March 20th, 2024 – Alisa Esage
In April 2021 I participated in the Pwn2Own Vancouver competition as an independent solo player, and successfully demonstrated a 0-day virtual machine escape exploit with code execution on the Parallels hypervisor. Today I am finally releasing the exploit source code together with a technical walkthrough video talk that I gave on the Zero Day Engineering livestream in November 2021.
Pwn, pwn!
Organizer's reactions (embedded posts):
Dragos Ruiu, Founder of Pwn2Own
Abdul Aziz Hariri, Pwn2Own staff at that time
The specific Parallels hypervisor subsystem in which I found the vulnerability has since been publicly documented in community blogs, so I don't feel that it needs yet another technical writeup. Instead, I invite you to look at the code and watch the technical walkthrough video, which covers the bug and the exploit through all the relevant aspects of my workflow, from attack surface modeling and reverse engineering to vulnerability discovery and exploit development. And if you like hypervisors, I strongly recommend my Hypervisor Vulnerability Research course as the next step in your research journey, as well as the follow-up course Advanced Hypervisor Exploit Development. My training courses are the best systematic source of knowledge on specialized system internals and vulnerability exploitation ever, and they will save you many months of reverse engineering and sifting through blogs while learning to pwn.

It should be noted that my exploit entry was formally named a "partial win" only because the security bug that I exploited was said to be internally known to the Parallels staff. However, the bug remained unpatched in the Parallels hypervisor and wasn't publicly disclosed on the day of the contest. My exploit thus demonstrated a fully successful 0-day virtual machine escape, as the video record shows. As such, the "partial win" naming does not represent any technical issue with the attack; rather, it is due to an old policy quirk in the contest rules. This quirk is generally not considered fair by the cybersecurity community, which expressed massive disapproval of the rule that allowed the organizers to label my win as "partial". I hope that the organizers will consider updating the rules in the future to reflect the current state of the industry, where private bugs are the norm and exploit quality is the only thing that matters.
As the first female participant in the 17-year history (as of 2024) of the Pwn2Own competition, I am proud to break this historical record and establish a blueprint for more women to follow. Gender diversity remains largely a theoretical concept in the upper tiers of the cybersecurity industry, and while more women occupy management roles these days, the top technical tiers of the industry are still overwhelmingly male-dominated. Despite rumors in the press, I did receive my cash prize for the exploit, and I am grateful to the organizers for the opportunity to participate in the competition, and to the cybersecurity community for their support. With that being said, on to the technical part, and happy hacking!

Exploit source code
Technical walkthrough video
Slides

Updated (23-08-2024): Added remarks about the "partial win" and gender diversity.