Exelban Stats Command Injection Vulnerability in XPC Service
Vulnerability
A critical command injection vulnerability has been identified in Exelban Stats versions prior to 2.11.22. The issue resides in the XPC service, specifically within the 'shouldAcceptNewConnection' function, which does not validate the connecting client, allowing unauthorized clients to connect and execute arbitrary commands with root privileges. This vulnerability could lead to unauthorized access and manipulation of system functions.
Impact
Exploitation of this vulnerability allows for local privilege escalation, enabling unauthorized users to execute commands as the root user, potentially leading to full system control.
Reproduction
The vulnerability can be reproduced by creating a custom XPC client that connects to the vulnerable XPC service 'eu.exelban.Stats.SMC.Helper'. Once connected, the client can invoke the 'powermetrics' method, injecting command payloads that are executed with root privileges. This exploitation chain can be automated with a proof-of-concept that demonstrates the injection of a reverse shell command, resulting in a root shell on the system.
Remediation
Users are advised to upgrade to Exelban Stats version 2.11.22 or later.
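As an added illustration of the missing check (example code, not Stats' own), a hardened 'shouldAcceptNewConnection' that pins the connecting client to a code-signing requirement before the connection is resumed, paired with a 'powermetrics' handler that passes no caller-supplied strings to a shell. The protocol name, the requirement string, the TEAM_ID_PLACEHOLDER value and the powermetrics arguments are assumptions, not details from the advisory.

```swift
import Foundation

// Hypothetical XPC protocol; the real helper's interface is not on the page.
@objc protocol HelperProtocol {
    func powermetrics(reply: @escaping (String) -> Void)
}

final class HelperListener: NSObject, NSXPCListenerDelegate {
    // Assumed designated requirement of the legitimate client.
    // TEAM_ID_PLACEHOLDER stands in for the developer's Apple Team ID.
    private let clientRequirement =
        "anchor apple generic and identifier \"eu.exelban.Stats\" " +
        "and certificate leaf[subject.OU] = \"TEAM_ID_PLACEHOLDER\""

    func listener(_ listener: NSXPCListener,
                  shouldAcceptNewConnection newConnection: NSXPCConnection) -> Bool {
        // Pin the peer to a code-signing requirement before resume();
        // XPC invalidates the connection if the client does not satisfy it.
        // The API ships with macOS 13; with no public equivalent on older
        // systems, refuse rather than accept an unauthenticated client.
        guard #available(macOS 13.0, *) else {
            return false
        }
        newConnection.setCodeSigningRequirement(clientRequirement)
        newConnection.exportedInterface = NSXPCInterface(with: HelperProtocol.self)
        newConnection.exportedObject = HelperService()
        newConnection.resume()
        return true
    }
}

final class HelperService: NSObject, HelperProtocol {
    func powermetrics(reply: @escaping (String) -> Void) {
        // Fixed executable path and fixed argument list, executed without a
        // shell, so there is no string for a client to inject into.
        let task = Process()
        task.executableURL = URL(fileURLWithPath: "/usr/bin/powermetrics")
        task.arguments = ["--samplers", "smc", "-n", "1", "-i", "1"]
        let pipe = Pipe()
        task.standardOutput = pipe
        do {
            try task.run()
            task.waitUntilExit()
            let data = pipe.fileHandleForReading.readDataToEndOfFile()
            reply(String(decoding: data, as: UTF8.self))
        } catch {
            reply("")
        }
    }
}
```

The requirement check is only as strong as the requirement string: anchoring on Team ID and bundle identifier, not just "anchor apple generic", is what keeps an arbitrary signed binary from connecting.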