Magnetism Studios Endurance Privilege Escalation Vulnerability via Unauthenticated XPC Interface
Vulnerability
A local privilege escalation vulnerability affects Magnetism Studios Endurance versions through 3.3.0 on macOS. The application installs a privileged helper tool that exposes an NSXPC interface without authenticating its callers, so any local user can invoke the helper's methods. The most critical method, 'loadModuleNamed:WithReply:', executes system utilities with attacker-controlled input, so a caller can have commands run with root privileges. With System Integrity Protection (SIP) enabled the flaw still yields escalation to root; with SIP disabled, the same method can be used to load a kernel extension and execute arbitrary kernel code.
Impact
Exploitation of this vulnerability allows a local, non-privileged user to gain root privileges. The 'loadModuleNamed:WithReply:' method can be abused to run privileged commands or to load kernel extensions; on a system with SIP disabled this extends to kernel-level code execution.
Reproduction
The vulnerability can be reproduced by connecting to the 'com.MagnetismStudios.endurance.helper' Mach service with NSXPCConnection; the helper accepts the connection without any authentication. Once connected, calling 'loadModuleNamed:WithReply:' with an attacker-chosen module name causes the helper to run its system utilities on that input as root, escalating the caller's privileges.
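As an added illustration (not code from Magnetism Studios, and not the advisory's own proof of concept), the following Objective-C sketch shows the listener-side check that an unauthenticated helper like the one described above is missing: the connection's audit token is resolved to a SecCodeRef and validated against a code-signing requirement before any interface is exported, and the method itself refuses module names outside an allowlist so that root-run utilities never see free-form input. The protocol declaration, Helper class, allowlisted names, loader path, client identifier and Team ID in the requirement string are placeholders; the private 'auditToken' property is assumed to remain accessible, as it has been for years.

```objc
#import <Foundation/Foundation.h>
#import <Security/Security.h>
#import <bsm/libbsm.h>      // audit_token_t
#include <errno.h>

// Assumed protocol: the advisory names only the loadModuleNamed:WithReply: selector.
@protocol HelperProtocol
- (void)loadModuleNamed:(NSString *)name WithReply:(void (^)(NSError *error))reply;
@end

// Private NSXPCConnection property. The public API only exposes processIdentifier,
// which can be reused; the audit token pins the exact peer process. Assumption: it
// stays exposed (macOS 13+ also offers -setCodeSigningRequirement: as public API).
@interface NSXPCConnection (AuditToken)
@property (nonatomic, readonly) audit_token_t auditToken;
@end

// Assumed designated requirement for the legitimate client: identifier and Team ID
// are placeholders, not values taken from the product.
static NSString * const kClientRequirement =
    @"anchor apple generic and identifier \"com.MagnetismStudios.endurance\" "
    @"and certificate leaf[subject.OU] = \"TEAMID0000\"";

@interface Helper : NSObject <HelperProtocol>
@end

@implementation Helper
// Second layer: even an authenticated caller must not steer a root-run utility with
// arbitrary input. Accept only allowlisted names and pass them as discrete argv
// entries, never through a shell. Names and loader path are placeholders.
- (void)loadModuleNamed:(NSString *)name WithReply:(void (^)(NSError *error))reply {
    NSSet<NSString *> *allowed = [NSSet setWithObjects:@"ModuleA", @"ModuleB", nil];
    if (![allowed containsObject:name]) {
        reply([NSError errorWithDomain:NSPOSIXErrorDomain code:EINVAL userInfo:nil]);
        return;
    }
    NSTask *task = [[NSTask alloc] init];
    task.executableURL = [NSURL fileURLWithPath:@"/usr/local/libexec/module-loader"];
    task.arguments = @[ name ];
    NSError *err = nil;
    if (![task launchAndReturnError:&err]) { reply(err); return; }
    [task waitUntilExit];
    reply(task.terminationStatus == 0 ? nil
          : [NSError errorWithDomain:NSPOSIXErrorDomain code:EIO userInfo:nil]);
}
@end

@interface HelperListenerDelegate : NSObject <NSXPCListenerDelegate>
@end

@implementation HelperListenerDelegate

// The vulnerable shape of this method is: set exportedInterface, resume, return YES.
// That is exactly what lets any local process reach loadModuleNamed:WithReply:.
- (BOOL)listener:(NSXPCListener *)listener
shouldAcceptNewConnection:(NSXPCConnection *)newConnection {
    if (![HelperListenerDelegate connectionIsFromTrustedClient:newConnection]) {
        return NO;   // the framework invalidates the connection; nothing is exported
    }
    newConnection.exportedInterface =
        [NSXPCInterface interfaceWithProtocol:@protocol(HelperProtocol)];
    newConnection.exportedObject = [[Helper alloc] init];
    [newConnection resume];
    return YES;
}

// Resolve the peer from its audit token and check it against the requirement.
+ (BOOL)connectionIsFromTrustedClient:(NSXPCConnection *)connection {
    audit_token_t token = connection.auditToken;
    NSData *tokenData = [NSData dataWithBytes:&token length:sizeof(token)];
    NSDictionary *attrs = @{ (__bridge NSString *)kSecGuestAttributeAudit : tokenData };

    SecCodeRef code = NULL;
    if (SecCodeCopyGuestWithAttributes(NULL, (__bridge CFDictionaryRef)attrs,
                                       kSecCSDefaultFlags, &code) != errSecSuccess) {
        return NO;
    }
    SecRequirementRef requirement = NULL;
    if (SecRequirementCreateWithString((__bridge CFStringRef)kClientRequirement,
                                       kSecCSDefaultFlags, &requirement) != errSecSuccess) {
        CFRelease(code);
        return NO;
    }
    // Validates the running code's signature against the requirement: an unsigned
    // binary, or one signed by another team, fails here.
    OSStatus status = SecCodeCheckValidity(code, kSecCSDefaultFlags, requirement);
    CFRelease(requirement);
    CFRelease(code);
    return status == errSecSuccess;
}
@end

int main(int argc, const char *argv[]) {
    @autoreleasepool {
        // Mach service name as given in the reproduction section above.
        NSXPCListener *listener = [[NSXPCListener alloc]
            initWithMachServiceName:@"com.MagnetismStudios.endurance.helper"];
        HelperListenerDelegate *delegate = [[HelperListenerDelegate alloc] init];
        listener.delegate = delegate;   // delegate is weak; keep it alive here
        [listener resume];
        [[NSRunLoop currentRunLoop] run];
    }
    return 0;
}
```

Two points matter when auditing a helper of this kind. First, the check belongs in listener:shouldAcceptNewConnection:, before resume; a check performed inside individual methods leaves every unchecked method exposed. Second, a requirement that names only the bundle identifier is bypassable, since any local user can sign a binary with that identifier; the requirement must pin the developer's Team ID (or, on macOS 13 and later, the same string can be handed to -[NSXPCConnection setCodeSigningRequirement:] so the framework performs the check). Checking processIdentifier alone is not sufficient, because a PID can be reused between the check and the message.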
