nested page tables

Peripherals

Emulated devices

Paravirtualized

CPU virtualization

ISA emulation

Graphics

3D2D acceleration

Shaders

Rich functionality

Shared folders

Shared everything

Privileged drivers

Hypercall interface

Hardware VMX

Inter-VM networking

Printing services

VM escapesLocal EoP

parallels_symbolizepy

Parallels research tip verbose debug logs

Parallels virtual hardware

init_devices

Parallels emulated devices

Parallels Toolgate

Parallels Tools amp Toolgate

Toolgate protocol

Part 3

The Bug

eering

Reverse-Engineering Parallels Toolgate

eering

Toolgate Request Handlers

eering

Parallels Shared Folders

eering

Parsing SF hypercalls

eering

The Bug

Part 4

The Exploit

eering

prl_fs

eering

Prl_fs guest ltgt hypervisor

eering

SF protocol

eering

Reaching the bug

eering

Not so easyhellip

eering

prl_pwn kernel module

eering

prl_pwn kernel module (imports)

eering

Reverse-engineering the protocol

eering

prl_pwnpy

eering

Toolgate protocol primitives ndash user side

eering

Toolgate protocol primitives ndash hypervisor side

eering

Talking to the hypervisor

eering

Emulating the protocol

eering

Execute payload

eering

VMware shared folders (CVE-2007-1744) Directory traversal Implementation uses

MultiByteToWideChar() API Path sanitization is bypassed

by injecting a unicode lsquorsquo substring as ldquoc02ec02erdquo

CVE-2008-0923 directory traversal 2

Improperly patched CVE-2007-1744

Path sanitization is bypassed by injecting ldquo0xc20x2e0xc20x2erdquo

Literally the first case study slide in my training ldquoHypervisor Vulnerability Researchrdquo

eering

Thank youTwitter alisaesageEmail contactzerodayengineeringcom

About me Offensive Vuln Research amp Advanced Exploits

Browsers Kernels Basebands Hypervisors Hard targets for profit Bug bounties for fun Vendor acknowledgements Microsoft Google

Mozilla Oraclehellip Phrack author

Pwn2Own 2021 Virtualization winner 984532 Parallels Desktop for Mac

Zero Day Engineering Project ndash Training amp Intelligence httpzerodayengineeringcom

