ws.stash.app.mac.daemon.helper Privilege Escalation Vulnerability Allowing Unauthorized Changes to Network Preferences

A vulnerability in the ws.stash.app.mac.daemon.helper tool has been identified, stemming from a misapplication of macOS's authorization model. The helper improperly validates the client's authorization reference, instead using its own privileged context (root) to authorize itself. This flaw allows unprivileged clients to perform privileged operations via XPC, such as making unauthorized changes to system-wide network preferences, including SOCKS, HTTP, and HTTPS proxy settings. Additionally, the lack of proper code-signing checks enables arbitrary processes to exploit this vulnerability, potentially leading to man-in-the-middle attacks by redirecting traffic.

Impact

Exploitation of this vulnerability could allow unprivileged clients to invoke privileged operations, unauthorized changes to system-wide network preferences, and facilitate man-in-the-middle attacks through traffic redirection.