Two vulnerabilities in Parallels Desktop, a plist injection and a Time-of-Check Time-of-Use (TOCTOU) race.

Vuln 1: XML injection in Shared Applications The first vuln has to do with Parallel’s support for “Shared Applications”, which allows you to have a guest application displayed on the host’s mac dock or launchpad and similarly be able to launch the application in the guest this way. To facilitate this, parallels will monitor the guest and send (untrusted) toolgate requests to the host, which a driver then processes to create “helper apps”. Various fields from the request end up stored in the XML property list (plist). While most fields were sanitized against XML injection, the URL scheme and file extensions weren’t. This allows you to break out of the XML and inject arbitrary properties, including LSEnvironment for defining environment variables for app launches. By setting the DYLD_INSERT_LIBRARIES to a directory with attacker-controlled files, code execution can be achieved.

Vuln 2: TOCTOU in Shared Folders While the first vuln can achieve code execution, it’s tricky to exploit on its own as you need to be able to write some malicious file on the host to be read as a dynamic library. This is where the second vuln comes in via Shared Folders, which allows the guest to send instructions to the host to perform operations on the filesystem in a given shared directory. While it tries to ensure accesses from the guest are contained to the shared folder, it has the classic issue of TOCTOU when handling symlinks. By racing the check, you can get an arbitrary file write outside the shared folder and chain with the first bug for code execution on the host.