
Advanced Exploitation of Simple Bugs
A Parallels Desktop Case Study (Pwn2Own 2021)

Alisa Esage
Zero Day Engineering Project
Livestream 2021
About me
● Offensive Vuln Research & Advanced Exploits
○ Browsers, Kernels, Basebands, Hypervisors...
○ Hard targets for profit
○ Bug bounties for fun
○ Vendor acknowledgements: Microsoft, Google, Mozilla, Oracle…
○ Phrack author
● Pwn2Own 2021 Virtualization winner
○ Parallels Desktop for Mac
● Zero Day Engineering Project – Training & Intelligence: http://zerodayengineering.com
○ Training & mini-classes
○ R&D
Agenda
● Relevant Theory
○ Hypervisor Threat Model
○ Guest Services
○ Protocols & Tech
● Parallels Desktop
○ Architecture & Internals
○ Parallels Toolgate RE
○ Guest Additions
● The Bug
● The Exploit

All materials in this presentation are based on the author’s own independent work, views and analysis.
Part 1

Relevant Theory
Hypervisor Threat Model

[Diagram: attack-surface grid of a hypervisor, reconstructed from the slide layout. Column headers on top, interface type each column exposes in parentheses.]

Host modules            Guest services          Virtualized devices     VMM
(Hypercall interface)   (Interfaces)            (Extensions)            (Protocols)
Hypercall interface     3D/2D acceleration      USB                     Shadow PTE
Hardware VMX            Shaders                 PCI                     Nested page tables
Privileged drivers      Graphics                Buses                   MMU virtualization
Inter-VM networking     Shared folders          Emulated devices        ISA emulation
Printing services       Shared everything       Paravirtualized         vAPIC
Etc.                    Rich functionality      Peripherals             CPU virtualization

Slide annotations:
● Host modules → Local EoP; Guest services → VM escapes
● USB: UHCI, OHCI, xHCI, eHCI controllers
● Network: E1000, Virtio, DEC...; DHCP, TFTP, PXE boot, zero-conf
● Classical (emulated) device models vs. synthetic models with hypercall-based IO
● Note on hardware virtualization support; "technological mess"
● MYTH ALERT: hypercall handlers


Attack surface

[Diagram: the same hypervisor threat-model grid (Host modules / Guest services / Virtualized devices / VMM) from the Relevant Theory section, used here to mark the attack surface]


Guest services architecture (example: GL)

[Diagram: layered stack from hardware to users, reconstructed from the slide layout. Columns: HW | Hypervisor | VM | Users]
● Users: application calling the system (GPU) API inside the guest
● VM: guest additions hooking the 3D graphics and file system paths in the guest kernel; emulated and paravirtualized devices; hypercall interface
● Hypervisor: guest services backend and the VMM module
● RPC protocols connect the guest additions / virtualization tools to the host side
Part 2

Parallels Desktop
Parallels Desktop Architecture vs. The Model

[Diagram: the hypervisor threat-model grid (Host modules / Guest services / Virtualized devices / VMM, with Local EoP and VM escape annotations) from the Relevant Theory section, mapped onto Parallels Desktop]


parallels_symbolize.py
Parallels research tip: verbose debug logs
Parallels virtual hardware
init_devices
Parallels emulated devices
Parallels Toolgate
Parallels Tools & Toolgate
Toolgate protocol
Part 3

The Bug

Slides:
● Reverse-Engineering Parallels Toolgate
● Toolgate Request Handlers
● Parallels Shared Folders
● Parsing SF hypercalls
● The Bug

zerodayengineering.com
Part 4

The Exploit

Slides:
● prl_fs
● Prl_fs guest <> hypervisor
● SF protocol
● Reaching the bug
● Not so easy…
● prl_pwn kernel module
● prl_pwn kernel module (imports)
● Reverse-engineering the protocol (six slides)
● prl_pwn.py
● Toolgate protocol primitives – user side
● Toolgate protocol primitives – hypervisor side
● Talking to the hypervisor
● Emulating the protocol
● Execute payload
VMware shared folders (CVE-2007-1744)
● Directory traversal
● Implementation uses MultiByteToWideChar() API
● Path sanitization is bypassed by injecting a unicode ‘..’ substring as “%c0%2e%c0%2e”

CVE-2008-0923: directory traversal #2
● Improperly patched CVE-2007-1744
● Path sanitization is bypassed by injecting “0xc2 0x2e 0xc2 0x2e”
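The check-then-convert ordering behind the shared-folder bugs above, shown as an added example that is not from the talk or from VMware's code: a constructed lenient decoder and share root (both assumptions) stand in for the real converter, and the hardened variant converts strictly and validates the canonical path before use.

```python
import posixpath

# Assumed share root; a constructed value for this example.
SHARE_ROOT = "/shares/public"


def lenient_decode(raw: bytes) -> str:
    """Constructed model of a forgiving multibyte-to-wide conversion.

    This is an assumption standing in for the behaviour the slide attributes
    to MultiByteToWideChar(): a two-byte lead byte followed by a
    non-continuation byte is silently dropped, so the second byte surfaces
    as a plain character. Python's strict UTF-8 decoder rejects such input.
    """
    out, i = [], 0
    while i < len(raw):
        b = raw[i]
        if 0xC0 <= b <= 0xDF and i + 1 < len(raw):
            nxt = raw[i + 1]
            if 0x80 <= nxt <= 0xBF:
                out.append(chr(((b & 0x1F) << 6) | (nxt & 0x3F)))
            else:
                out.append(chr(nxt))  # malformed pair: lead byte dropped
            i += 2
        else:
            out.append(chr(b))
            i += 1
    return "".join(out)


def vulnerable_resolve(raw: bytes):
    """Bug pattern: sanitize the raw bytes, then convert leniently."""
    if b".." in raw:
        return None
    return posixpath.normpath(posixpath.join(SHARE_ROOT, lenient_decode(raw)))


def hardened_resolve(raw: bytes):
    """Fix pattern: convert strictly first, then check the canonical form."""
    try:
        path = raw.decode("utf-8")  # strict: rejects overlong/malformed bytes
    except UnicodeDecodeError:
        return None
    if path.startswith("/") or ".." in path.split("/"):
        return None
    full = posixpath.normpath(posixpath.join(SHARE_ROOT, path))
    if full != SHARE_ROOT and not full.startswith(SHARE_ROOT + "/"):
        return None
    return full
```

The vulnerable resolver never sees a literal `..` in the raw bytes, yet the lenient conversion yields one and the normalized path leaves the share; the hardened resolver rejects the same input at decode time and also checks the final path against the root.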

Literally the first case study slide in my training “Hypervisor Vulnerability Research”...
Thank you
Twitter: @alisaesage
Email: contact@zerodayengineering.com
