Plugin Alliance Installation Manager Unauthenticated XPC Service Local Privilege Escalation Vulnerability
Vulnerability
A local privilege escalation vulnerability has been identified in the InstallationHelper service of Plugin Alliance Installation Manager for macOS, specifically in version 1.4.0. This vulnerability arises because the service accepts unauthenticated XPC connections from any local user and executes the received input using the system() function. As a result, a local user could potentially execute arbitrary commands with root privileges.
Impact
Exploitation of this vulnerability allows local users to gain root access by executing arbitrary commands with elevated privileges.
Reproduction
The vulnerability can be reproduced by establishing an XPC connection to the vulnerable InstallationHelper service. Since the service does not authenticate the client, any local process can connect and invoke privileged methods. Once connected, the 'exchangeAppWithReply:' method can be called with crafted arguments that exploit the lack of input validation, injecting shell commands that are executed as root.
Remediation
To address this vulnerability, it is recommended to implement strong client verification for all XPC connections. This should include validating the client's code signature and using the audit token for identity checks. Additionally, ensure that the hardened runtime is enabled and restrict the use of sensitive entitlements that could weaken binary integrity protections.
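The client check recommended above, sketched as an added Objective-C example (not code from Plugin Alliance or from the original advisory): an NSXPCListener delegate that resolves the caller from its audit token and accepts the connection only if its code signature satisfies a pinned requirement. The requirement string, the identifier `com.example.client`, the Team ID `TEAMID0000`, and the `HelperProtocol`/`Helper` names are hypothetical placeholders, and the `auditToken` category declaration is an assumption of this example.

```objective-c
#import <Foundation/Foundation.h>
#import <Security/Security.h>

// auditToken is not in the public NSXPCConnection header; declaring it in a
// category is a common workaround (an assumption of this example).
@interface NSXPCConnection (AuditToken)
@property (nonatomic, readonly) audit_token_t auditToken;
@end

// Placeholder requirement: substitute the real client identifier and Team ID.
static NSString *const kClientRequirement =
    @"anchor apple generic and identifier \"com.example.client\" "
    @"and certificate leaf[subject.OU] = \"TEAMID0000\"";

// YES only if the process named by the audit token has a valid signature that
// satisfies kClientRequirement. The token avoids the PID-reuse race of a PID lookup.
static BOOL ClientIsTrusted(audit_token_t token) {
    NSData *tokenData = [NSData dataWithBytes:&token length:sizeof(token)];
    NSDictionary *attrs = @{(__bridge NSString *)kSecGuestAttributeAudit : tokenData};
    SecCodeRef code = NULL;
    SecRequirementRef req = NULL;
    BOOL ok = NO;
    if (SecCodeCopyGuestWithAttributes(NULL, (__bridge CFDictionaryRef)attrs,
                                       kSecCSDefaultFlags, &code) == errSecSuccess &&
        SecRequirementCreateWithString((__bridge CFStringRef)kClientRequirement,
                                       kSecCSDefaultFlags, &req) == errSecSuccess) {
        ok = (SecCodeCheckValidity(code, kSecCSDefaultFlags, req) == errSecSuccess);
    }
    if (code) CFRelease(code);
    if (req) CFRelease(req);
    return ok;
}

@protocol HelperProtocol  // hypothetical; stands in for the service's real interface
- (void)pingWithReply:(void (^)(NSString *))reply;
@end

@interface Helper : NSObject <NSXPCListenerDelegate, HelperProtocol>
@end
@implementation Helper
- (void)pingWithReply:(void (^)(NSString *))reply { reply(@"ok"); }
- (BOOL)listener:(NSXPCListener *)l shouldAcceptNewConnection:(NSXPCConnection *)c {
    if (!ClientIsTrusted(c.auditToken)) return NO;  // reject before exporting anything
    c.exportedInterface = [NSXPCInterface interfaceWithProtocol:@protocol(HelperProtocol)];
    c.exportedObject = self;
    [c resume];
    return YES;
}
@end
```

An instance of `Helper` is meant to be set as the delegate of the helper's `NSXPCListener`. On macOS 13 and later, `-[NSXPCListener setConnectionCodeSigningRequirement:]` applies the same kind of requirement through public API.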
