Laravel Valet Local Privilege Escalation Vulnerability
Vulnerability
A local privilege escalation vulnerability has been identified in Laravel Valet versions from 1.1.4 up to, but not including, 2.0.3. A local user can modify the 'valet' command so that it executes arbitrary code with root privileges, without being asked to authenticate. The issue arises because the 'valet' command is symlinked to a user-writable location, and the sudoers configuration for Valet allows commands to be executed as root without a password.
Impact
Exploitation of this vulnerability allows for unauthorized modification of the 'valet' command, enabling the execution of arbitrary code with root privileges on the system.
Reproduction
The vulnerability can be reproduced by first ensuring that Laravel Valet is installed and running on macOS. After confirming the installation, the 'valet' command can be found in the user's local bin directory. Once the command is located, it can be verified that the current version is within the vulnerable range. If the command is writable, a proof-of-concept can be created by inserting a command to spawn a root shell. After executing the modified 'valet' command with sudo, the shell will be elevated to root.
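A defensive check for the root cause described above, added here as an example and not taken from the Valet project: it lists the commands a sudoers snippet allows with NOPASSWD and reports every link directory or target file that a user outside the trusted set could replace. The sudoers text and paths are constructed placeholders, and `nopasswd_commands` and `tamper_findings` are hypothetical helper names.

```python
import os
import re
import stat

# Constructed sample; the alias, group and path are placeholders, not Valet's real sudoers file.
SAMPLE_SUDOERS = """\
Cmnd_Alias VALET = /opt/example/bin/valet *
%admin ALL=(root) NOPASSWD:SETENV: VALET
"""

def nopasswd_commands(sudoers_text):
    """Return the command paths a sudoers snippet permits without a password."""
    aliases, cmds = {}, []
    for line in sudoers_text.splitlines():
        line = line.split("#", 1)[0].strip()
        alias = re.match(r"Cmnd_Alias\s+(\w+)\s*=\s*(.+)", line)
        if alias:
            aliases[alias.group(1)] = [c.split()[0] for c in alias.group(2).split(",") if c.strip()]
        elif "NOPASSWD:" in line:
            for item in line.split("NOPASSWD:", 1)[1].split(","):
                words = item.split(":")[-1].split()  # drop tags such as SETENV:
                if words:
                    cmds += aliases.get(words[0], [words[0]] if words[0].startswith("/") else [])
    return cmds

def tamper_findings(cmd, trusted_uids=(0,)):
    """(path, reason) pairs for cmd's symlink chain; higher ancestor directories are not walked."""
    findings, seen, path = [], set(), os.path.abspath(cmd)
    while path not in seen:
        seen.add(path)
        is_link = os.path.islink(path)
        # A symlink's own mode is meaningless: write access to its directory replaces it.
        for p in [os.path.dirname(path)] + ([] if is_link else [path]):
            try:
                st = os.stat(p)
            except OSError:
                findings.append((p, "missing"))
                continue
            if st.st_uid not in trusted_uids:
                findings.append((p, f"owned by uid {st.st_uid}"))
            if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
                findings.append((p, "group/other writable"))
        if not is_link:
            break
        path = os.path.normpath(os.path.join(os.path.dirname(path), os.readlink(path)))
    return findings

if __name__ == "__main__":
    for command in nopasswd_commands(SAMPLE_SUDOERS):
        print(command, tamper_findings(command) or "ok")
```

Any finding for a command that sudo runs as root without a password means the file, or a link leading to it, should be owned by root and not writable by anyone else.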
