Pritunl Client
cpe:2.3:a:pritunl:pritunl-client:*:*:*:*:*:*:*
A local privilege escalation vulnerability has been identified in Pritunl Client versions prior to 1.3.4220.57 on macOS. The issue arises when an administrator uninstalls the application by dragging it to the trash, leaving the associated LaunchDaemon configuration intact. This allows the administrator to create a new file in the location of the removed 'pritunl-service' file, which will then be executed as root, thereby escalating privileges.
Exploitation of this vulnerability allows for unauthorized privilege escalation, with the potential to execute arbitrary commands or actions as the root user.
To reproduce this vulnerability, an administrator must first uninstall Pritunl Client by dragging the application to the trash. After the application is removed, the administrator can create a new file at the path where the 'pritunl-service' file was located. Once this file is created, it will be executed by a LaunchDaemon as the root user, leading to privilege escalation.
Users can avoid this vulnerability by running the official macOS uninstall script provided by Pritunl. Additionally, Pritunl Client can be installed and uninstalled using Homebrew Cask, which properly cleans up the installation and removes the LaunchDaemon configuration.
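To check a Mac for the leftover state described above, the following added example (not code from Pritunl or from this advisory) audits a LaunchDaemons directory for jobs whose executable is missing or can be modified by a non-root user. It goes beyond the single Pritunl job and checks every plist in the directory; the default path is the standard macOS /Library/LaunchDaemons, and the `com.example.*` labels and temporary files in `demo()` are constructed sample data.

```python
import os
import plistlib
import tempfile
from pathlib import Path


def daemon_program(job: dict):
    """Return the executable launchd would start for this job, or None."""
    if job.get("Program"):
        return job["Program"]
    args = job.get("ProgramArguments") or []
    return args[0] if args else None


def audit_launchdaemons(daemon_dir="/Library/LaunchDaemons", trusted_uid=0):
    """Return (plist name, program, reason) for each job with an unsafe target."""
    findings = []
    for plist in sorted(Path(daemon_dir).glob("*.plist")):
        try:
            program = daemon_program(plistlib.loads(plist.read_bytes()))
        except Exception:  # a damaged or unreadable plist is reported, not fatal
            findings.append((plist.name, None, "unreadable plist"))
            continue
        if program is None:
            continue
        try:
            st = os.stat(program)
        except (FileNotFoundError, NotADirectoryError):
            # The case from the advisory: the app was removed, the job remains.
            findings.append((plist.name, program, "target missing"))
            continue
        # 0o022 = group-write or other-write permission bits
        if st.st_uid != trusted_uid or st.st_mode & 0o022:
            findings.append((plist.name, program, "target writable by non-root"))
    return findings


def demo():
    """Constructed sample: one healthy job and one orphaned job in a temp dir."""
    root = Path(tempfile.mkdtemp())
    good = root / "good-service"
    good.write_text("#!/bin/sh\n")
    good.chmod(0o755)
    jobs = {"com.example.good.plist": str(good),
            "com.example.orphan.plist": str(root / "removed-app" / "service")}
    for name, prog in jobs.items():
        job = {"Label": name[:-6], "ProgramArguments": [prog]}
        (root / name).write_bytes(plistlib.dumps(job))
    # The demo files belong to the current user, so treat that uid as trusted.
    return audit_launchdaemons(root, trusted_uid=os.getuid())
```

On a Mac, calling `audit_launchdaemons()` with its defaults lists the jobs to review; a "target missing" finding means the plist should be unloaded and removed, which is what the official uninstall script and Homebrew Cask do for Pritunl Client.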