Full Report
Parallels Desktop is a virtualization platform on macOS. Obviously, being able to escape this would be a huge deal! They started by looking into toolgate, the protocol for communicating between the guest and host. Toolgate requests are sent to the host by writing to a physical address that corresponds with a specific I/O port. There are restrictions on what Toolgate messages userland processes can send to the host using Parallel Tools. The only operations that are allowed are file system operations to the host. Shared Applications are a Parallels feature that allow the opening of files on a Mac in a guest application, and vice versa. A file extension and URL scheme can be related to this application, with shortcuts even being created. Parallels handles syncing of running guest apps to the host. This is done as follows: Parallel Tools detects that an application is launched in the guest. A toolgate request (TG_REQUEST_FAVRUNAPPS) is made to the host to notify it of the app. If a helper exists, then the helper app is launched. If not, a new bundle is created. The app bundle is created from a template, which is filled with information supplied by the guest. This information is written to several areas, including the Info.plist of the application. This sounds like a classic attack. Privileged entity is taking in information then adding it to a location. If the input is properly santitized, it could be possible to inject malicious content into it. In turns out, that two of the fields were not sanitized of XML document data. As a result, the guest user could inject arbitrary data into the plist file. Why is this useful? The initial attack vector the author went after was LSEnvironment key to set DYLD_INSERT_LIBRARIES to force an arbitrary dylib file. Still though, this isn't enough for execution just yet. So, they were looking for arbitrary file write vulnerabilities to write a dylib file themselves then execute it. The best place to look for these bugs would be a shared folder service. The shared folders are implemented using the Toolgate functionality as well. The only thing we really have access to here is the opening, reading and writing to files. When performing these operations, there are validations that the path doesn't contain a ../, has symlinks or anything else. It looks perfect. Except, there is a time of check time of use (TOCTOU) bug here that allows for the circumvention of this check. Using this bug, an attacker can read or write to arbitrary files on the host! To bring these bugs together, we can use the arbitrary file write to create a dylib file of our choosing at a known location. Then, we can use the first bug to execute this dylib file. Damn, that's a pretty hype chain! A novel plist injection technique into a classic TOCTOU bug. Good finds and good chaining! I wonder if there are other bugs in this part of the eco-system; my guess is that there are.
Analysis Summary
# Vulnerability: Parallels Desktop Guest-to-Host Escape via Plist Injection and TOCTOU Chain
## CVE Details
- **CVE ID**: CVE-2023-27328 (Plist Injection), CVE-2023-27327 (TOCTOU File Write)
- **CVSS Score**: 8.8 (High) - per ZDI advisories
- **CWE**: CWE-94 (Improper Control of Generation of Code), CWE-367 (Time-of-Check Time-of-Use)
## Affected Systems
- **Products**: Parallels Desktop for Mac
- **Versions**: Prior to version 18.1.1
- **Configurations**: Systems with "Shared Applications" and "Shared Folders" features enabled. Exploitation of the full chain typically requires elevated (root/administrative) privileges within the Guest OS to send restricted Toolgate requests.
## Vulnerability Description
This exploit chain leverages two distinct flaws in the Parallels Toolgate protocol (the guest-to-host communication layer):
1. **CVE-2023-27328 (Plist Injection):** When a guest OS launches an application, Parallels creates a helper app bundle on the macOS host to sync the application. The host populates the bundle's `Info.plist` using guest-supplied data. Two fields—URL schemes and file extensions—failed to sanitize XML tags. An attacker can inject arbitrary XML keys, such as `LSEnvironment`, to set environment variables like `DYLD_INSERT_LIBRARIES`.
2. **CVE-2023-27327 (Arbitrary File Write TOCTOU):** The "Shared Folders" feature validates file paths to prevent directory traversal (e.g., checking for `../` or symlinks). However, a race condition exists between the path validation and the actual file opening. By rapidly swapping a directory with a symlink during this window, an attacker can bypass checks and write files to arbitrary locations on the host.
## Exploitation
- **Status**: PoC available.
- **Complexity**: Medium (Requires winning a race condition and chaining two vulnerabilities).
- **Attack Vector**: Local (Originates from within the Guest VM).
## Impact
- **Confidentiality**: High (Access to host files via arbitrary read/write).
- **Integrity**: High (Ability to modify host files and execute arbitrary code).
- **Availability**: High (Potential for host system instability).
## Remediation
### Patches
- **Parallels Desktop 18.1.1**: This version contains fixes for both CVEs. Users should update to the latest available version immediately.
### Workarounds
- Disable **Shared Applications** and **Shared Folders** in the Virtual Machine configuration settings to reduce the attack surface.
- Restrict administrative/root access within the Guest VM to prevent the transmission of raw Toolgate requests.
## Detection
- **Indicators of Compromise**:
- Unexpected `.app` bundles appearing in `~/Applications (Parallels)/`.
- `Info.plist` files within Parallels helper apps containing suspicious `LSEnvironment` or `DYLD_INSERT_LIBRARIES` entries.
- Large volumes of rapid file rename/symlink operations within shared folders.
- **Detection Methods**: Monitor for unauthorized file writes to sensitive macOS host directories by the Parallels process.
## References
- Vendor: hxxps://www[.]parallels[.]com/products/desktop/
- Original Research: hxxps://pwn[.]win/2023/05/08/Parallels-Desktop-Escape[.]html
- ZDI Advisories:
- hxxps://www[.]zerodayinitiative[.]com/advisories/ZDI-23-220/
- hxxps://www[.]zerodayinitiative[.]com/advisories/ZDI-23-215/
- PoC Repository: hxxps://github[.]com/kn32/parallels-plist-escape