Release: VM Escape Exploit for Parallels Desktop Hypervisor (Pwn2Own 2021)

March 20th, 2024 – Alisa Esage

In April 2021 I participated in the Pwn2Own Vancouver competition as a single player, and successfully demonstrated a 0-day virtual machine escape exploit with code execution on the Parallels hypervisor. Today I am finally releasing the exploit source code together with a technical walkthrough video talk that I gave on the Zero Day Engineering livestream in November 2021.

Pwn, pwn!

Pwn2Own rocks!

Dragos Ruiu, Founder Pwn2Own

Abdul Aziz Hariri, Pwn2Own staff (formerly)

Fun fact: the exploit code has been privately shared with attendees of my Zero Day Vulnerability Research training since June 2022, and a few of them gently pointed out to me (seemingly in disbelief) that the code was not published on my GitHub. :) This hints at the state of security trainings today: apparently, sharing novel research-grade information - which is the quality standard that I set for my own vulnerability research trainings from day 1 - as opposed to selling repackaged publicly available content, is uncommon.

One of many raving reviews for my Zero Day VR training - thanks Kapil!

The specific Parallels hypervisor subsystem in which I found the vulnerability has since been publicly documented in community blogs, so I don't feel that it needs yet another technical writeup. Instead, I invite you to look at the code, and watch the technical walkthrough video, which covers the bug and the exploit through all the relevant aspects of my workflow, from attack surface modeling and reverse engineering, to vulnerability discovery and exploit development. And if you like hypervisors, I strongly recommend my Hypervisor Vulnerability Research course as the next step in your research journey. It is the most comprehensive and systematic source of knowledge on hypervisor system internals and vulnerabilities today.

Exploit source code | Technical walkthrough video | Slides
