关联漏洞
描述
VM Escape for Parallels Desktop <18.1.1
介绍
<a href="https://www.buymeacoffee.com/hackerden" target="_blank"><img src="https://cdn.buymeacoffee.com/buttons/v2/default-yellow.png" alt="Buy Me A Coffee" style="height: 41px !important;width: 174px !important;" ></a>
# Parallels Desktop VM Escape
This repository contains an exploit for a [Parallels Desktop](https://www.parallels.com/products/desktop/) vulnerability which has been assigned CVE-2023-27326. This vulnerability allows local attackers to escalate privileges on affected installations of Parallels Desktop.
The exploit was tested on Parallels Desktop version 18.0.0 (53049), and the vulnerability was patched in the 18.1.1 (53328) [security update](https://kb.parallels.com/125013).
## Vulnerability Details
The specific flaw exists within the *Toolgate* component. The issue results from the lack of proper validation of a user-supplied path prior to using it in file operations. An attacker can leverage this vulnerability to escalate privileges and execute arbitrary code in the context of the current user on the host system.
The full details of the vulnerability can be found in the accompanying [blog post](https://medium.com/@malwareman007/directory-traversal-arbitrary-file-write-vulnerability-a1d632472319).
## Credits
The vulnerability was discovered and exploited by Alexandre Adamski of [Impalabs](https://impalabs.com). The boiler plate code of the kernel module is taken from [RET2 Systems](https://ret2.io/)'s [Pwn2Own 2021 exploit](https://github.com/ret2/Pwn2Own-2021-Parallels/).
## POC
https://user-images.githubusercontent.com/86009160/236548403-0dac30c6-41fb-460b-a07b-8ebf56319dcc.mp4
文件快照
[4.0K] /data/pocs/0f4638e3722a80288648fea183a4c74fe3999907
├── [1.0K] LICENSE
├── [ 157] Makefile
├── [4.8K] prl_exp.c
├── [1.6K] README.md
└── [ 55] run.sh
0 directories, 5 files
备注
1. 建议优先通过来源进行访问。
2. 如果因为来源失效或无法访问,请发送邮箱到 f.jinxu#gmail.com 索取本地快照(把 # 换成 @)。
3. 神龙已为您对POC代码进行快照,为了长期维护,请考虑为本地POC付费,感谢您的支持。