Training amp mini-classes RampD

Agenda

Part 1

Relevant Theory

Interfaces

MMU virtualization

Shadow PTE

Nested page tables

Peripherals

Emulated devices

Paravirtualized

CPU virtualization

ISA emulation

Graphics

3D2D acceleration

Shaders

Rich functionality

Shared folders

Shared everything

Privileged drivers

Hypercall interface

Hardware VMX

Inter-VM networking

Printing services

UHCI OHCI xHCI eHCI

Hypercall handlers

VM escapesLocal EoP

MYTH ALERT

Technological m

Attack surface

Interfaces

MMU virtualization

Shadow PTE

Nested page tables

Peripherals

Emulated devices

Paravirtualized

CPU virtualization

ISA emulation

Graphics

3D2D acceleration

Shaders

Rich functionality

Shared folders

Shared everything

Privileged drivers

Hypercall interface

Hardware VMX

Inter-VM networking

Printing services

GA 3d graphics

Userapp

SystemAPI

Hypervisor VMHW

RPC protocols

Part 2

Parallels Desktop

Interfaces

MMU virtualization

Shadow PTE

Nested page tables

Peripherals

Emulated devices

Paravirtualized

CPU virtualization

ISA emulation

Graphics

3D2D acceleration

Shaders

Rich functionality

Shared folders

Shared everything

Privileged drivers

Hypercall interface

Hardware VMX

Inter-VM networking

Printing services

VM escapesLocal EoP

init_devices

Parallels Toolgate

Toolgate protocol

Part 3

The Bug

eering

The Bug

Part 4

The Exploit

eering

prl_fs

eering

SF protocol

eering

Reaching the bug

eering

Not so easyhellip

eering

prl_pwnpy

eering

Execute payload

eering

Agenda

Part 1

Relevant Theory

Interfaces

MMU virtualization

Shadow PTE

Nested page tables

Peripherals

Emulated devices

Paravirtualized

CPU virtualization

ISA emulation

Graphics

3D2D acceleration

Shaders

Rich functionality

Shared folders

Shared everything

Privileged drivers

Hypercall interface

Hardware VMX

Inter-VM networking

Printing services

UHCI OHCI xHCI eHCI

Hypercall handlers

VM escapesLocal EoP

MYTH ALERT

Technological m

Attack surface

Interfaces

MMU virtualization

Shadow PTE

Nested page tables

Peripherals

Emulated devices

Paravirtualized

CPU virtualization

ISA emulation

Graphics

3D2D acceleration

Shaders

Rich functionality

Shared folders

Shared everything

Privileged drivers

Hypercall interface

Hardware VMX

Inter-VM networking

Printing services

GA 3d graphics

Userapp

SystemAPI

Hypervisor VMHW

RPC protocols

Part 2

Parallels Desktop

Interfaces

MMU virtualization

Shadow PTE

Nested page tables

Peripherals

Emulated devices

Paravirtualized

CPU virtualization

ISA emulation

Graphics

3D2D acceleration

Shaders

Rich functionality

Shared folders

Shared everything

Privileged drivers

Hypercall interface

Hardware VMX

Inter-VM networking

Printing services

VM escapesLocal EoP

init_devices

Parallels Toolgate

Toolgate protocol

Part 3

The Bug

eering

The Bug

Part 4

The Exploit

eering

prl_fs

eering

SF protocol

eering

Reaching the bug

eering

Not so easyhellip

eering

prl_pwnpy

eering

Execute payload

eering

Part 1

Relevant Theory

Interfaces

MMU virtualization

Shadow PTE

Nested page tables

Peripherals

Emulated devices

Paravirtualized

CPU virtualization

ISA emulation

Graphics

3D2D acceleration

Shaders

Rich functionality

Shared folders

Shared everything

Privileged drivers

Hypercall interface

Hardware VMX

Inter-VM networking

Printing services

UHCI OHCI xHCI eHCI

Hypercall handlers

VM escapesLocal EoP

MYTH ALERT

Technological m

Attack surface

Interfaces

MMU virtualization

Shadow PTE

Nested page tables

Peripherals

Emulated devices

Paravirtualized

CPU virtualization

ISA emulation

Graphics

3D2D acceleration

Shaders

Rich functionality

Shared folders

Shared everything

Privileged drivers

Hypercall interface

Hardware VMX

Inter-VM networking

Printing services

GA 3d graphics

Userapp

SystemAPI

Hypervisor VMHW

RPC protocols

Part 2

Parallels Desktop

Interfaces

MMU virtualization

Shadow PTE

Nested page tables

Peripherals

Emulated devices

Paravirtualized

CPU virtualization

ISA emulation

Graphics

3D2D acceleration

Shaders

Rich functionality

Shared folders

Shared everything

