{"id":2174,"date":"2025-02-24T10:06:35","date_gmt":"2025-02-24T10:06:35","guid":{"rendered":"https:\/\/serisec.com\/index.php\/2025\/02\/24\/parallels-desktop-0-day-vulnerability-gain-root-privileges-poc-released\/"},"modified":"2025-02-24T10:06:35","modified_gmt":"2025-02-24T10:06:35","slug":"parallels-desktop-0-day-vulnerability-gain-root-privileges-poc-released","status":"publish","type":"post","link":"https:\/\/serisec.com\/index.php\/2025\/02\/24\/parallels-desktop-0-day-vulnerability-gain-root-privileges-poc-released\/","title":{"rendered":"Parallels Desktop 0-Day Vulnerability Gain Root Privileges \u2013 PoC Released"},"content":{"rendered":"<div>\n<p>A critical <a href=\"https:\/\/cybersecuritynews.com\/pan-os-vulnerability-web-interface-authentication\/\" target=\"_blank\" rel=\"noreferrer noopener\">0-day vulnerability<\/a> in Parallels Desktop virtualization software has been publicly disclosed, enabling local attackers to escalate privileges to root-level access on macOS systems.\u00a0<\/p>\n<p>All versions of Parallels Desktop, including the most recent 20.2.1 (55876), are vulnerable to the flaw identified as CVE-2024-34331, which results from insufficient security controls in the application\u2019s macOS installer repackaging subsystem.<\/p>\n<p>Security researcher Mickey Jin (@patch1t) released proof-of-concept (PoC) exploits demonstrating two distinct bypass methods for CVE-2024-34331, a previously patched privilege escalation flaw.\u00a0<\/p>\n<h2 class=\"wp-block-heading\"><strong>Parallels Desktop 0-Day Vulnerability<\/strong><\/h2>\n<p>The vulnerability resides in Parallels Desktop\u2019s repack_osx_install_app.sh script, which handles <a href=\"https:\/\/cybersecuritynews.com\/new-web-inject-attack-campaigns-targeting-macos-users\/\" target=\"_blank\" 
rel=\"noreferrer noopener\">macOS<\/a> installer repackaging operations with root privileges via the prl_disp_service daemon.\u00a0<\/p>\n<p>The original CVE-2024-34331 patch introduced Apple code signature verification for the createinstallmedia binary using the codesign -v -R=\"anchor apple\" command.\u00a0<\/p>\n<p>However, researchers identified two critical bypass mechanisms:<\/p>\n<h2 class=\"wp-block-heading\"><strong>Time-of-Check to Time-of-Use (TOCTOU) Exploitation<\/strong><\/h2>\n<p>Attackers can replace the legitimate createinstallmedia binary with a <a href=\"https:\/\/cybersecuritynews.com\/earth-preta-abuse-microsoft-application-virtualization-injector\/\" target=\"_blank\" rel=\"noreferrer noopener\">malicious payload<\/a> during the narrow window between signature verification and execution.\u00a0<\/p>\n<p>Jin\u2019s first PoC (exploit1.sh) demonstrates this by creating a fake macOS installer bundle with \/bin\/ls masquerading as createinstallmedia, triggering Parallels\u2019 repackaging workflow, and then swapping the binary with a payload script during temporary directory creation.<\/p>\n<p>The payload executes with root privileges via the SUID-enabled prl_disp_service, enabling commands like touch \/Library\/lpe to create persistence mechanisms.<\/p>\n<h2 class=\"wp-block-heading\"><strong>Weak Signature Enforcement via DYLIB Injection<\/strong><\/h2>\n<p>The \u201canchor apple\u201d requirement allows any Apple-signed binary (e.g., \/bin\/ls) to pass verification.\u00a0<\/p>\n<p>Attackers can inject malicious dynamic libraries (DYLIBs) into these binaries using environment variable manipulation or DYLD_INSERT_LIBRARIES techniques.\u00a0<\/p>\n<p>This bypass leverages <a href=\"https:\/\/cybersecuritynews.com\/new-web-inject-attack-campaigns-targeting-macos-users\/\" target=\"_blank\" rel=\"noreferrer noopener\">macOS\u2019s code<\/a> signing design to subvert Parallels\u2019 security checks while maintaining legitimate 
