March 20th, 2024 – Alisa
In April 2021, I participated in the Pwn2Own Vancouver competition as an independent solo entrant and successfully demonstrated a zero-day virtual machine escape against the Parallels hypervisor.
This post documents the event, releases the exploit source code, and provides a full technical walkthrough video. But more importantly, it seals the historical record.
The vulnerability was located in the Shared Folders subsystem of the Parallels Desktop hypervisor, and the resulting exploit chain achieved full guest-to-host escape—executing code on the host from within the guest VM.
It is true that a hypervisor-level escape represents a hard challenge, regardless of the vendor; all of my expertise and skills had to converge to make it happen, even if the exploit demonstration appears effortless. As such, it is rightfully recognized as a strong accomplishment beyond gender/identity context.
The exploit was executed remotely by Pwn2Own contest staff under controlled conditions, while I oversaw the launch via remote video link.
Live demonstration record of Alisa's exploit at Pwn2Own 2021
Archived public acknowledgment by Zero Day Initiative (ZDI)
Confirmation by Dragos Ruiu, Pwn2Own founder
Exploit executed by Abdul Aziz Hariri, Pwn2Own operations lead
• The exploit was fully functional and achieved its intended impact of executing my shellcode on the host macOS system.
• It worked by breaking hypervisor isolation to pivot from inside of an up-to-date Parallels virtual machine to the Parallels hypervisor process on the host.
• The vulnerability which I used, while internally known to Parallels, was unpatched and undisclosed at the time of the contest.
• The contest organizers applied the label “partial win”—not due to technical failure, but because of a rule which penalized exploits if the vendor was privately aware of the security issue.
Note: “Partial” was a policy artifact. The exploit was complete, as the video shows.
The cybersecurity community responded with strong criticism of the rule in question. See article.
This event marked the first ever female participation in the 17-year history of Pwn2Own, and the first technically complete 0-day VM escape by a woman on record.
In the field where female technical presence remains a rarity and everybody is campaigning to "get more women into it", I came in and showed my work. Not to prove anything — but as a side effect of being myself. Not as an emerging trend — but as a presence in the void. That presence is now sealed into the timeline: visible, undeniable, and earned without compromise. And I am proud of establishing a clean historical precedent, as well as of my technical accomplishments that it stands upon.
I’m releasing the exploit source code here: Exploit source code
And the full technical walkthrough (recorded live on ZDE livestream) here: Technical walkthrough video
If you’re serious about hypervisors and want to go beyond this single bug, start with my pro training:
These are the most comprehensive, field-tested training programs available. Built from experience, as a system of the entire field — and structured around my signature methods.
The myth goes: "A talented person is talented at everything". To reflect it in my native language of topological invariants while dodging the impact vector away from casual ego-patting to constructive inspiration: if you can breach a sealed system of code, you probably could breach sealed systems of society. I wasn't trying to be the first female in the field; I reclaim control over systems as a nature of sovereign existence. I found out that it causes social breach as a side-effect, and triggers defensive dynamics in the old structure. If I wanted to do it on purpose, now I know what it takes.