Sparkle Framework Downloader XPC Service TCC Bypass Vulnerability
Vulnerability
A vulnerability in the Sparkle framework's XPC service, Downloader.xpc, allows local unprivileged attackers to bypass TCC (Transparency, Consent, and Control) protections. By registering the XPC service globally, attackers can exploit the lack of validation on connecting clients to access TCC-protected files and copy them to arbitrary locations. This vulnerability affects all Sparkle versions prior to 2.7.2 and is particularly relevant for sandboxed applications that use the downloader service.
Impact
Exploitation of this vulnerability allows for unauthorized access to TCC-protected files, such as those in the user's Desktop, Documents, or Downloads directories.
Reproduction
To reproduce this vulnerability, an attacker must register the Downloader.xpc service globally. This can be done by manipulating the application's TCC permissions to gain access to protected files. Once the service is registered, the attacker can use it to download files from TCC-restricted areas to a location of their choice.
Remediation
Users can update to Sparkle version 2.7.2 or later, where this vulnerability has been fixed.
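To find applications that still ship an affected copy, the following added example (not code from the Sparkle project or from this advisory) walks a directory for embedded Sparkle.framework bundles and flags any whose version is below 2.7.2. The bundle layout (`Versions/*/Resources/Info.plist`, a `Downloader.xpc` directory inside the framework) and the default `/Applications` root are assumptions about a typical installation.

```python
import glob
import os
import plistlib
import re
import sys

FIXED = (2, 7, 2)  # first fixed Sparkle release named in the advisory


def parse_version(text):
    """Leading numeric components of a version string, padded to three."""
    nums = [int(n) for n in re.findall(r"\d+", text.split("-")[0])][:3]
    return tuple(nums + [0] * (3 - len(nums)))


def framework_version(fw):
    """Version from Versions/*/Resources/Info.plist (assumed layout), or None."""
    pattern = os.path.join(fw, "Versions", "*", "Resources", "Info.plist")
    for plist in sorted(glob.glob(pattern)):
        try:
            with open(plist, "rb") as fh:  # plistlib reads XML and binary plists
                version = plistlib.load(fh).get("CFBundleShortVersionString")
        except Exception:  # unreadable or malformed plist
            continue
        if version:
            return str(version)
    return None


def scan(root):
    """Return (framework path, version, has_downloader, vulnerable) rows."""
    rows = []
    for dirpath, dirnames, _files in os.walk(root):
        if "Sparkle.framework" not in dirnames:
            continue
        dirnames.remove("Sparkle.framework")  # handled here, do not descend
        fw = os.path.join(dirpath, "Sparkle.framework")
        version = framework_version(fw)
        # Assumption: the downloader service is bundled inside the framework.
        has_dl = any(n.endswith("Downloader.xpc")
                     for _p, dirs, _f in os.walk(fw) for n in dirs)
        vulnerable = version is not None and parse_version(version) < FIXED
        rows.append((fw, version, has_dl, vulnerable))
    return rows


if __name__ == "__main__":
    for row in scan(sys.argv[1] if len(sys.argv) > 1 else "/Applications"):
        print(*row, sep="\t")
```

A framework whose version cannot be read is reported with version `None` and should be checked by hand.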
