Security researcher Mickey Jin discloses 0-day root privilege escalation in Parallels Desktop

24 February 2025 2 minutes Author: Newsman

The vulnerability bypasses the earlier patch for CVE-2024-34331, and because Parallels has shipped no fix in more than seven months since the report, the researcher has published a proof of concept (PoC).

The flaw lives in repack_osx_install_app.sh, a script Parallels runs with root privileges to repackage macOS installers. Before executing the installer's createinstallmedia binary as root, the script checks that it carries a valid Apple code signature; Jin found two ways around that check, each ending in code execution as root. He published two exploits:

1. A time-of-check/time-of-use (TOCTOU) race: the script verifies createinstallmedia in its original, user-writable location and then executes it from that same path, so an attacker who swaps the binary between the check and the execution gets arbitrary commands run as root.

2. Abuse of the do_repack_manual code path in Parallels 19.4.1 to remap the macOS installer path to attacker-controlled content, which again yields code execution as root.
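The first vector is the classic check-then-execute race in a privileged shell script. The following is an added example, not Parallels' script or Jin's exploit code: it puts a vulnerable verify-then-run routine beside the copy-then-verify-then-run pattern that closes the window. Because codesign only exists on macOS, the signature check is a stand-in (a sha256 compare against a digest recorded at setup, an assumption of the demo), the installer layout, file names and payloads are constructed fixtures, and the attacker's swap is called inline at the race window so the result is deterministic; a real exploit performs the swap concurrently, retrying until it lands between the check and the exec.

```shell
#!/bin/sh
# Added example (not Parallels' or Jin's code): TOCTOU in a privileged
# verify-then-execute script, and the copy-first fix. Constructed fixtures only.
set -e

sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then sha256sum "$1" | cut -d' ' -f1
  else shasum -a 256 "$1" | cut -d' ' -f1; fi
}

# Stand-in for the Apple code-signature check (assumption: the trusted
# payload is identified by a digest recorded in setup_demo).
verify_sig() { [ "$(sha256_of "$1")" = "$KNOWN_GOOD_SHA" ]; }

# Constructed fixtures: a user-writable "installer" tree holding a trusted
# createinstallmedia stand-in, plus the payload the attacker will swap in.
setup_demo() {
  WORK=$(mktemp -d)
  TARGET="$WORK/Contents/Resources/createinstallmedia"
  mkdir -p "$(dirname "$TARGET")"
  printf 'echo trusted\n' > "$TARGET"
  printf 'echo pwned\n'   > "$WORK/evil"
  KNOWN_GOOD_SHA=$(sha256_of "$TARGET")
}

# Simulated attacker. In a real attack this runs in another process, looping
# until the replacement lands inside the window.
attacker_swap() { cp "$WORK/evil" "$TARGET"; }
reset_target()  { printf 'echo trusted\n' > "$TARGET"; }

# Vulnerable: verify the file where the unprivileged user left it, then
# execute that same path. Everything between the two lines is the race window.
run_vulnerable() {
  verify_sig "$TARGET" || return 1
  attacker_swap            # window: the verified file is replaced
  sh "$TARGET"             # executes the attacker's payload as "root"
}

# Hardened: copy into a directory only this process can write, verify the
# copy, execute the copy. A later swap of the original no longer matters.
run_hardened() {
  priv=$(mktemp -d)
  chmod 700 "$priv"
  cp "$TARGET" "$priv/createinstallmedia"
  if ! verify_sig "$priv/createinstallmedia"; then
    rm -rf "$priv"
    return 1               # tampered before the copy: refuse to run
  fi
  attacker_swap            # same window, but the private copy is what runs
  sh "$priv/createinstallmedia"
  rm -rf "$priv"
}

# Stand-alone run: prints "pwned" for the vulnerable path, "trusted" for the fix.
setup_demo
run_vulnerable
reset_target
run_hardened
```

The fix is about where the checked bytes live, not about how strong the check is: a stronger signature check on a path the attacker can still rewrite is just as racy. The same principle, never trust a file or path that an unprivileged user controls at the moment root acts on it, is what the second vector (an attacker-chosen installer path in do_repack_manual) also violates.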

Mickey Jin reported the issue on May 31, 2024 through the Zero Day Initiative (ZDI), but ZDI's team could not reproduce the exploit on the then-current version. A follow-up report sent directly to Parallels on July 22, 2024 produced no result either: the developers ignored the requests.

Frustrated by the lack of response, Jin stated:

> “Since Parallels is playing dumb, I am forced to publish a 0-day exploit.”

Parallels' failure to address the issue poses a critical risk to macOS users. Security researchers are calling for an immediate patch: the PoC is public, and the threat is real.
