Two different exploits for an unpatched Parallels Desktop privilege elevation vulnerability have been publicly disclosed, allowing users to gain root access on impacted Mac devices.

Parallels Desktop is a virtualization software that allows Mac users to run Windows, Linux, and other operating systems alongside macOS.

Security researcher Mickey Jin published the exploits last week, demonstrating a bypass of the vendor's fixes for CVE-2024-34331, a privilege elevation flaw fixed in September. That flaw, first discovered in May 2024 by Mykola Grymalyuk, stemmed from a lack of code signature verification in Parallels Desktop for Mac.

Parallels' original patch attempted to prevent untrusted code execution by verifying whether the 'createinstallmedia' tool is Apple-signed before granting it root privileges. Jin describes two ways to bypass that patch.

The first is to perform a time-of-check to time-of-use (TOCTOU) attack to exploit a race condition between checking if 'createinstallmedia' is Apple-signed and executing it with root privileges. An attacker drops a fake macOS installer, waits for Parallels to verify the Apple-signed 'createinstallmedia' binary, and then quickly replaces it with a malicious script before execution, gaining root privileges.

Parallels modified the repacking process in version 19.4.1, switching from 'do_repack_createinstallmedia' to 'do_repack_manual,' breaking the exploit. However, this change introduced a new vulnerability that allows an attacker to overwrite arbitrary root-owned files, making the second exploit possible.

The second exploit is an attack via the 'do_repack_manual' function, which is vulnerable to arbitrary root-owned file overwrites. By manipulating the 'do_repack_manual' function, an attacker redirects a privileged folder using symlinks, tricks Parallels into writing attacker-controlled files to a root-owned path, and replaces 'p7z_tool,' which gets executed as root.

The researcher warns that his first exploit, involving the TOCTOU attack, works on the latest version of Parallels, 20.2.1 (55876), and all versions from 19.4.0 and older. In conclusion, all known versions of Parallels Desktop, including the latest, are vulnerable to at least one exploit.

"Given that the vendor has left this vulnerability unaddressed for over seven months—despite prior disclosure—I have chosen to publicly disclose this 0-day exploit," explains Jin in a technical writeup.

The researcher says the vendor promised to look into his report, but despite three subsequent requests for an update (the last one was on February 19, 2025), Parallels didn't respond.

Bill Toulas is a tech writer and infosec news reporter with over a decade of experience working on various online publications, covering open-source, Linux, malware, data breach incidents, and hacks.
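As an added example (not Parallels' code and not from Jin's write-up), the Python below shows the two defensive patterns that close the bug classes described above: verifying a private copy of the helper instead of the attacker-writable original, so a swap after the check has no effect, and writing into the repack directory without following symlinks, so a planted link cannot redirect the write to a root-owned path. Code-signature checking is stood in for by a SHA-256 allow-list; the function names, the sample helper and the `p7z_tool` scenario used in testing are assumptions.

```python
import hashlib
import os
import tempfile

# Constructed stand-in for "is Apple-signed": the digest of the one helper the
# privileged component may run (a real fix verifies the code signature instead).
GENUINE_HELPER = b"#!/bin/sh\necho genuine-installer\n"
TRUSTED_DIGESTS = {hashlib.sha256(GENUINE_HELPER).hexdigest()}


def stage_verified_copy(src_path, staging_root):
    """Closes the check/use race: read the helper once, verify those exact bytes,
    and write them into a directory only this process can write. The caller runs
    the staged copy, so replacing src_path after the check changes nothing."""
    fd = os.open(src_path, os.O_RDONLY | os.O_NOFOLLOW)  # a symlinked source is refused
    with os.fdopen(fd, "rb") as src:
        data = src.read()
    if hashlib.sha256(data).hexdigest() not in TRUSTED_DIGESTS:
        raise PermissionError("helper is not trusted; refusing to stage it")
    private_dir = tempfile.mkdtemp(dir=staging_root)  # mode 0o700, owned by us
    staged = os.path.join(private_dir, "helper")
    with open(staged, "wb") as dst:
        dst.write(data)
    os.chmod(staged, 0o500)
    return staged


def write_into_dir_nofollow(dir_path, name, data):
    """Closes the symlink redirect: anchor on the directory, refuse to follow a
    link at either level, and never reuse an existing entry, so a planted link
    cannot turn this write into one on a root-owned path."""
    dfd = os.open(dir_path, os.O_RDONLY | os.O_DIRECTORY | os.O_NOFOLLOW)
    try:
        flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL | os.O_NOFOLLOW
        with os.fdopen(os.open(name, flags, 0o600, dir_fd=dfd), "wb") as dst:
            dst.write(data)
    finally:
        os.close(dfd)
    return os.path.join(dir_path, name)
```

In the real fix the staging directory must itself be root-owned and not traversable by the unprivileged user, otherwise the private copy is no safer than the original.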
This Cyber News was published on www.bleepingcomputer.com. Publication date: Mon, 24 Feb 2025 15:50:20 +0000