CVE-2023-27327 PoC: Corel Parallels Desktop Security Vulnerability

Source
Associated Vulnerability
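Title: Corel Parallels Desktop Security Vulnerability (CVE-2023-27327)
Description: Corel Parallels Desktop is virtual machine software for the macOS platform from Corel, a Canadian digital technology company. A security vulnerability exists in the Corel Parallels Desktop Service, stemming from a local privilege escalation flaw in the Toolgate component.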
Description
Exploits for CVE-2023-27327 and CVE-2023-27328
Readme
# parallels-plist-escape

This repository contains exploits for CVE-2023-27327 and CVE-2023-27328, which can be used together to escape a Parallels Desktop virtual machine on versions prior to Parallels Desktop 18.1.1.

It also contains code for a required kernel module, in `prl_mod`, which can be used to send arbitrary Toolgate requests (< opcode 0x8000) from userland, using a proc entry created at `/proc/driver/prl_tg_pwn`.

### Requirements
- Root in the guest so you can load the kernel module
- Parallels Tools installed - this is not strictly required if we have root in the guest, but the code here assumes it's present
- At least one share mounted into the VM; its location on the host doesn't matter

### Running the exploit
Build and load the kernel module:
```bash
cd prl_mod
make -f Makefile.kmods
sudo insmod ./prl_tg_pwn/Toolgate/Guest/Linux/prl_tg/prl_tg_pwn.ko
```

Run the exploit:
```bash
cd ..
pip install -r requirements.txt
./3_full_chain.py
```
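
A triage check for the artifacts named in this README, added here as an example and not part of the original repository: it looks for the `/proc/driver/prl_tg_pwn` entry and a loaded `prl_tg_pwn` module in a Linux guest, and compares a Parallels Desktop version string against 18.1.1. The function names, the `--run` switch, the module name derived from the `.ko` filename, and the default macOS install path are assumptions.

```shell
#!/bin/sh
# Added triage example; not part of the parallels-plist-escape repository.
FIXED_VERSION="18.1.1"   # first fixed release, per the README

# Return 0 when version string $1 is older than FIXED_VERSION (affected).
is_affected_version() {
    v=$1 f=$FIXED_VERSION
    for n in 1 2 3; do
        h=${v%%.*}; w=${f%%.*}
        h=${h%%[!0-9]*}; w=${w%%[!0-9]*}   # drop any non-numeric build suffix
        [ "${h:-0}" -lt "${w:-0}" ] && return 0
        [ "${h:-0}" -gt "${w:-0}" ] && return 1
        case $v in *.*) v=${v#*.} ;; *) v=0 ;; esac
        case $f in *.*) f=${f#*.} ;; *) f=0 ;; esac
    done
    return 1   # equal to the fixed release: not affected
}

# Report guest-side traces of the helper module. Optional root prefix $1
# lets the check run against a test tree; the default is the live system.
# Assumption: the module is loaded under the name of its .ko file.
guest_indicators() {
    root=${1:-}
    found=1
    if [ -e "$root/proc/driver/prl_tg_pwn" ]; then
        echo "proc entry present: /proc/driver/prl_tg_pwn"; found=0
    fi
    if grep -q '^prl_tg_pwn ' "$root/proc/modules" 2>/dev/null; then
        echo "kernel module loaded: prl_tg_pwn"; found=0
    fi
    return $found
}

main() {
    if guest_indicators; then
        echo "guest: review who loaded this module and when"
    fi
    # Assumption: default macOS install location of Parallels Desktop.
    plist="/Applications/Parallels Desktop.app/Contents/Info"
    ver=$(defaults read "$plist" CFBundleShortVersionString 2>/dev/null) || return 0
    if is_affected_version "$ver"; then
        echo "host: Parallels Desktop $ver predates $FIXED_VERSION; update"
    fi
}

if [ "${1:-}" = "--run" ]; then main; fi
```

Run it with `--run` inside a Linux guest for the module check, or on the macOS host for the version check; either half is skipped quietly where it does not apply.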
File Snapshot

```
[4.0K] /data/pocs/db273ecdcc66762b8a0f5d5ef88a1fa2029e0a57
├── [4.3K] 1_write_file.py
├── [2.8K] 2_plist_injection.py
├── [ 151] 3_full_chain.py
├── [4.0K] prl_mod
│   ├── [2.0K] Makefile.kmods
│   ├── [4.0K] prl_tg
│   │   └── [4.0K] Toolgate
│   │       ├── [4.0K] Guest
│   │       │   ├── [4.0K] Interfaces
│   │       │   │   └── [1.0K] tgreq.h
│   │       │   └── [4.0K] Linux
│   │       │       ├── [4.0K] Interfaces
│   │       │       │   ├── [ 465] prltg_call.h
│   │       │       │   └── [3.0K] prltg.h
│   │       │       └── [4.0K] prl_tg
│   │       │           ├── [1.5K] Makefile
│   │       │           ├── [ 16K] prltg.c
│   │       │           ├── [ 13K] prltg_call.c
│   │       │           ├── [5.5K] prltg_common.h
│   │       │           ├── [3.2K] prltg_compat.h
│   │       │           └── [ 951] tg_test.c
│   │       └── [4.0K] Interfaces
│   │           ├── [ 15K] Tg.h
│   │           └── [ 179] VSockPorts.h
│   └── [4.0K] prl_tg_pwn
│       └── [4.0K] Toolgate
│           ├── [4.0K] Guest
│           │   ├── [4.0K] Interfaces
│           │   │   └── [1.0K] tgreq.h
│           │   └── [4.0K] Linux
│           │       ├── [4.0K] Interfaces
│           │       │   ├── [ 465] prltg_call.h
│           │       │   └── [3.0K] prltg.h
│           │       └── [4.0K] prl_tg
│           │           ├── [1.4K] Makefile
│           │           ├── [4.5K] prltg.c
│           │           ├── [5.5K] prltg_common.h
│           │           ├── [3.2K] prltg_compat.h
│           │           └── [ 951] tg_test.c
│           └── [4.0K] Interfaces
│               ├── [ 15K] Tg.h
│               └── [ 179] VSockPorts.h
├── [ 32K] pwn.dylib
├── [ 965] README.md
├── [  15] requirements.txt
├── [ 27K] smile.png
└── [4.0K] toolgate
    ├── [1.9K] client.py
    ├── [9.6K] constants.py
    ├── [  71] __init__.py
    └── [2.1K] structs.py

18 directories, 33 files
```