Parallels Desktop for Mac Privilege Escalation Vulnerability via Snapshot Symlink Ownership Manipulation

A privilege escalation vulnerability has been identified in Parallels Desktop for Mac, specifically in version 20.1.1 (build 55740). The issue arises in the Snapshot feature, where a root service, `prl_disp_service`, manages the deletion of snapshot files. When a snapshot is removed, the service verifies and adjusts the ownership of the associated files. An attacker can exploit this process by creating a symlink that redirects to a root-owned directory, thereby manipulating the ownership of files to a lower-privilege user. This unauthorized ownership change could be leveraged for privilege escalation.

Impact

Exploitation of this vulnerability allows a lower-privilege user to gain ownership of files or directories originally owned by root. This unauthorized access can be used to modify or delete critical files, potentially influencing root services and leading to elevated privileges.

Reproduction

To reproduce this vulnerability, first take a snapshot of a virtual machine, which will create a `Snapshots` directory with several files. Next, delete or move the `Snapshots` directory and replace it with a symlink to a root-owned directory, such as the `MacOS` directory within the Parallels VM application package. After creating the symlink, open the Parallels Desktop Control Center, manage the snapshots for the virtual machine, and delete the snapshot. Although the deletion will fail, the `prl_disp_service` will follow the symlink and change the ownership of the files in the linked directory to the lower-privilege user.

Remediation

Users can update to the latest version of Parallels Desktop for Mac, where this vulnerability has been addressed.