
Simple guest to host VM escape for Parallels Desktop - lelf
http://blog.cr4.sh/2014/11/simple-guest-to-host-vm-escape-for.html
======
UnoriginalGuy
Lots of props to the author for no hyperbole. Clean write-up with
essentially an admission that it is "working as intended but could be
communicated better."

Far too many security articles find "working as intended" functionality and
make it sound as if it is a complete systems breach (e.g. "With an
administrator account on Windows you can access ring 0 via uEFI!!" -- actual
hyperbolic security announcement[0]).

[0] PDF: [http://www.mitre.org/sites/default/files/publications/14-222...](http://www.mitre.org/sites/default/files/publications/14-2221-extreme-escalation-presentation.pdf)

------
jmount
This is why I eventually gave up on Parallels Desktop and VMware Fusion (even
after paying for both): they link way too much to the host machine (Fuse file
systems, cross calling and so on). Now I just use VirtualBox. Most things I
put into a virtual machine I don't expect to have a great experience with in
the first place, so losing a few features is not a big sacrifice.

~~~
btgeekboy
I've found that Parallels forces a lot of that stuff on you as a way to keep
the two experiences melded together. VMware doesn't seem to be nearly as bad,
especially if you don't let it do the install for you.

------
gear54rus
What I didn't really get:

Isn't this menu item (Open on Mac) defined as a (shell?) function somewhere in
the Windows registry? Wouldn't it be easier to invoke it through this very
function instead of interacting with the driver via IOCTL?

~~~
CraigJPerry
I think the intention was to show a more general approach.

For example, he detailed how he went through the debugger step by step; other
integrations besides this shell-visible one could be identified and exploited
based on this writeup.

------
A1kmm
From the article:

       I think that it's very unlikely that Parallels will
       release any significant fixes or improvements for
       described mechanisms, because any reasonable fix will
       break the easy way of opening Windows documents on Mac.

Why not a new checkbox: "Trust the VM to open documents and execute code on
the host"?

If you don't check it, the ability of the guest to execute code on the host is
disabled.

~~~
jacquesm
Well, effectively that checkbox is already there, it just has the wrong name.
So they don't need a new checkbox, they just need to make it perfectly clear
that the current checkbox makes some major changes to the security model that
may not be entirely obvious to a naive user.

I think, given that Parallels is aimed at single users trying to get
some interop going, the issue is not that serious, but if anybody wants to
use Parallels in a more hostile environment they'd be very happy to see this
announcement in case they missed the implications of that checkbox.

Can you enable both the 'isolate windows from mac' and 'access windows folders
from mac' options? (You shouldn't be able to, but it's not clear from the article if
those options are mutually exclusive or not; it says 'in theory'.)

~~~
gear54rus
As someone who has some experience providing tech support for this, _isolate
windows from mac_ disables all kinds of host-guest interactions at once (if I
remember correctly).

