Dr.Buho BuhoNTFS Privilege Escalation Vulnerability in XPC Service

Vulnerability

A local privilege escalation vulnerability has been identified in Dr.Buho's BuhoNTFS version 1.3.2 for macOS. The issue arises from an insecure XPC service that allows unprivileged users to gain root access by exploiting unauthenticated functions in the privileged helper tool 'com.drbuho.disktool.NTFSHelperTool'. This XPC service accepts connections from any local process, enabling the execution of arbitrary binaries as root, installation of kernel extensions, and access to sensitive system information.

Impact

Exploitation of this vulnerability allows local, unprivileged users to escalate privileges to root, with the potential to execute arbitrary binaries as root, install kernel extensions, and access sensitive system information.

Reproduction

To reproduce this vulnerability, establish a connection to the XPC service 'com.drbuho.disktool.NTFSHelperTool' without authentication. Once connected, use the method 'setFSExecPath:' to specify a malicious script located in the '/tmp' directory. After setting the execution path, trigger the execution by calling 'mountReadWriteNTFSVolumeWithMountPoint:bsdName:isKMount:completion:'. The malicious script will execute with root privileges, demonstrating the privilege escalation.
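The two weaknesses described above (a listener that accepts any local process, and an executable path the client can set) are closed in the added Objective-C sketch below. It is not Dr.Buho's code or fix. The protocol, class, Mach service name, bundle identifier, team ID and tool path are hypothetical placeholders, and `setCodeSigningRequirement:` requires macOS 13 or later.

```objc
// Added example, not vendor code. HelperProtocol, HelperDelegate, com.example.*,
// TEAMID1234 and the tool path are hypothetical placeholders.
#import <Foundation/Foundation.h>

@protocol HelperProtocol
// Deliberately no setter for the executable path: the client never picks the binary.
- (void)mountVolumeWithBSDName:(NSString *)bsdName
                    completion:(void (^)(BOOL ok))completion;
@end

@interface HelperDelegate : NSObject <NSXPCListenerDelegate, HelperProtocol>
@end

@implementation HelperDelegate
- (BOOL)listener:(NSXPCListener *)listener
    shouldAcceptNewConnection:(NSXPCConnection *)conn {
    // Pin the peer to the vendor-signed client (macOS 13+). A peer that does
    // not satisfy the requirement has its connection invalidated.
    [conn setCodeSigningRequirement:
        @"anchor apple generic and identifier \"com.example.client\" "
        @"and certificate leaf[subject.OU] = \"TEAMID1234\""];
    conn.exportedInterface =
        [NSXPCInterface interfaceWithProtocol:@protocol(HelperProtocol)];
    conn.exportedObject = self;
    [conn resume];
    return YES;
}

- (void)mountVolumeWithBSDName:(NSString *)bsdName
                    completion:(void (^)(BOOL ok))completion {
    // Treat client input as untrusted even after the signature check.
    NSPredicate *valid = [NSPredicate predicateWithFormat:
        @"SELF MATCHES %@", @"^disk[0-9]+(s[0-9]+)?$"];
    if (![valid evaluateWithObject:bsdName]) { completion(NO); return; }
    // Fixed path in a root-owned directory; nothing sent over XPC can change it.
    NSTask *task = [NSTask new];
    task.executableURL = [NSURL fileURLWithPath:
        @"/Library/PrivilegedHelperTools/com.example.mount-tool"];
    task.arguments = @[bsdName];
    completion([task launchAndReturnError:nil]);
}
@end

int main(void) {
    static HelperDelegate *delegate;  // listener.delegate is weak; keep it alive
    delegate = [HelperDelegate new];
    NSXPCListener *l = [[NSXPCListener alloc] initWithMachServiceName:@"com.example.helper"];
    l.delegate = delegate;
    [l resume];
    [[NSRunLoop currentRunLoop] run];
    return 0;
}
```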

Added: Dec 12, 2025, 4:24 PM
Updated: Dec 12, 2025, 4:24 PM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 7.5
exploitability: 6.0
remediation: 0.0
relevance: 1.4
threat: 6.4
urgency: 2.9
incentive: 0.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.