AirVPN Eddie Privilege Escalation Vulnerability on macOS

Vulnerability

A local privilege escalation vulnerability has been identified in AirVPN Eddie version 2.24.6 for macOS. This vulnerability allows unprivileged users to escalate their privileges to root by exploiting an insecure XPC service. The issue arises from a command chain in the privileged helper tool 'eddie-cli-elevated', specifically through 'shortcut-cli' and 'openvpn' commands, which can be combined to execute arbitrary code as root without user interaction. The vulnerability is exploitable when the 'Don't ask elevation every run' option is enabled in Eddie VPN settings, creating a persistent LaunchDaemon that increases the attack surface by keeping the vulnerable service accessible even when the VPN application is not in use.

Impact

Exploitation of this vulnerability leads to unauthorized privilege escalation, allowing local users to execute arbitrary code with root privileges.

Reproduction

The vulnerability can be reproduced by enabling the 'Don't ask elevation every run' option in Eddie VPN settings. This installs a LaunchDaemon that runs the privileged helper tool 'eddie-cli-elevated' persistently. Once this is set, the 'shortcut-cli' command can be used to create a malicious wrapper script at '/usr/local/bin/eddie-cli' with root ownership and 0755 permissions. The 'openvpn' command will then execute this wrapper as root, allowing the malicious code to run with elevated privileges.
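To check whether a Mac is in the exposed configuration described above, the following added example (not code from AirVPN or from the original advisory) looks for a LaunchDaemon that runs 'eddie-cli-elevated' and reports the owner, mode and type of '/usr/local/bin/eddie-cli'. The advisory does not name the LaunchDaemon plist, so the search matches on the helper name inside the standard /Library/LaunchDaemons directory; the function names are illustrative.

```python
import os
import plistlib
import stat
from pathlib import Path

HELPER_NAME = "eddie-cli-elevated"         # helper named in the advisory
WRAPPER_PATH = "/usr/local/bin/eddie-cli"  # wrapper path named in the advisory
DAEMON_DIR = "/Library/LaunchDaemons"      # standard macOS system daemon directory


def find_helper_daemons(daemon_dir=DAEMON_DIR):
    """Return LaunchDaemon plists whose Program/ProgramArguments name the helper."""
    hits = []
    for plist in sorted(Path(daemon_dir).glob("*.plist")):
        try:
            with open(plist, "rb") as fh:
                job = plistlib.load(fh)
        except Exception:
            continue  # unreadable or malformed plist: nothing to inspect
        if not isinstance(job, dict):
            continue
        argv = [job.get("Program", "")] + list(job.get("ProgramArguments") or [])
        if any(HELPER_NAME in str(a) for a in argv):
            hits.append(str(plist))
    return hits


def describe_wrapper(path=WRAPPER_PATH):
    """Report the file attributes the advisory describes; None if absent."""
    try:
        st = os.lstat(path)
    except FileNotFoundError:
        return None
    try:
        with open(path, "rb") as fh:
            head = fh.read(2)
    except OSError:
        head = b""  # dangling symlink or unreadable file
    return {
        "root_owned": st.st_uid == 0,
        "mode": oct(stat.S_IMODE(st.st_mode)),
        "is_script": head == b"#!",
        "is_symlink": stat.S_ISLNK(st.st_mode),
    }


if __name__ == "__main__":
    print("LaunchDaemons running the helper:", find_helper_daemons())
    print("Wrapper attributes:", describe_wrapper())
```

A non-empty daemon list means the helper stays reachable while Eddie is closed. The wrapper report is for manual review of the file's contents, since the attributes alone do not show whether the wrapper is malicious.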

Added: Jan 6, 2026, 4:21 PM
Updated: Jan 6, 2026, 4:21 PM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 10.0
exploitability: 4.6
remediation: 0.0
relevance: 1.9
threat: 6.4
urgency: 2.9
incentive: 0.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.