Apple signatures.<\/p>\n<h2 class=\"wp-block-heading\"><strong>Evolution of Exploit Techniques<\/strong><\/h2>\n<p>Parallels attempted to mitigate these issues in version 19.4.1 by switching to a do_repack_manual function that uses 7z compression for installer creation.\u00a0<\/p>\n<p>However, Jin identified a path traversal vulnerability in the function\u2019s handling of the CFBundleDisplayName parameter.\u00a0<\/p>\n<p>By setting this value to ..\/..\/..\/..\/..\/..\/tmp\/lnk\/result, attackers could:<\/p>\n<ul class=\"wp-block-list\">\n<li>Create symbolic links redirecting root-owned directories<\/li>\n<li>Replace the 7z binary with a malicious payload during temporary file operations<\/li>\n<li>Trigger execution via Parallels\u2019 privileged services.<\/li>\n<\/ul>\n<p>The vendor later reverted to the vulnerable do_repack_createinstallmedia method in version 20.2.1, reactivating the original exploit vectors.\u00a0<\/p>\n<p>A video demonstration shows successful privilege escalation on updated systems.<\/p>\n<figure class=\"wp-block-embed is-type-video is-provider-youtube wp-block-embed-youtube wp-embed-aspect-4-3 wp-has-aspect-ratio\">\n<div class=\"wp-block-embed__wrapper\">\n<div class=\"youtube-embed\" data-video_id=\"j91H7shqsBE\"><iframe loading=\"lazy\" title=\"Parallels Desktop 0 day - do_repack_createinstallmedia root privilege escalation\" width=\"696\" height=\"522\" src=\"https:\/\/www.youtube.com\/embed\/j91H7shqsBE?feature=oembed&amp;enablejsapi=1\" frameborder=\"0\" allow=\"accelerometer; autoplay; clipboard-write; encrypted-media; gyroscope; picture-in-picture; web-share\" referrerpolicy=\"strict-origin-when-cross-origin\" allowfullscreen><\/iframe><\/div>\n<\/div>\n<\/figure>\n<h2 class=\"wp-block-heading\"><strong>Impact and Mitigation<\/strong><\/h2>\n<p>All Intel-based <a href=\"https:\/\/cybersecuritynews.com\/sysbumps\/\" target=\"_blank\" rel=\"noreferrer noopener\">macOS systems<\/a> running Parallels Desktop 16.0.0 through 20.2.1 are 
vulnerable.\u00a0<\/p>\n<p>Apple Silicon devices remain unaffected due to differences in virtualization frameworks. Successful exploitation enables:<\/p>\n<ul class=\"wp-block-list\">\n<li>Persistent root access via arbitrary file creation<\/li>\n<li>Bypass of macOS Transparency, Consent, and Control (TCC) protections<\/li>\n<li>Virtual machine escape in multi-user environments<\/li>\n<\/ul>\n<p>Mitigation requires immediate removal of SUID permissions from Parallels tools, network segmentation of Parallels <a href=\"https:\/\/cybersecuritynews.com\/windows-rd-gateway-vulnerability\/\" target=\"_blank\" rel=\"noreferrer noopener\">Desktop systems<\/a> and monitoring for unauthorized \/Library\/lpe file creation.<\/p>\n<p>This 0-day disclosure highlights critical failures in Parallels\u2019 vulnerability management processes and third-party coordination through ZDI. With working PoCs available, organizations must assume active exploitation is imminent.\u00a0<\/p>\n<p>Until Parallels <a href=\"https:\/\/jhftss.github.io\/Parallels-0-day\/\" target=\"_blank\" rel=\"noreferrer noopener nofollow\">releases<\/a> an official patch, system administrators should weigh the operational necessity of Parallels Desktop against potential security risks in enterprise environments.<\/p>\n<p>The post <a href=\"https:\/\/cybersecuritynews.com\/parallels-desktop-0-day-vulnerability\/\">Parallels Desktop 0-Day Vulnerability Gain Root Privileges \u2013 PoC Released<\/a> appeared first on <a 
href=\"https:\/\/cybersecuritynews.com\/\">Cyber Security News<\/a>.<\/p>\n<\/div>\n<p>Guru Baran<br \/>\n<a href=\"https:\/\/cybersecuritynews.com\/parallels-desktop-0-day-vulnerability\/\">Go to cyber-security-news<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Parallels Desktop 0-Day Vulnerability Gain Root Privileges \u2013 PoC Released A critical 0-day vulnerability in Parallels Desktop virtualization software has been publicly disclosed, enabling local attackers to escalate privileges to root-level access on macOS systems.\u00a0 All versions of Parallels Desktop, including the most recent 20.2.1 (55876), are vulnerable to the flaw identified as CVE-2024-34331, which [&hellip;]<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[129,63,131],"tags":[130],"class_list":["post-2174","post","type-post","status-publish","format-standard","hentry","category-cyber-security","category-cyber-security-news","category-vulnerability","tag-cyber-security-news"],"_links":{"self":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/posts\/2174"}],"collection":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/comments?post=2174"}],"version-history":[{"count":0,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/posts\/2174\/revisions"}],"wp:attachment":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/media?parent=2174"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/serisec.com\/ind
ex.php\/wp-json\/wp\/v2\/categories?post=2174"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/tags?post=2174"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}