Parallels Desktop for Mac Directory Traversal Vulnerability in PVMP Package Unpacking

Vulnerability

A directory traversal vulnerability has been identified in Parallels Desktop for Mac version 20.2.2 (55879). It arises in the PVMP package unpacking process: file paths taken from the package are used without being confined to the destination directory, so an attacker who supplies a crafted package can write to arbitrary locations on the filesystem. Because the unpacking is performed by `prl_disp_service`, which runs as root, the write happens with root privileges and can be used for privilege escalation.

Impact

A low-privilege local user who can get a crafted package unpacked by Parallels Desktop can overwrite arbitrary files as root and thereby escalate to root.

Reproduction

The vulnerability can be reproduced with the `prl_packer_inplace` executable: use it to create a `.pvmp` package whose entry paths contain directory traversal sequences (for example `../`). When the package is transferred to the target and unpacked with Parallels Desktop, the root-level `prl_disp_service` resolves those paths without rejecting the traversal, so the entries land outside the intended destination directory. Overwriting a file such as a launch daemon with attacker-controlled content turns this arbitrary write into code execution as root.
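The following is an added example, not Parallels' code and not derived from the PVMP format; it assumes only that the unpacker behaves like a generic archive extractor that joins each package-supplied entry path onto a destination directory. It contrasts the naive join that produces the arbitrary write described above with a hardened resolver that rejects absolute paths, `..` traversal, and symlink escapes. The sample entry names are constructed for illustration.

```python
import os
import posixpath


class UnsafeMemberPath(ValueError):
    """Raised when an archive entry would resolve outside the destination."""


def naive_target(dest_dir: str, member: str) -> str:
    """Vulnerable pattern: trust the package-supplied path verbatim.

    os.path.join() discards dest_dir entirely when member is absolute, and
    '..' components are never checked, so a crafted entry such as
    '../../Library/LaunchDaemons/x.plist' escapes dest_dir. When the caller
    runs as root, this is an arbitrary file write as root.
    """
    return os.path.join(dest_dir, member)


def safe_target(dest_dir: str, member: str) -> str:
    """Hardened pattern: confine every entry to dest_dir or refuse it."""
    # Reject empty names, absolute paths and NUL bytes before any normalization.
    if not member or member.startswith(("/", "\\")) or "\x00" in member:
        raise UnsafeMemberPath(f"absolute or malformed member path: {member!r}")

    # Archive paths are POSIX-style; collapse '.' and '..' lexically first so
    # that 'disks/../disk0.hdd' is accepted but '../etc/x' is not.
    normalized = posixpath.normpath(member.replace("\\", "/"))
    if normalized == ".." or normalized.startswith("../"):
        raise UnsafeMemberPath(f"traversal in member path: {member!r}")

    # Second layer: resolve symlinks on disk. A symlink already extracted into
    # dest_dir that points outside it would otherwise let a later entry escape.
    base = os.path.realpath(dest_dir)
    candidate = os.path.realpath(os.path.join(base, normalized))

    # Compare with a trailing separator so '/tmp/vm' does not admit '/tmp/vm2'.
    if candidate != base and not candidate.startswith(base + os.sep):
        raise UnsafeMemberPath(f"member resolves outside destination: {member!r}")
    return candidate


def check_entries(dest_dir: str, entries: list[str]) -> dict[str, bool]:
    """Map each entry to True if the hardened resolver accepts it, else False."""
    result = {}
    for member in entries:
        try:
            safe_target(dest_dir, member)
            result[member] = True
        except UnsafeMemberPath:
            result[member] = False
    return result


# Constructed sample manifest (hypothetical names, not a real .pvmp listing):
# two benign entries and two that a traversal-based package would carry.
SAMPLE_ENTRIES = [
    "config.pvs",
    "disks/../disk0.hdd",
    "../../Library/LaunchDaemons/com.example.evil.plist",
    "/etc/periodic/daily/evil",
]


if __name__ == "__main__":
    dest = "/tmp/pvm-demo"  # assumed destination directory for the demo
    for entry in SAMPLE_ENTRIES:
        print(f"naive : {naive_target(dest, entry)}")
    for entry, ok in check_entries(dest, SAMPLE_ENTRIES).items():
        print(f"safe  : {'accept' if ok else 'REJECT'} {entry}")
```

The lexical check alone is not enough: if an earlier entry created a symlink inside the destination, a later entry that passes `normpath` can still escape through it, which is why the resolver also compares the `realpath` of the candidate against the destination. An extractor that runs as root should apply both checks to every entry before writing anything.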

Remediation

Users are advised to update to the patched version of Parallels Desktop for Mac, which is available through the Parallels Desktop application or the Parallels website.

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm

spread          6.6
impact         10.0
exploitability  4.6
remediation     0.0
relevance       0.0
threat          6.4
urgency         2.9
incentive       0.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.