all InfoSec news logo
all InfoSec news - Your InfoSec news aggregator
Log in Sign up
all InfoSec news

Bash Privileged-Mode Vulnerabilities in Parallels Desktop and CDPATH Handling in MacOS

Add to bookmarks
April 6, 2023, 4:08 p.m. | Reno Robert

Zero Day Initiative - Blog www.zerodayinitiative.com

In the last few years, we have seen multiple vulnerabilities in Parallels Desktop leading to virtual machine escapes. Interested readers can check our previous blog posts about vulnerabilities across interfaces such as RDPMC hypercalls, the Parallels ToolGate, and the VGA virtual device. This post explores another set of issues we received last year - local privilege escalations through setuid root binaries.


Parallels Desktop has a couple of setuid binaries: prl_update_helper and Parallels Service. Both binaries run with …

bash blog blog post blog posts check desktop device handling local machine macos mode parallels privilege privileged privileges root run scripts service setuid vga virtual virtual machine vulnerabilities

Visit resource

More from www.zerodayinitiative.com / Zero Day Initiative - Blog

CVE-2024-30043: Abusing URL Parsing Confusion to Exploit XXE on SharePoint Server and Cloud 2 days, 16 hours ago | www.zerodayinitiative.com
abusing blog blog post bug +23
MindShaRE: Decapping Chips for Electromagnetic Fault Injection (EMFI) 1 week, 2 days ago | www.zerodayinitiative.com
attack automotive blog blog post +12
The May 2024 Security Update Review 2 weeks, 4 days ago | www.zerodayinitiative.com
adobe blog post can check +16
CVE-2024-21115: An Oracle VirtualBox LPE Used to Win Pwn2Own 3 weeks, 2 days ago | www.zerodayinitiative.com
april blog blog post bug +18
CVE-2024-2887: A Pwn2Own Winning Bug in Google Chrome 4 weeks, 2 days ago | www.zerodayinitiative.com
blog blog post browsers bug +20
CVE-2024-20697: Windows Libarchive Remote Code Execution Vulnerability 1 month, 2 weeks ago | www.zerodayinitiative.com
amp blog post bug code +25
The April 2024 Security Updates Review 1 month, 3 weeks ago | www.zerodayinitiative.com
adobe april blog post can +12
Pwn2Own Vancouver 2024 - Day Two Results 2 months, 1 week ago | www.zerodayinitiative.com
blog post chrome edge event +10
Pwn2Own Vancouver 2024 - Day One Results 2 months, 1 week ago | www.zerodayinitiative.com
blog blog post browser day one +11

Jobs in InfoSec / Cybersecurity

Post a Job Search Talent

CyberSOC Technical Lead

@ Integrity360 | Sandyford, Dublin, Ireland
View on infosec-jobs.com

Cyber Security Strategy Consultant

@ Capco | New York City
View on infosec-jobs.com

Cyber Security Senior Consultant

@ Capco | Chicago, IL
View on infosec-jobs.com

Sr. Product Manager

@ MixMode | Remote, US
View on infosec-jobs.com

Security Compliance Strategist

@ Grab | Petaling Jaya, Malaysia
View on infosec-jobs.com

Cloud Security Architect, Lead

@ Booz Allen Hamilton | USA, VA, McLean (1500 Tysons McLean Dr)
View on infosec-jobs.com