Privileged drivers

Hypercall interface

Hardware VMX

Inter-VM networking

Printing services

VM escapesLocal EoP

init_devices

Parallels Toolgate

Toolgate protocol

Part 3

The Bug

eering

The Bug

Part 4

The Exploit

eering

prl_fs

eering

SF protocol

eering

Reaching the bug

eering

Not so easyhellip

eering

prl_pwnpy

eering

Execute payload

eering

Interfaces

MMU virtualization

Shadow PTE

Nested page tables

Peripherals

Emulated devices

Paravirtualized

CPU virtualization

ISA emulation

Graphics

3D2D acceleration

Shaders

Rich functionality

Shared folders

Shared everything

Privileged drivers

Hypercall interface

Hardware VMX

Inter-VM networking

Printing services

UHCI OHCI xHCI eHCI

Hypercall handlers

VM escapesLocal EoP

MYTH ALERT

Technological m

Attack surface

Interfaces

MMU virtualization

Shadow PTE

Nested page tables

Peripherals

Emulated devices

Paravirtualized

CPU virtualization

ISA emulation

Graphics

3D2D acceleration

Shaders

Rich functionality

Shared folders

Shared everything

Privileged drivers

Hypercall interface

Hardware VMX

Inter-VM networking

Printing services

GA 3d graphics

Userapp

SystemAPI

Hypervisor VMHW

RPC protocols

Part 2

Parallels Desktop

Interfaces

MMU virtualization

Shadow PTE

Nested page tables

Peripherals

Emulated devices

Paravirtualized

CPU virtualization

ISA emulation

Graphics

3D2D acceleration

Shaders

Rich functionality

Shared folders

Shared everything

Privileged drivers

Hypercall interface

Hardware VMX

Inter-VM networking

Printing services

VM escapesLocal EoP

init_devices

Parallels Toolgate

Toolgate protocol

Part 3

The Bug

eering

The Bug

Part 4

The Exploit

eering

prl_fs

eering

SF protocol

eering

Reaching the bug

eering

Not so easyhellip

eering

prl_pwnpy

eering

Execute payload

eering

Attack surface

Interfaces

MMU virtualization

Shadow PTE

Nested page tables

Peripherals

Emulated devices

Paravirtualized

CPU virtualization

ISA emulation

Graphics

3D2D acceleration

Shaders

Rich functionality

Shared folders

Shared everything

Privileged drivers

Hypercall interface

Hardware VMX

Inter-VM networking

Printing services

GA 3d graphics

Userapp

SystemAPI

Hypervisor VMHW

RPC protocols

Part 2

Parallels Desktop

Interfaces

MMU virtualization

Shadow PTE

Nested page tables

Peripherals

Emulated devices

Paravirtualized

CPU virtualization

ISA emulation

Graphics

3D2D acceleration

Shaders

Rich functionality

Shared folders

Shared everything

Privileged drivers

Hypercall interface

Hardware VMX

Inter-VM networking

Printing services

VM escapesLocal EoP

init_devices

Parallels Toolgate

Toolgate protocol

Part 3

The Bug

eering

The Bug

Part 4

The Exploit

eering

prl_fs

eering

SF protocol

eering

Reaching the bug

eering

Not so easyhellip

eering

prl_pwnpy

eering

Execute payload

eering

GA 3d graphics

Userapp

SystemAPI

Hypervisor VMHW

RPC protocols

Part 2

Parallels Desktop

Interfaces

MMU virtualization

Shadow PTE

Nested page tables

Peripherals

Emulated devices

Paravirtualized

CPU virtualization

ISA emulation

Graphics

3D2D acceleration

Shaders

Rich functionality

Shared folders

Shared everything

Privileged drivers

Hypercall interface

Hardware VMX

Inter-VM networking

Printing services

VM escapesLocal EoP

init_devices

Parallels Toolgate

Toolgate protocol

Part 3

The Bug

eering

The Bug

Part 4

The Exploit

eering

prl_fs

eering

SF protocol

eering

Reaching the bug

eering

Not so easyhellip

eering

prl_pwnpy

eering

Execute payload

eering

RPC protocols

Part 2

Parallels Desktop

Interfaces

MMU virtualization

Shadow PTE

Nested page tables

Peripherals

Emulated devices

Paravirtualized

CPU virtualization

ISA emulation

Graphics

3D2D acceleration

Shaders

Rich functionality

Shared folders

Shared everything

Privileged drivers

Hypercall interface

Hardware VMX

Inter-VM networking

Printing services

VM escapesLocal EoP

init_devices

Parallels Toolgate

Toolgate protocol

Part 3

The Bug

eering

The Bug

Part 4

The Exploit

eering

prl_fs

eering

SF protocol

eering

Reaching the bug

eering

