Bash drops privileges when it is started with an effective user identifier that differs from the real user identifier: the effective user identifier is reset to the value of the real one. The same applies to the group identifiers. In privileged mode (the -p option), bash does not drop the effective privileges, and it ignores sensitive variables and shell functions coming from the environment. Here's the relevant source code in bash, found in shell.c:

In the case of Parallels Desktop, the setuid binaries use the setuid() system call to set the real user identifier to that of the effective user identifier before spawning a shell. Since the two identifiers now match, bash is not aware of the setuid execution and trusts its environment. The problem with this implementation is that sensitive environment variables such as BASH_ENV, ENV, SHELLOPTS, BASHOPTS, CDPATH, and GLOBIGNORE, as well as exported shell functions, are processed by bash. A local unprivileged user with control over those environment variables can exploit this bug to execute code with the privileges of root.

The execv function is a wrapper around execve that fetches the environment using _NSGetEnviron() and passes it to execve. Therefore, the bash shell spawned as a child process has access to all the environment variables set by the user who launched Parallels Service, who may be an unprivileged user.

Interestingly, the execution of the embedded shell script turned out not to be immediately vulnerable. This is because Parallels Service also has the setgid bit set, and there is no corresponding setgid(getegid()) call as there was for the uid. Because of this, the real group identifier is not equal to the effective group identifier when bash is invoked. In that case, bash identifies the invocation as setgid execution, drops the group privileges, and does not trust the environment. However, any further subshell launched from this bash shell inherits all the environment variables as well as the privileges of the parent shell, which is running as root and whose real and effective group identifiers match after the call to disable_priv_mode. Considering this, the next interesting target is the watchdog script invoked from the embedded script, as seen below:

Bash is deprecated on macOS and likely exists only for backward compatibility; since macOS Catalina, zsh is the default shell. The official announcement can be found here. For any bash script executed through a setuid wrapper, one must ensure that privileged mode (-p) is enabled. In addition, beware of the differences in privileged mode between Apple's bash and the upstream version, specifically in the handling of the CDPATH and GLOBIGNORE environment variables.

Parallels Desktop is a popular target for researchers. We've already published seven advisories in the product in 2023 to go along with the 10 we published in 2022. With Parallels Desktop being one of the major virtualization solutions used on macOS, it's understandable why it can be an enticing target for threat actors. My research into Parallels continues, and I'll blog about any significant findings in the future.