Summary
The VM manager acts as a frontend to qemu and the Apple Virtualization Framework.
Severity
Low - Could result in a file download or VM management without sufficient user consent.
Proof of Concept
The UTM URI handling scheme does not ask for confirmation before performing any actions, including downloading or starting a VM. Starting VMs is done using the name only, which an attacker can control if they cause a victim to download a VM image provided by the attacker.
For example, the URI utm://downloadVM?url=https%3A%2F%2Fexample.com%2FVM.zip
would cause UTM to download and unpack a ZIP file located at https://example.com/VM.zip
into its VM storage directory, assuming it had the correct file structure for a UTM VM. This download happens without confirmation from the UTM application, regardless of the URI. An example legitimate use of this command can be found at the UTM template gallery, where each entry has a link using this scheme to trigger a download of the VM template. When loaded in modern versions of Chrome, the browser itself will trigger a warning asking permission to send the URI to UTM, but the warning is generic and does not sufficiently allow the user to understand what will happen if they allow it.
VMs can also be started through this URI scheme. For example, the URI utm://start?name=example
would start a VM named example
. This again has no user confirmation from UTM itself, and would rely on the browser to adequately warn the user before triggering the start action.
- Install UTM (
brew install --cask utm@4.4.5
).
- Paste the following URL into Chrome:
utm://downloadVM?url=https://github.com/utmapp/vm-downloads/releases/download/archlinux-arm64/archlinux-arm64-utm4.zip
.
- Chrome will ask for permission to open UTM, but UTM itself will not ask for confirmation before downloading the VM.
- Once the VM is downloaded, paste the following URL into Chrome:
utm://start?name=ArchLinux
- Chrome will ask for permission to open UTM, but UTM itself will not ask for confirmation before starting the VM.
- The VM will start.
This PoC uses safe VMs provided by the UTM developers, but there is no restriction on the source or contents of the VM that will be downloaded and started.
Further Analysis
Desired behavior should include:
- Require confirmation from the user that a given download should start. Allowlisting of specific URI prefixes (such as the UTM Github project) may be acceptable, but care should be taken to avoid allowing too broadly: for example, allowing
https://github.com/utmapp/vm-downloads/*
would allow an attacker to fork the repo and use an attack similar to impostor commits to bypass the check. Restricting the allowlist to https://github.com/utmapp/vm-downloads/releases/download/*
would likely be safe.
- Require confirmation for other control actions such as VM start. Allowing the user to allowlist direct control of specific VMs may be acceptable, but in practice users should be encouraged to use
utmctl
instead, which does not have the same security implications (as any attacker that can interact with it could presumably already run arbitrary shell commands).
Timeline
Date reported: 01/05/2024
Date fixed: Fixed in version 4.5.1
Date disclosed: 04/05/2024
Summary
The VM manager acts as a frontend to qemu and the Apple Virtualization Framework.
Severity
Low - Could result in a file download or VM management without sufficient user consent.
Proof of Concept
The UTM URI handling scheme does not ask for confirmation before performing any actions, including downloading or starting a VM. Starting VMs is done using the name only, which an attacker can control if they cause a victim to download a VM image provided by the attacker.
For example, the URI
utm://downloadVM?url=https%3A%2F%2Fexample.com%2FVM.zip
would cause UTM to download and unpack a ZIP file located athttps://example.com/VM.zip
into its VM storage directory, assuming it had the correct file structure for a UTM VM. This download happens without confirmation from the UTM application, regardless of the URI. An example legitimate use of this command can be found at the UTM template gallery, where each entry has a link using this scheme to trigger a download of the VM template. When loaded in modern versions of Chrome, the browser itself will trigger a warning asking permission to send the URI to UTM, but the warning is generic and does not sufficiently allow the user to understand what will happen if they allow it.VMs can also be started through this URI scheme. For example, the URI
utm://start?name=example
would start a VM namedexample
. This again has no user confirmation from UTM itself, and would rely on the browser to adequately warn the user before triggering the start action.brew install --cask utm@4.4.5
).utm://downloadVM?url=https://github.com/utmapp/vm-downloads/releases/download/archlinux-arm64/archlinux-arm64-utm4.zip
.utm://start?name=ArchLinux
This PoC uses safe VMs provided by the UTM developers, but there is no restriction on the source or contents of the VM that will be downloaded and started.
Further Analysis
Desired behavior should include:
https://github.com/utmapp/vm-downloads/*
would allow an attacker to fork the repo and use an attack similar to impostor commits to bypass the check. Restricting the allowlist tohttps://github.com/utmapp/vm-downloads/releases/download/*
would likely be safe.utmctl
instead, which does not have the same security implications (as any attacker that can interact with it could presumably already run arbitrary shell commands).Timeline
Date reported: 01/05/2024
Date fixed: Fixed in version 4.5.1
Date disclosed: 04/05/2024