Not so easyhellip

eering

prl_pwnpy

eering

Execute payload

eering

Part 2

Parallels Desktop

Interfaces

MMU virtualization

Shadow PTE

Nested page tables

Peripherals

Emulated devices

Paravirtualized

CPU virtualization

ISA emulation

Graphics

3D2D acceleration

Shaders

Rich functionality

Shared folders

Shared everything

Privileged drivers

Hypercall interface

Hardware VMX

Inter-VM networking

Printing services

VM escapesLocal EoP

init_devices

Parallels Toolgate

Toolgate protocol

Part 3

The Bug

eering

The Bug

Part 4

The Exploit

eering

prl_fs

eering

SF protocol

eering

Reaching the bug

eering

Not so easyhellip

eering

prl_pwnpy

eering

Execute payload

eering

Part 2

Parallels Desktop

Interfaces

MMU virtualization

Shadow PTE

Nested page tables

Peripherals

Emulated devices

Paravirtualized

CPU virtualization

ISA emulation

Graphics

3D2D acceleration

Shaders

Rich functionality

Shared folders

Shared everything

Privileged drivers

Hypercall interface

Hardware VMX

Inter-VM networking

Printing services

VM escapesLocal EoP

init_devices

Parallels Toolgate

Toolgate protocol

Part 3

The Bug

eering

The Bug

Part 4

The Exploit

eering

prl_fs

eering

SF protocol

eering

Reaching the bug

eering

Not so easyhellip

eering

prl_pwnpy

eering

Execute payload

eering

Interfaces

MMU virtualization

Shadow PTE

Nested page tables

Peripherals

Emulated devices

Paravirtualized

CPU virtualization

ISA emulation

Graphics

3D2D acceleration

Shaders

Rich functionality

Shared folders

Shared everything

Privileged drivers

Hypercall interface

Hardware VMX

Inter-VM networking

Printing services

VM escapesLocal EoP

init_devices

Parallels Toolgate

Toolgate protocol

Part 3

The Bug

eering

The Bug

Part 4

The Exploit

eering

prl_fs

eering

SF protocol

eering

Reaching the bug

eering

Not so easyhellip

eering

prl_pwnpy

eering

Execute payload

eering

init_devices

Parallels Toolgate

Toolgate protocol

Part 3

The Bug

eering

The Bug

Part 4

The Exploit

eering

prl_fs

eering

SF protocol

eering

Reaching the bug

eering

Not so easyhellip

eering

prl_pwnpy

eering

Execute payload

eering

init_devices

Parallels Toolgate

Toolgate protocol

Part 3

The Bug

eering

The Bug

Part 4

The Exploit

eering

prl_fs

eering

SF protocol

eering

Reaching the bug

eering

Not so easyhellip

eering

prl_pwnpy

eering

Execute payload

eering

init_devices

Parallels Toolgate

Toolgate protocol

Part 3

The Bug

eering

The Bug

Part 4

The Exploit

eering

prl_fs

eering

SF protocol

eering

Reaching the bug

eering

Not so easyhellip

eering

prl_pwnpy

eering

Execute payload

eering

init_devices

Parallels Toolgate

Toolgate protocol

Part 3

The Bug

eering

The Bug

Part 4

The Exploit

eering

prl_fs

eering

SF protocol

eering

Reaching the bug

eering

Not so easyhellip

eering

prl_pwnpy

eering

Execute payload

eering

Parallels Toolgate

Toolgate protocol

Part 3

The Bug

eering

The Bug

Part 4

The Exploit

eering

prl_fs

eering

SF protocol

eering

Reaching the bug

eering

Not so easyhellip

eering

prl_pwnpy

eering

Execute payload

eering

Parallels Toolgate

Toolgate protocol

Part 3

The Bug

eering

The Bug

Part 4

The Exploit

eering

prl_fs

eering

SF protocol

eering

Reaching the bug

eering

Not so easyhellip

eering

prl_pwnpy

eering

Execute payload

eering

Toolgate protocol

Part 3

The Bug

eering

The Bug

Part 4

The Exploit

eering

prl_fs

eering

SF protocol

eering

Reaching the bug

eering

Not so easyhellip

eering

prl_pwnpy

eering

Execute payload

eering

Toolgate protocol

Part 3

The Bug

eering

The Bug

Part 4

The Exploit

eering

prl_fs

eering

SF protocol

eering

Reaching the bug

eering

Not so easyhellip

eering

prl_pwnpy

eering

Execute payload

eering

Part 3

The Bug

eering

The Bug

Part 4

The Exploit

eering

prl_fs

eering

SF protocol

eering

Reaching the bug

eering

Not so easyhellip

eering

prl_pwnpy

eering

Execute payload

eering

The Bug

Part 4

The Exploit

eering

prl_fs

eering

SF protocol

eering

Reaching the bug

eering

Not so easyhellip

eering

prl_pwnpy

eering

