Parallels

A critical zero-day vulnerability in the Parallels Desktop virtualization software was publicly disclosed after seven months of unresolved reporting; it allows attackers to escalate privileges on macOS systems to root.

The proof-of-concept (PoC) exploit code demonstrates two different methods that bypass the existing patches for CVE-2024-34331, a previously disclosed privilege escalation flaw.

Technical overview of the vulnerability

Bypassing the Parallels Desktop patch check

The patched CVE-2024-34331 vulnerability involved an inadequate signature check of the createinstallmedia tool, which is used when repackaging macOS installer applications.

Parallels' initial fix requires Apple-signed binaries for the privileged step. However, the newly disclosed bypasses exploit weaknesses in this verification logic:

1. TOCTOU (time-of-check to time-of-use) race condition
Attackers replace the verified createinstallmedia binary with a malicious payload during the short interval between signature validation and execution.

The following exploit script demonstrates this technique:

#!/bin/sh
# [...] payload creation
defaults write /tmp/poc.app/Contents/Info.plist CFBundleDisplayName createinstallmedia
open /tmp/poc.app -a /Applications/Parallels\ Desktop.app
# [...] directory monitoring loop replaces binary post-validation
mv /tmp/payload /tmp/poc.app/Contents/Resources/createinstallmedia

2. Weak signature requirement exploit
The signature check uses the overly permissive "anchor apple" requirement, so any Apple-signed binary (e.g. /bin/ls) passes the check.

Attackers inject malicious code through dynamic library (dylib) hijacking in legitimate Apple-signed binaries.

Evolution of the vulnerability chain

Post-patch bypass in version 19.4.1

Version 19.4.1 introduced a new do_repack_manual function that processes the installer via 7z compression:

do_repack_manual() {
    # [...] path manipulation vulnerability
    local result_vol_name="$(defaults read "$source_app"/Contents/Info CFBundleDisplayName)"
    temp_result_dir="$temp_dir"/"$result_vol_name"
    mkdir "$temp_result_dir"
    # [...] attacker-controlled path leads to arbitrary code execution
    cp -R "$source_app" "$temp_result_dir"
}

Attackers use a path-traversal value in CFBundleDisplayName to overwrite the 7z utility used by Parallels, as shown in the second exploit script:

defaults write /tmp/poc.app/Contents/Info.plist CFBundleDisplayName ../../../../../../tmp/lnk/result
# [...] symlink manipulation redirects root-owned directories
ln -s /tmp/redirect /tmp/lnk
ln -sfn /tmp/dst /tmp/lnk
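The defect in both scripts above is the same one: a value the installer bundle controls (CFBundleDisplayName) is spliced into a path, and the check of that path is separated from its use. The following is an added defensive example, not Parallels' code, showing a hardened counterpart to do_repack_manual: the volume name is accepted only as a single plain path component, and the destination directory is created atomically by the repack process itself (mkdir without -p refuses to proceed if anything, including a pre-planted symlink, already exists there). On macOS the name would be read with `defaults read "$source_app"/Contents/Info CFBundleDisplayName`; here it is passed as an argument so the logic can be exercised on any POSIX system.

```shell
#!/bin/sh
# Added defensive example; not Parallels' code. Hardened counterpart to
# do_repack_manual: validate the volume name, then create the destination
# atomically before copying anything into it. The name is passed in as an
# argument (on macOS it would come from `defaults read ... CFBundleDisplayName`).

# Accept only a plain file name: no "/", no "." or "..", no leading "." or "-",
# and a conservative character set (letters, digits, ". _ -" and space).
safe_component() {
    name=$1
    [ -n "$name" ] || return 1
    case "$name" in
        . | .. | */* | .* | -*) return 1 ;;
    esac
    rest=$(printf '%s' "$name" | tr -d 'A-Za-z0-9._ -')
    [ -z "$rest" ]
}

# Create "$2/$1" as a new, private directory. mkdir without -p fails when
# anything already exists at that path, including a dangling symlink, so the
# check and the creation are one atomic step instead of a check followed by a use.
create_fresh_dir() {
    name=$1
    base=$2
    safe_component "$name" || { echo "rejected volume name: $name" >&2; return 1; }
    base_real=$(cd -P "$base" 2>/dev/null && pwd -P) || return 1
    target="$base_real/$name"
    (umask 077 && mkdir -- "$target") || return 1
    # Confirm the directory we now own really resolves under the base directory.
    target_real=$(cd -P "$target" && pwd -P) || return 1
    case "$target_real" in
        "$base_real"/*) return 0 ;;
        *) rmdir -- "$target"; return 1 ;;
    esac
}

# Hardened repack step: the copy happens only after the destination was
# validated and created by this process.
hardened_repack() {
    source_app=$1
    temp_dir=$2
    result_vol_name=$3
    create_fresh_dir "$result_vol_name" "$temp_dir" || return 1
    cp -R -- "$source_app" "$temp_dir/$result_vol_name/"
}
```

Running `hardened_repack /path/to/src.app /path/to/work "Install macOS"` copies the bundle into a fresh directory, while a name such as `../../../../../../tmp/lnk/result` is rejected before any path is touched; a symlink planted at the destination name makes mkdir fail instead of redirecting the copy.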

Unresolved vendor response timeline

The researcher reported the bypass to the Zero Day Initiative (ZDI) on May 31, 2024, but received a delayed acknowledgement due to version-verification issues.

Although Parallels has released incremental updates, the core privilege escalation risk remains unaddressed, with the following critical consequences:

  • Full root access via trivial path manipulation
  • Silent code execution that bypasses macOS transparency mechanisms
  • Weaponization potential for supply-chain attacks on macOS virtualization users

Recommendations

Until Parallels issues an official patch, users should:

  1. Restrict Parallels Desktop privileges:
    Disable automatic execution via prl_disp_service using the macOS privacy controls under System Settings > Security > Automation.
  2. Audit ISO/DMG sources:
    Only process installers from verified Apple distribution channels.
  3. Monitor file-system activity:
    Deploy endpoint detection for unexpected writes to /Library/ or changes to Parallels' resource directory.
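As an added example for recommendation 3 (not part of the original article and not a Parallels tool), the script below runs a triage filter over file-system event records and flags the two patterns the exploit scripts above rely on: writes or creations under /Library/ or the Parallels resource directory by a process not expected to write there, and a rename that replaces createinstallmedia in place after validation. The record format (tab-separated timestamp, process, operation, path), the allowed-writer name and every sample line are constructed for this demo; the Parallels resource path is assumed from the app path in the exploit script, and a real feed (EDR export, fs_usage, an Endpoint Security client) needs its own field mapping.

```shell
#!/bin/sh
# Added example, not from the original article: triage filter for file-system
# event records. Record format (tab-separated: timestamp, process, operation,
# path) and all sample lines are constructed for this demo.

# Processes allowed to write under the protected paths (assumed name), and the
# Parallels resource directory (assumed from the app path used above).
ALLOWED_WRITERS='prl_disp_service'
PRL_RESOURCES='/Applications/Parallels Desktop.app/Contents/Resources/'

# Print one ALERT record per suspicious event in the feed file given as $1.
scan_fs_events() {
    awk -F '\t' -v allow="$ALLOWED_WRITERS" -v res="$PRL_RESOURCES" '
        BEGIN { n = split(allow, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        {
            ts = $1; proc = $2; op = $3; path = $4; why = ""
            protected = (path ~ /^\/Library\//) || (index(path, res) == 1)
            # Rule 1: creation or modification under a protected path by a
            # process that is not expected to write there.
            if ((op == "write" || op == "create") && protected && !(proc in ok))
                why = "write to protected path by unexpected process"
            # Rule 2: the repack helper binary swapped after validation, the
            # TOCTOU pattern described in the article.
            else if (op == "rename" && path ~ /\/createinstallmedia$/)
                why = "createinstallmedia replaced in place"
            if (why != "")
                print "ALERT\t" ts "\t" proc "\t" op "\t" path "\t" why
        }
    ' "$1"
}

# Write the constructed sample feed to the file given as $1.
sample_events() {
    printf '%s\t%s\t%s\t%s\n' \
        '2024-06-01T10:00:01Z' 'prl_disp_service' 'write' '/Applications/Parallels Desktop.app/Contents/Resources/repack.log' \
        '2024-06-01T10:00:02Z' 'sh' 'write' '/tmp/poc.app/Contents/Info.plist' \
        '2024-06-01T10:00:03Z' 'mv' 'rename' '/tmp/poc.app/Contents/Resources/createinstallmedia' \
        '2024-06-01T10:00:04Z' 'sh' 'write' '/Applications/Parallels Desktop.app/Contents/Resources/7z' \
        '2024-06-01T10:00:05Z' 'cp' 'create' '/Library/LaunchDaemons/com.example.evil.plist' \
        '2024-06-01T10:00:06Z' 'Finder' 'write' '/Users/alice/Documents/notes.txt' \
        > "$1"
}

# Number of alerts produced for a feed file.
count_alerts() {
    scan_fs_events "$1" | grep -c '^ALERT'
}

# Stand-alone demo: ./scan.sh --demo
if [ "${1:-}" = "--demo" ]; then
    f=$(mktemp)
    sample_events "$f"
    scan_fs_events "$f"
    rm -f "$f"
fi
```

On the constructed feed the filter raises three alerts (the createinstallmedia rename, the write into the Parallels resource directory by sh, and the new LaunchDaemon under /Library/) and stays silent for the allowed service's own log write and ordinary user-document activity. The allowlist is the tuning knob: add legitimate installers or update agents to ALLOWED_WRITERS rather than loosening the path rules.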

This disclosure underlines the persistent risks in privileged virtualization services and the critical need for robust signature-validation frameworks.

Users and organizations that rely on Parallels Desktop for macOS virtualization should treat this as an active threat until the vendor publishes comprehensive fixes.
