Parallels Desktop for Mac Privilege Escalation Vulnerability via Hard Link Exploitation

A privilege escalation vulnerability has been identified in Parallels Desktop for Mac, specifically in version 20.1.1 (55740). The issue arises in the virtual machine archive restoration process, where the 'prl_vmarchiver' tool decompresses archived files and writes them back to their original locations using root privileges. This behavior can be exploited by an attacker who creates a hard link to a file owned by root, effectively redirecting the restoration process to overwrite that file with malicious content. Such an exploitation could lead to unauthorized privilege escalation.

Impact

Exploitation of this vulnerability allows a low-privilege user to overwrite arbitrary files and escalate privileges to that of the root user.

Reproduction

To reproduce this vulnerability, first choose a virtual machine and navigate to its directory. Create a hard link to a root-owned file, ensuring it has a '.hds', '.mem', or '.dmp' extension. Then, archive the virtual machine using the 'prlctl' command. After archiving, replace the archived VM files with ones containing an attacker's payload, such as a launch daemon plist file that executes a command when loaded. Finally, unarchive the VM, which will trigger the 'prl_vmarchiver' to run with root privileges, overwriting the hard link with the payload. Once the system is restarted, the payload will be executed, demonstrating the privilege escalation.

Remediation

Users can update to the latest version of Parallels Desktop for Mac, where this vulnerability has been addressed.