A critical zero-day vulnerability in Parallels Desktop virtualization software has been publicly disclosed after seven months of unresolved reporting, enabling attackers to escalate privileges to the root level on macOS systems.
The proof-of-concept (PoC) exploit code demonstrates two distinct bypass methods that circumvent existing patches for CVE-2024-34331, a previously addressed privilege escalation flaw.
Bypassing Parallels Desktop Patch Verification
The patched CVE-2024-34331 vulnerability involved improper signature verification of the createinstallmedia tool used during macOS installer repackaging.
Parallels’ initial fix required Apple-signed binaries for privilege escalation. However, the newly disclosed bypasses exploit weaknesses in this verification logic:
1. TOCTOU (Time-of-Check to Time-of-Use) Race Condition
Attackers replace the verified createinstallmedia binary with a malicious payload during the brief interval between signature validation and execution.
The exploit script below demonstrates this technique:
#!/bin/sh
# [...] payload creation
defaults write /tmp/poc.app/Contents/Info.plist CFBundleDisplayName createinstallmedia
open /tmp/poc.app -a /Applications/Parallels\ Desktop.app
# [...] directory monitoring loop replaces binary post-validation
mv /tmp/payload /tmp/poc.app/Contents/Resources/createinstallmedia
2. Weak Signature Requirement Exploit
The signature check uses the overly permissive "anchor apple" code-signing requirement, which any Apple-signed binary (e.g., /bin/ls) satisfies, so the check does not pin the expected createinstallmedia tool.
Attackers inject malicious code via dynamic library (DYLIB) hijacking into legitimate Apple binaries.
Post-Patch Bypass in Version 19.4.1
Parallels introduced a new do_repack_manual function in version 19.4.1 to handle installer repackaging via 7z compression:
do_repack_manual() {
    # [...] path manipulation vulnerability
    local result_vol_name="$(defaults read "$source_app"/Contents/Info CFBundleDisplayName)"
    temp_result_dir="$temp_dir"/"$result_vol_name"
    mkdir "$temp_result_dir"
    # [...] attacker-controlled path leads to arbitrary code execution
    cp -R "$source_app" "$temp_result_dir"
}
Attackers exploit path traversal in the CFBundleDisplayName value to overwrite the 7z binary used by Parallels, as shown in the second exploit script:
defaults write /tmp/poc.app/Contents/Info.plist CFBundleDisplayName ../../../../../../tmp/lnk/result
# [...] symlink manipulation redirects root-owned directories
ln -s /tmp/redirect /tmp/lnk
ln -sfn /tmp/dst /tmp/lnk
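As an added, defender-side example (not Parallels' code), the directory handling of the repack step above rewritten so that the CFBundleDisplayName value is treated as a single untrusted path component rather than as a path: the validator rejects separators and dot names, and the destination is created only if nothing (in particular no planted symlink) already exists there. Function names and the 128-byte length bound are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not the vendor's code: hardened handling of the volume name
# that the vulnerable do_repack_manual() used directly as a path component.

# validate_vol_name NAME
# Returns 0 if NAME is safe to use as exactly one directory component.
validate_vol_name() {
    name=$1
    # empty, "." and ".." can never be a valid result volume name
    [ -n "$name" ] && [ "$name" != "." ] && [ "$name" != ".." ] || return 1
    # any path separator is rejected: this is what defeats
    # "../../../../../../tmp/lnk/result" style values
    case $name in */*) return 1 ;; esac
    # a leading dash is rejected so the name can never be parsed as an option
    case $name in -*) return 1 ;; esac
    # length guard (assumed bound, well under the 255-byte filesystem limit)
    [ ${#name} -le 128 ] || return 1
    return 0
}

# safe_result_dir TEMP_DIR NAME
# Creates TEMP_DIR/NAME only when NAME validates, TEMP_DIR is a real directory,
# and the destination did not exist before (mkdir without -p fails on an
# existing path, including a symlink). Prints the created path on success.
safe_result_dir() {
    temp_dir=$1
    name=$2
    validate_vol_name "$name" || return 1
    # the parent must be a real directory, not a symlink pointing elsewhere
    [ -d "$temp_dir" ] && [ ! -L "$temp_dir" ] || return 1
    dest="$temp_dir/$name"
    mkdir "$dest" 2>/dev/null || return 1
    # belt and braces: confirm what we created is a plain directory
    [ ! -L "$dest" ] && [ -d "$dest" ] || return 1
    printf '%s\n' "$dest"
}

# Demo: the name used by the disclosed PoC is rejected, a plain name accepted.
for n in createinstallmedia '../../../../../../tmp/lnk/result'; do
    if validate_vol_name "$n"; then echo "accept: $n"; else echo "reject: $n"; fi
done
```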
Unresolved Vendor Response Timeline
The researcher reported the bypass to Zero Day Initiative (ZDI) on May 31, 2024, but received delayed confirmation due to version discrepancy issues.
Despite Parallels releasing incremental updates, the core privilege escalation risk remains unaddressed, with the following critical impacts:
Until Parallels issues an official patch, users should:
This disclosure underscores the persistent risks in privileged virtualization services and the critical need for robust signature validation frameworks.
Users and enterprises relying on Parallels Desktop for macOS virtualization should treat this as an active threat until vendors release comprehensive fixes.