Canonical Multipass Privilege Escalation Vulnerability on macOS

Vulnerability

A local privilege escalation vulnerability has been identified in Canonical Multipass versions through 1.15.1 on macOS. The issue arises from incorrect default permissions that allow a local attacker to modify files executed with administrative privileges by a Launch Daemon during system startup. This manipulation can lead to unauthorized actions being performed with root privileges.

Impact

Exploitation of this vulnerability allows for arbitrary actions to be performed as the root user.

Reproduction

Installing Multipass 1.15.1 on macOS creates a LaunchDaemon, but with the default permissions the 'multipassd' binary it runs is owned by the local user instead of root. This misconfiguration can be exploited by replacing the 'multipassd' binary with a malicious script. When the LaunchDaemon executes that script after a system restart, it performs actions as root, such as writing to a temporary file.

Remediation

Users can update to Multipass version 1.16.0, which addresses this vulnerability. If updating is not possible, the ownership of the 'multipassd' binary can be changed manually to root.
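
One way to verify the condition described above, before and after remediation, is to audit the program each LaunchDaemon runs. This is an added example, not part of the original advisory or of Multipass. It goes beyond the single binary and checks every job in the standard /Library/LaunchDaemons directory. The function names are illustrative, and the default assumes only uid 0 (root) should own daemon programs.

```python
import os
import plistlib
import stat
from pathlib import Path

DAEMON_DIR = Path("/Library/LaunchDaemons")  # standard macOS system daemon directory

def daemon_program(plist_path):
    """Return the executable a launchd job runs, or None if it names none."""
    with open(plist_path, "rb") as fh:
        job = plistlib.load(fh)
    if job.get("Program"):
        return Path(job["Program"])
    args = job.get("ProgramArguments") or []
    return Path(args[0]) if args else None

def path_problems(path, trusted_uids=frozenset({0})):
    """List reasons a non-trusted user could modify `path`."""
    try:
        st = os.stat(path)
    except OSError as exc:
        return [f"{path}: cannot stat ({exc.strerror})"]
    problems = []
    if st.st_uid not in trusted_uids:
        problems.append(f"{path}: owned by uid {st.st_uid}")
    if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        problems.append(f"{path}: group/world-writable ({stat.filemode(st.st_mode)})")
    return problems

def audit_daemons(daemon_dir=DAEMON_DIR, trusted_uids=frozenset({0})):
    """Map each job plist to problems on its program and the program's directory."""
    findings = {}
    for plist_path in sorted(Path(daemon_dir).glob("*.plist")):
        try:
            program = daemon_program(plist_path)
        except Exception as exc:  # malformed or unreadable plist
            findings[str(plist_path)] = [f"unreadable plist ({exc})"]
            continue
        if program is None:
            continue
        # A writable directory lets the binary be renamed and replaced.
        problems = path_problems(program, trusted_uids) + path_problems(program.parent, trusted_uids)
        if problems:
            findings[str(plist_path)] = problems
    return findings

if __name__ == "__main__":
    for plist, problems in audit_daemons().items():
        print(plist, *problems, sep="\n  ")
```

An empty result means every daemon program and its containing directory is root-owned and not group- or world-writable. Any entry listed is a file that a non-root account could alter before launchd next runs it as root.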

Added: Jul 12, 2025, 12:17 AM
Updated: Jul 12, 2025, 12:17 AM

Vulnerability Rating

Custom Algorithm

spread: 4.2
impact: 10.0
exploitability: 3.6
remediation: 8.3
relevance: 0.3
threat: 1.6
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.