Miniconda3 Local Privilege Escalation Vulnerability in macOS Installers

Vulnerability

A local privilege escalation vulnerability has been identified in Miniconda3 macOS installers prior to version 23.11.0-1. When one of these installers is run to a location outside the user's home directory, it creates world-writable files that are subsequently executed with root privileges. Because any low-privileged user on the machine can modify those files, the flaw allows arbitrary commands to be inserted into them and run as the root user.

Impact

Exploitation of this vulnerability allows for local privilege escalation, with injected commands executed as the root user.

Reproduction

The vulnerability can be reproduced by installing Miniconda3 version 23.10.0-1 or earlier on macOS to a location outside the user's home directory. During installation the package creates world-writable files that any low-privileged user can modify. Commands written into those files are later executed with elevated permissions, resulting in privilege escalation.

Remediation

Users can upgrade to Miniconda3 version 23.11.0-1 or later, which addresses the vulnerability by applying secure permissions to the post-link files, preventing unauthorized modifications and code injection.
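The condition behind this advisory is a file under the install prefix that is both world-writable and later run as root. The following audit script is an added example, not code from the advisory or from the conda project: it lists world-writable files under a given prefix, and optionally strips the write bits as a stop-gap until the upgrade is applied. The prefix layout and the post-link file names in the demo are constructed for illustration.

```shell
#!/bin/sh
# Added example (not conda's own code): audit a Miniconda3 install prefix for
# world-writable files, the condition the advisory describes. The demo prefix
# layout and file names below are constructed assumptions, not real conda paths.

# Print every regular file under $1 that is writable by "other" (mode bit 002),
# one path per line. Only POSIX find/sort are used, so this runs on macOS too.
find_world_writable() {
    prefix="$1"
    [ -d "$prefix" ] || return 2
    find "$prefix" -type f -perm -002 -print 2>/dev/null | sort
}

# Number of world-writable files under $1; "0" means the prefix passes.
count_world_writable() {
    find_world_writable "$1" | wc -l | tr -d ' '
}

# Stop-gap remediation: remove group/other write permission from every
# world-writable regular file under the prefix (upgrading is still required).
harden_prefix() {
    find "$1" -type f -perm -002 -exec chmod go-w {} +
}

# Build a constructed demo prefix with one correctly-permissioned post-link
# script and one world-writable post-link script; prints the prefix path.
make_demo_prefix() {
    demo=$(mktemp -d)
    mkdir -p "$demo/pkgs/example-1.0/info" "$demo/pkgs/other-2.0/info"
    printf '#!/bin/sh\necho ok\n' > "$demo/pkgs/example-1.0/info/post-link.sh"
    chmod 755 "$demo/pkgs/example-1.0/info/post-link.sh"   # safe mode
    printf '#!/bin/sh\necho ok\n' > "$demo/pkgs/other-2.0/info/post-link.sh"
    chmod 777 "$demo/pkgs/other-2.0/info/post-link.sh"   # the unsafe mode
    printf '%s\n' "$demo"
}
```

Run `find_world_writable /opt/miniconda3` (or wherever the installer was pointed) before the next elevated operation touches that prefix; any output is a finding.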

Added: Dec 17, 2025, 7:31 PM
Updated: Dec 17, 2025, 7:31 PM

Vulnerability Rating

Custom Algorithm
spread: 6.6
impact: 10.0
exploitability: 4.6
remediation: 7.7
relevance: 1.5
threat: 6.4
urgency: 2.9
incentive: 0.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.