Simple guest to host VM escape for Parallels Desktop (cr4.sh)
93 points by lelf on Nov 15, 2014 | 8 comments



Lots of props to the author for no hyperbole. Clean write-up with essentially an admission that it is "working as intended but could be communicated better."

Far too many security articles find "working as intended" functionality and make it sound as if it is a complete systems breach (e.g. "With an administrator account on Windows you can access ring 0 via uEFI!!" -- actual hyperbolic security announcement[0]).

[0] PDF: http://www.mitre.org/sites/default/files/publications/14-222...


This is why I eventually gave up on Parallels Desktop and VMware Fusion (even after paying for both): they link way too much to the host machine (FUSE file systems, cross calling and so on). Now I just use VirtualBox. Most things I put into a virtual machine I don't expect to have a great experience with in the first place, so losing a few features is not a big sacrifice.


I've found that Parallels forces a lot of that stuff on you as a way to keep the two experiences melded together. VMware doesn't seem to be nearly as bad, especially if you don't let it do the install for you.


What I didn't really get:

Isn't this menu item (Open on Mac) defined as a (shell?) function somewhere in the Windows registry? Wouldn't it be easier to invoke it through this very function instead of interacting with the driver via IOCTL?


I think the intention was to show a more general approach.

For example, he detailed how he went through the debugger step by step; other integrations besides this shell-visible one could be identified and exploited based on this writeup.


From the article:

   I think that it's very unlikely that Parallels will
   release any significant fixes or improvements for
   described mechanisms, because any reasonable fix will
   break the easy way of opening Windows documents on Mac.

Why not a new checkbox: "Trust the VM to open documents and execute code on the host"?

If you don't check it, the ability of the guest to execute code on the host is disabled.


Well, effectively that checkbox is already there; it just has the wrong name. So they don't need a new checkbox, they just need to make it perfectly clear that the current checkbox makes some major changes to the security model that may not be entirely obvious to a naive user.

I think, given the fact that Parallels is aimed at single users trying to get some interop going, that the issue is not that serious, but if anybody wants to use Parallels in a more hostile environment they'd be very happy to see this announcement in case they missed the implications of that checkbox.

Can you enable both the 'isolate windows from mac' and 'access windows folders from mac'? (You shouldn't be able to but it's not clear from the article if those options are mutually exclusive or not, it says 'in theory').


As someone who has some experience providing tech support for this, isolate windows from mac disables all kinds of host-guest interactions at once (if I remember correctly).



