On May 2020, Parallels company has released security patch to fix the vulnerability CVE-2020-8871. Vulnerability could allow local user on the guest OS to escalate privileges and execute code on the host. Bug present in Parallels Desktop for Mac, product of Parallels.
Parallels Desktop for Mac is software providing hardware virtualization for Mac. To add another operating system to your MAC, it creates virtual machine (VM) inside mac. Then you can install another OS into MAC.
Let’s take a quick overview where vulnerability exist.
Each virtual machine on Parallels is represented by prl_vm_app process. After running POC on Mac having affected version of Parallels, it will crash prl_vm_app process. Below is the code from POC,
Image Source: thezdi
This loop will execute infinite times and writes random generated number into I/O port 0x3C4 (VGA sequencer index register) and 0x3C5(VGA sequencer data register).
Crash occurs in function sub_100185DA0
Image Source: thezdi
During initialization VGA devices allocate vga_context structure. Function tries to write data into vga_context buffer. The total length is calculated using vga_context->h * vga_context->w * sizeof(DWORD) where vga_context->h and vga_context->w are height and width for the guest VM screen resolution.
In POC port 0x3C4 and 0x3C5 are used. Port 0x3C4 acts as a selector to control what goes on in port 0x3C5. Using port 0x3C5 we can set arbitrary 16 bit value to vga_context->h and vga_context->w. It will change the total length of data in bytes which has to write in buffer vga_context->buf. However, it fails to validate new height and width which leads to Out-Of-Bounds write and crashes Parallel Desktop.
Vulnerability is exploitable, as the value of the overflow is partially controllable through port 0x3C9 (vga_context->array)
Parallels Desktop 15.1.0-47107
Vulnerability is fixed in released version of Parallel Desktop 15.1.3 (47255). To protect your system from attack, patch with recent update from Parallel company web page.
Qualys Threat Research Lab provides protection with the QID(s)# 372467. Kindly continue to follow on Qualys Threat Protection for more coverage on vulnerabilities.
References & Sources: