Pearcleaner Privileged Helper Unauthenticated XPC Service Access Vulnerability Allowing Local Privilege Escalation

Vulnerability

A vulnerability exists in the Pearcleaner application for macOS, specifically in versions 4.4.0 through 4.5.1. The issue arises from the PearcleanerHelper, a privileged tool that runs with root access after user approval. The helper registers an XPC service that accepts unauthenticated connections from any local process, allowing unprivileged users to execute arbitrary commands as root. The root cause is that the helper does not validate the identity of incoming connections, which makes local privilege escalation possible.

Impact

Exploitation of this vulnerability allows local unprivileged users to gain root privileges by sending crafted requests to the PearcleanerHelper's XPC service, executing arbitrary commands with elevated rights.

Reproduction

To reproduce this vulnerability, first install Pearcleaner version 4.4.0 through 4.5.1 and approve the activation of the PearcleanerHelper when prompted. Once the helper is active, any local unprivileged user can connect to the XPC service and use the 'runCommand' method to execute commands as root. This can be done by creating a simple Swift application that establishes a connection to the XPC service and sends commands for execution. After the commands are executed, the output can be captured and displayed, demonstrating the successful execution of commands with root privileges.

Remediation

Users can update to Pearcleaner version 4.5.2, which addresses this vulnerability by implementing proper validation of XPC connections to ensure they come from the legitimate Pearcleaner application.
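A helper-side check of the kind the fix describes, as an added example that is not Pearcleaner's own code: the NSXPCListener delegate binds each incoming connection to a code-signing requirement so that only the signed Pearcleaner app is served, using NSXPCConnection.setCodeSigningRequirement (macOS 13 and later). The bundle identifier and Team ID placeholders, the HelperProtocol signature, and the injected service object are assumptions, not values from the advisory.

```swift
import Foundation

// Hypothetical protocol for the helper; only the method name 'runCommand'
// appears in the advisory, the signature is assumed.
@objc protocol HelperProtocol {
    func runCommand(_ command: String, reply: @escaping (String) -> Void)
}

final class HelperListenerDelegate: NSObject, NSXPCListenerDelegate {
    // Designated requirement a client must satisfy before any message is
    // delivered. Bundle identifier and Team ID are placeholders; the advisory
    // does not state the real values.
    private let clientRequirement =
        "anchor apple generic and identifier \"BUNDLE_ID_PLACEHOLDER\" " +
        "and certificate leaf[subject.OU] = \"TEAMID_PLACEHOLDER\""

    // Assumed existing implementation of the helper's exported object.
    private let service: HelperProtocol

    init(service: HelperProtocol) { self.service = service }

    // Wiring (not shown): NSXPCListener(machServiceName:) with this delegate,
    // then listener.resume().
    func listener(_ listener: NSXPCListener,
                  shouldAcceptNewConnection newConnection: NSXPCConnection) -> Bool {
        // Vulnerable pattern (what the advisory describes): `return true`
        // with no identity check lets any local process call runCommand as root.
        // Checking newConnection.processIdentifier is not a fix either: a PID
        // can be recycled between the check and the first message.
        guard #available(macOS 13.0, *) else {
            // No supported API to bind a requirement here: refuse rather than
            // fall back to an unauthenticated listener.
            return false
        }
        // The framework evaluates the peer's kernel-supplied audit token
        // against the requirement and invalidates a non-matching connection.
        newConnection.setCodeSigningRequirement(clientRequirement)
        newConnection.exportedInterface = NSXPCInterface(with: HelperProtocol.self)
        newConnection.exportedObject = service
        newConnection.resume()
        return true
    }
}
```

The requirement string can be verified against a built app bundle with `codesign -d -r - /path/to/App.app` before it is hard-coded into the helper.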

Added: Aug 1, 2025, 6:43 PM
Updated: Aug 1, 2025, 6:43 PM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 10.0
exploitability: 5.8
remediation: 7.7
relevance: 0.3
threat: 6.4
urgency: 2.9
incentive: 0.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.