Execute payload

eering

The Bug

Part 4

The Exploit

eering

prl_fs

eering

SF protocol

eering

Reaching the bug

eering

Not so easyhellip

eering

prl_pwnpy

eering

Execute payload

eering

The Bug

Part 4

The Exploit

eering

prl_fs

eering

SF protocol

eering

Reaching the bug

eering

Not so easyhellip

eering

prl_pwnpy

eering

Execute payload

eering

The Bug

Part 4

The Exploit

eering

prl_fs

eering

SF protocol

eering

Reaching the bug

eering

Not so easyhellip

eering

prl_pwnpy

eering

Execute payload

eering

The Bug

Part 4

The Exploit

eering

prl_fs

eering

SF protocol

eering

Reaching the bug

eering

Not so easyhellip

eering

prl_pwnpy

eering

Execute payload

eering

Part 4

The Exploit

eering

prl_fs

eering

SF protocol

eering

Reaching the bug

eering

Not so easyhellip

eering

prl_pwnpy

eering

Execute payload

eering

prl_fs

eering

SF protocol

eering

Reaching the bug

eering

Not so easyhellip

eering

prl_pwnpy

eering

Execute payload

eering

SF protocol

eering

Reaching the bug

eering

Not so easyhellip

eering

prl_pwnpy

eering

Execute payload

eering

SF protocol

eering

Reaching the bug

eering

Not so easyhellip

eering

prl_pwnpy

eering

Execute payload

eering

Reaching the bug

eering

Not so easyhellip

eering

prl_pwnpy

eering

Execute payload

eering

Not so easyhellip

eering

prl_pwnpy

eering

Execute payload

eering

prl_pwnpy

eering

Execute payload

eering

prl_pwnpy

eering

Execute payload

eering

prl_pwnpy

eering

Execute payload

eering

prl_pwnpy

eering

Execute payload

eering

prl_pwnpy

eering

Execute payload

eering

prl_pwnpy

eering

Execute payload

eering

prl_pwnpy

eering

Execute payload

eering

prl_pwnpy

eering

Execute payload

eering

prl_pwnpy

eering

Execute payload

eering

Execute payload

eering

Execute payload

eering

Execute payload

eering

Execute payload

eering

Execute payload

eering

Advanced Exploitation of Simple Bugs

Documents

Advanced XXE Exploitation Exercise 1 : Simple XXE (App

McGloughlin -Good Bugs, Bad Bugs

Organic Solutions for Harlequin Bugs and Other Stink Bugs

Automated Detection, Exploitation, and Elimination of Double-Fetch … · 2.3 Double Fetches and Double-Fetch Bugs In a scenario where shared memory is accessed multiple times, the

“Bugs are Bringing Bugs” - Health Sciences Centerhsc.ghs.org/.../2014/04/0304-Brenner-Bugs-Are-Bringing-Bugs.pdf“Bugs are Bringing Bugs ... •Had been working in Malawi (East

X-morphic Exploitation - Security - · PDF fileX-morphic Exploitation ... Web browser attacks have relied on fairly simple exploit code, ... Web browser exploit developers. Advanced

Bugs Happy Valentine's Day From - A Crafty Spoonful · Bugs Happy Valentine's Day From: Bugs Happy Valentine's Day From: Bugs Happy Valentine's Day From: Bugs Happy Valentine's Day

4 Predicting Bugs from History · 2011. 9. 16. · 4 Predicting Bugs from History 73 models are available. They range from the simple Nelson model [392] to more so-phisticated modelsusing

Seeding Bugs To Find Bugs

Mini 4H Bugs · Some bugs crawl on the ground, and some bugs fly in the air. Most bugs are outside, but some bugs might be in your house. There are bugs that have lots of color and

Marriage Bugs Getting the “BUGS” out of your marriage!

1 Win XP/Vista/Win7+++ Win 2000. 2 Bugs, Bugs and Bugs

Revenue Sharing: A Simple Cure for the Exploitation of

GOOD BUGS AND BAD BUGS · 2020. 1. 13. · bugs are helpful. Some bugs can be hurtful. Some bugs are both helpful and hurtful. Termites are little tiny insects that live in families,

Recording Plants for Bugs PlanSRT fO BugS wisley

CSE 127 Computer Security–Develop fix. Ideally, without introducing new bugs in the process. Properly understanding the vulnerability and exploitation techniques is necessary to

Good Bugs & Bad Bugs

Exploiting a Linux Kernel Vulnerability in the V4L2 ... · Agenda CVE-2019-18683 overview Bugs and ﬁxes Exploitation on x86_64 Hitting the race condition Control ﬂow hijack for

Disease signatures – a simple combinatorial-type exploitation of them for our own evil purposes

Giant Water Bugs, Electric Light Bugs, Lethocerus Abedus Belostoma