Resources

People often ask me "How did you learn how to hack?" The answer: by reading. This page is a collection of the blog posts and other articles that I have accumulated over the years of my journey. Enjoy!

Parallels Desktop RDPMC Hypercall Interface and Vulnerabilities - 473

Reno Robert - ZDI, posted 4 years ago
  • Parallels Desktop runs virtual desktops and applications on a host machine and, like any hypervisor, is supposed to keep the guest isolated from the host. This article targets the hypervisor of Parallels Desktop. Because the hypervisor's interface is accessible by any user, it looked like a juicy target.
  • The research took a fair amount of reversing just to get at the actual hypervisor image: it is stored as a zlib-compressed blob after a 12-byte header that has to be skipped before decompressing, and only some symbols were left in the binary.
  • The vulnerabilities are in the hypercall functionality. Parallels uses the Read Performance-Monitoring Counter instruction (RDPMC) as the channel for communication between guest and host. The first vulnerability is a heap overflow: a guest-provided size is used to copy into a fixed-size heap buffer, and the overflow occurs while handling the UEFI variable name.
  • The other bug is a time-of-check vs. time-of-use (TOCTOU) bug that results in an out-of-bounds read. The data size of a UEFI request sits in memory shared with the guest. The hypervisor validates that size, but then fetches it from shared memory again after the validation. If the guest changes the value between the check and the second fetch, an OOB read occurs.
  • To exploit the race condition the author used a flipping strategy. One thread repeatedly sets the size to a larger value than should be allowed for the request; the other thread resets the status to 0 by calling some function. Eventually a write lands between the check and the use, and the flipping triggers the OOB read.
  • Interesting bugs in a lesser-known interface. Bugs tend to live in obscure places.
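The double fetch behind the TOCTOU bug is easiest to see side by side with its fix. The C below is an added example written for this page; it is not code from the ZDI post or from Parallels, and the request layout, the 64-byte buffer and the handler names are assumptions for illustration. Instead of a real second thread, a hook models the guest winning the race by rewriting the shared size field between the hypervisor's check and its use, so the outcome is deterministic. The same missing-bound pattern (guest-provided size against a fixed-size buffer) is what the first, heap-overflow bug comes down to.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define DATA_MAX 64   /* size of the hypervisor-side buffer (assumed) */

/* Request page shared between guest and hypervisor. The layout is an
 * assumption for this example, not the real Parallels structure. */
struct uefi_req {
    uint32_t size;           /* guest-controlled, lives in shared memory */
    uint8_t  data[DATA_MAX];
};

/* Models the second guest thread winning the race: the hook runs between
 * the hypervisor's check of req->size and its use of it. */
typedef void (*race_hook)(struct uefi_req *req);

static void guest_flip_large(struct uefi_req *req) { req->size = 4096; }
static void guest_idle(struct uefi_req *req) { (void)req; }

/* Vulnerable handler: checks the size read from shared memory, then
 * fetches it again for the copy (a double fetch). Returns -1 if the
 * request was rejected, otherwise the byte count the copy would use;
 * anything above DATA_MAX is an out-of-bounds read of the 64-byte buffer. */
static long handle_vulnerable(struct uefi_req *req, race_hook guest)
{
    uint8_t out[DATA_MAX];
    if (req->size > DATA_MAX)           /* time of check: first fetch */
        return -1;
    guest(req);                         /* guest flips the shared field */
    uint32_t n = req->size;             /* time of use: second fetch */
    /* Clamped only so this demo does not itself overflow; the real code
     * would copy n bytes and read past the buffer. */
    memcpy(out, req->data, n > DATA_MAX ? DATA_MAX : n);
    (void)out;
    return n;
}

/* Hardened handler: copy the size into a local once, validate the local,
 * and never re-read the shared field. The guest can still flip the value
 * in shared memory, but the hypervisor no longer looks at it. */
static long handle_hardened(struct uefi_req *req, race_hook guest)
{
    uint8_t out[DATA_MAX];
    uint32_t n = req->size;             /* single fetch into a local */
    if (n > DATA_MAX)
        return -1;
    guest(req);                         /* flip has no effect on n */
    memcpy(out, req->data, n);
    (void)out;
    return n;
}

/* Runs one request through a handler with the guest racing it and
 * returns the byte count the handler ended up using (-1 if rejected). */
static long run(long (*handler)(struct uefi_req *, race_hook),
                uint32_t initial_size, race_hook guest)
{
    struct uefi_req req;
    memset(&req, 0, sizeof req);        /* constructed sample request */
    req.size = initial_size;
    return handler(&req, guest);
}

int main(void)
{
    printf("vulnerable, no race:   %ld\n", run(handle_vulnerable, 16, guest_idle));
    printf("vulnerable, with race: %ld\n", run(handle_vulnerable, 16, guest_flip_large));
    printf("hardened,   with race: %ld\n", run(handle_hardened, 16, guest_flip_large));
    printf("hardened,   oversized: %ld\n", run(handle_hardened, 4096, guest_idle));
    return 0;
}
```

In the real attack the interleaving is not chosen for you: the flipping thread keeps rewriting the field and the hypercall is issued until a write happens to land in the window between the two fetches. The fix does not narrow that window, it removes the second fetch, which is the property to look for when reviewing any handler that reads request headers out of guest- or user-shared memory.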