MacForge Privilege Escalation Vulnerability via Insecure XPC Service

Vulnerability

A local privilege escalation vulnerability has been identified in MacForge version 1.2.0 Beta 1 for macOS. The issue arises from an insecure XPC service that allows unprivileged local users to gain root access. The vulnerability is in the XPC service 'com.macenhance.MacForge.Injector.mach', which exposes a method that copies an arbitrary file to any location on the filesystem with root privileges, without performing any authentication or authorization check on the connecting client. This can be chained with the macOS 'newsyslog' utility to create a malicious 'sudoers' file, granting full, passwordless root access.
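The root cause described above is an XPC listener that hands its privileged interface to any connecting process. The following is an added example, written for this page and not MacForge's own code, of the two controls a privileged helper needs: the listener delegate verifies the peer's code signature against a designated requirement before exposing any interface, and the file-copy method confines destinations to one allow-listed directory. The protocol name, Mach service name, bundle identifier, Team ID and allowed directory are all placeholders.

```objc
// Added example of a hardened NSXPCListener (not MacForge's code).
#import <Foundation/Foundation.h>
#import <Security/Security.h>
#include <errno.h>

// Hypothetical protocol; mirrors the shape of a "copy a file" helper method.
@protocol InjectorProtocol
- (void)copyFile:(NSString *)src toPath:(NSString *)dst reply:(void (^)(NSError *))reply;
@end

// Placeholder: the only directory this helper is allowed to write into.
static NSString * const kAllowedRoot = @"/Library/Application Support/ExampleHelper/";

// Placeholder designated requirement; replace identifier and Team ID with real ones.
static NSString * const kClientRequirement =
    @"anchor apple generic and identifier \"com.example.client\" "
    @"and certificate leaf[subject.OU] = \"TEAMID0000\"";

// Returns YES only if the process with this pid satisfies kClientRequirement.
static BOOL ClientSatisfiesRequirement(pid_t pid) {
    SecCodeRef code = NULL;
    SecRequirementRef req = NULL;
    BOOL ok = NO;
    NSDictionary *attrs = @{ (__bridge id)kSecGuestAttributePid : @(pid) };
    if (SecCodeCopyGuestWithAttributes(NULL, (__bridge CFDictionaryRef)attrs,
                                       kSecCSDefaultFlags, &code) == errSecSuccess &&
        SecRequirementCreateWithString((__bridge CFStringRef)kClientRequirement,
                                       kSecCSDefaultFlags, &req) == errSecSuccess) {
        // Dynamic validity check: signature intact and requirement satisfied.
        ok = (SecCodeCheckValidity(code, kSecCSDefaultFlags, req) == errSecSuccess);
    }
    if (code) CFRelease(code);
    if (req) CFRelease(req);
    return ok;
}

@interface InjectorService : NSObject <NSXPCListenerDelegate, InjectorProtocol>
@end

@implementation InjectorService

- (BOOL)listener:(NSXPCListener *)listener
    shouldAcceptNewConnection:(NSXPCConnection *)conn {
    // Authenticate the peer before exporting anything on the connection.
    if (!ClientSatisfiesRequirement(conn.processIdentifier)) {
        NSLog(@"rejecting XPC client pid %d: code-signing requirement not met",
              conn.processIdentifier);
        return NO;
    }
    conn.exportedInterface = [NSXPCInterface interfaceWithProtocol:@protocol(InjectorProtocol)];
    conn.exportedObject = self;
    [conn resume];
    return YES;
}

- (void)copyFile:(NSString *)src toPath:(NSString *)dst reply:(void (^)(NSError *))reply {
    // Normalize ".." segments and symlinks, then confine to the allowed root.
    NSString *resolved = [[dst stringByStandardizingPath] stringByResolvingSymlinksInPath];
    if (![resolved hasPrefix:kAllowedRoot]) {
        reply([NSError errorWithDomain:NSPOSIXErrorDomain code:EACCES
              userInfo:@{NSLocalizedDescriptionKey: @"destination outside allowed directory"}]);
        return;
    }
    NSError *err = nil;
    [[NSFileManager defaultManager] copyItemAtPath:src toPath:resolved error:&err];
    reply(err);
}

@end

int main(void) {
    @autoreleasepool {
        // Placeholder Mach service name; a real helper uses its launchd label.
        NSXPCListener *listener =
            [[NSXPCListener alloc] initWithMachServiceName:@"com.example.helper.mach"];
        InjectorService *svc = [[InjectorService alloc] init];
        listener.delegate = svc;
        [listener resume];
        [[NSRunLoop currentRunLoop] run];
    }
    return 0;
}
```

Two caveats a reviewer would raise on this pattern. A pid-based lookup is subject to pid reuse between the check and the call, so on macOS 13 and later the preferred form is to call `setCodeSigningRequirement:` on the `NSXPCConnection` in the delegate, which ties the requirement to the connection's audit token instead. And a prefix check on a resolved path still leaves a window in which a directory under the allowed root could be swapped for a symlink, so a helper that runs as root should also refuse to follow symlinks in the destination's parent (for example by opening the parent with `O_NOFOLLOW` and writing relative to that descriptor).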

Impact

Exploitation of this vulnerability allows local users to escalate privileges to root, gaining unauthorized access to system resources and capabilities.

Reproduction

The vulnerability can be reproduced by compiling and executing a Proof of Concept (PoC) exploit written in Objective-C. The PoC uses the insecure XPC service to copy a file to a sensitive system location, such as the 'sudoers' directory, thereby granting root privileges. The 'newsyslog' utility can be triggered manually to accelerate the privilege escalation.

Added: Oct 4, 2025, 1:16 AM
Updated: Oct 4, 2025, 1:16 AM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 10.0
exploitability: 4.6
remediation: 0.0
relevance: 0.7
threat: 6.4
urgency: 2.9
incentive: 0.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.