Parallels Desktop implements a hypercall interface using an RDPMC instruction (“Read Performance-Monitoring Counter”) for communication between guest and host. More interestingly, this interface is accessible even to an unprivileged guest user. Though the HYPER-CUBE: High-Dimensional Hypervisor Fuzzing paper by Ruhr-University Bochum has a brief mention of this interface, we have not seen many details made public. This blog post gives a brief description of the interface and discusses a couple of vulnerabilities (CVE-2021-31424/ZDI-21-434 and CVE-2021-31427/ZDI-21-435) I found in UEFI variable services. Parallels Desktop has support for two Virtual Machine Monitors (VMM): Apple’s built-in hypervisor and the Parallels proprietary hypervisor. Prior to macOS Big Sur, the Parallels proprietary hypervisor is used by default. With this hypervisor there is a considerable amount of guest-to-host kernel attack surface, making it an interesting target.

The details in this blog correspond to Parallels Desktop 15.1.5 running on a macOS Catalina 10.15.7 host. When the guest executes an RDPMC instruction, the VMM calls Em_RDPMC_func()->HandleOpenToolsGateRequest() to process the request. The arguments to the hypercall are expected through the general-purpose registers RAX, RBX, RCX, RDX, RDI and RSI. The status of the request is returned through register RAX. The VMM also has an alternate code path PortToolsGateOutPortFunc()->HandleOpenToolsGateRequest(), reachable by writing to I/O port 0xE4. HandleOpenToolsGateRequest() dispatches the request based on the value of register RAX and sub-commands in other registers. The code path of interest for this writeup is Em_RDPMC_func()->HandleOpenToolsGateRequest()->OTGHandleGenericCommand(), which can be reached by setting RAX = 0x7B6AF8E and RBX = 7. OTGHandleGenericCommand() further supports multiple guest operations based on the value set in register RDX. The debug messages quickly reveal that RDX = 9 handles UEFI service requests for reading and writing UEFI variables.

The UEFI runtime variable services in Parallels Desktop include three components: UEFI firmware, a hypercall interface in the VMM, and an API through which the VMM makes requests to the host user-space prl_vm_app worker process. The VMM and the worker process communicate using shared memory. The UEFI firmware that ships with Parallels Desktop (efi64d.bin and efi64.bin) is based on EDK2. Just like the VMM Mach-O binary, it is a zlib-compressed binary starting with 12 bytes of magic header. To analyze the firmware, decompress the file skipping the first 12 bytes and load it using the efiXplorer IDA Pro plugin. This may take a while, but it does work well. Once the analysis is over, search the firmware for the hypercall number for invoking OTGHandleGenericCommand (0x7B6AF8E).

EFIVar.datasize is updated or validated in the user space, and status is set to 0 only when a request is successful. Otherwise EFIVar.datasize is set to 0 and status is set to a non-zero error code. The simplest request type turned out to be QueryVariableInfo(), which returns the maximum storage size, remaining storage size, and maximum size of a single UEFI variable. It also sets the status to 0 when the expected data size equals 24. As there are no state-changing operations, QueryVariableInfo() is ideal for triggering the bug.

Thread A – keep sending SetVariable() requests with an arbitrary data size > 0x1000 bytes. Each request updates SharedMem->EFIVar.datasize but always returns without entering the worker process because of the validation request.datasize > 0x1000.
Thread B – keep sending QueryVariableInfo() requests, which set status to 0.

If thread A updates SharedMem->EFIVar.datasize after the status is set by QueryVariableInfo() in the user space but before the VMM copies data using WriteLinear(), an out-of-bounds read can be triggered. Below is a debug log of the VMM page fault when the OOB read hits an unmapped kernel address.

BELLEVUE, Wash., Aug. 10, 2021 (GLOBE NEWSWIRE) - Parallels, a global leader in cross-platform solutions, announces the launch of Parallels® Desktop 17 for Mac (/desktop), the latest version of its powerful solution to run native Windows applications on Mac computers with Apple M1 and Intel chips. Parallels Desktop 17 for Mac, now a universal binary application, is optimized for the highly anticipated Windows 11 and macOS Monterey operating systems. Bringing exceptional speed and graphic improvements, it includes an enhanced Windows gaming experience, together with better resource management and visibility. Parallels Desktop 17 for Mac empowers users to run Windows applications on a Mac, more smoothly and faster than ever.
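The datasize race described in the writeup above, modelled as an added example (not code from the ZDI post or from Parallels): the VMM side fetches SharedMem->EFIVar.datasize once to validate it and again to size the copy, so a concurrent SetVariable() can change the length between the two reads, while the hardened version snapshots the length once and uses that value for both the check and the transfer. The struct layout, the function names, the 0x2000 racer value and the SHM_DATA_CAP constant are assumptions; only the 0x1000 limit, the 24-byte QueryVariableInfo() result and the status/datasize fields come from the page.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constructed model of the shared request record; SHM_DATA_CAP mirrors the 0x1000 limit on the page. */
#define SHM_DATA_CAP 0x1000
struct SharedMem { struct { uint32_t status, datasize; uint8_t data[SHM_DATA_CAP]; } EFIVar; };
/* Stand-in for thread A, invoked in the window between the VMM's two reads of datasize. */
typedef void (*racer_fn)(struct SharedMem *);

/* Double-fetch model of the VMM side. Returns the byte count that would be handed to WriteLinear();
   a value above SHM_DATA_CAP means an over-read of data[]. The memcpy runs only while in bounds. */
size_t vmm_copy_double_fetch(struct SharedMem *shm, uint8_t *guest, size_t guest_len, racer_fn racer)
{
    if (shm->EFIVar.status != 0 || shm->EFIVar.datasize > SHM_DATA_CAP)
        return 0;                                /* fetch #1: validated */
    if (racer) racer(shm);                       /* thread A lands here */
    size_t n = shm->EFIVar.datasize;             /* fetch #2: trusted without re-check */
    if (n <= SHM_DATA_CAP && n <= guest_len)
        memcpy(guest, shm->EFIVar.data, n);
    return n;
}

/* Hardened model: datasize is read once, validated, and that local value drives the transfer. */
size_t vmm_copy_single_fetch(struct SharedMem *shm, uint8_t *guest, size_t guest_len, racer_fn racer)
{
    uint32_t status = shm->EFIVar.status;
    size_t n = shm->EFIVar.datasize;             /* the only fetch */
    if (status != 0 || n > SHM_DATA_CAP || n > guest_len)
        return 0;
    if (racer) racer(shm);                       /* too late: n is already fixed */
    memcpy(guest, shm->EFIVar.data, n);
    return n;
}

/* Constructed racer: a SetVariable() path publishing an oversize datasize into shared memory. */
void racer_set_oversize(struct SharedMem *shm) { shm->EFIVar.datasize = 0x2000; }
/* Constructed worker result for a successful QueryVariableInfo(): status 0, 24 bytes of data. */
void worker_query_variable_info(struct SharedMem *shm)
{ shm->EFIVar.status = 0; shm->EFIVar.datasize = 24; memset(shm->EFIVar.data, 0xAB, 24); }

/* One QueryVariableInfo() round against either VMM model, with or without thread A racing. */
size_t run_scenario(int hardened, int race)
{
    static struct SharedMem shm; static uint8_t guest[0x2000];
    memset(&shm, 0, sizeof shm);
    worker_query_variable_info(&shm);
    racer_fn r = race ? racer_set_oversize : NULL;
    return hardened ? vmm_copy_single_fetch(&shm, guest, sizeof guest, r)
                    : vmm_copy_double_fetch(&shm, guest, sizeof guest, r);
}
```

run_scenario(0, 1) returns 0x2000, the length the double-fetch path would pass to the copy after the racer fires, while run_scenario(1, 1) still returns 24 because the hardened path never re-reads shared memory after validation.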