Plugin Alliance InstallationHelper Missing Hardened Runtime/Restrictions Allowing DYLD Library Injection

Vulnerability

A local privilege escalation vulnerability exists in the Plugin Alliance InstallationHelper service included with Installation Manager versions through 1.4.0 on macOS. The vulnerability arises because the binary lacks a hardened runtime and a __RESTRICT segment, allowing local users to exploit the DYLD_INSERT_LIBRARIES environment variable to inject dynamic libraries. This injection could lead to code execution with elevated privileges, as the InstallationHelper runs as root.

Impact

Exploitation of this vulnerability allows for local privilege escalation, with injected code executing as the root user, potentially leading to full system compromise.

Reproduction

The vulnerability can be reproduced by creating a malicious dynamic library that includes a constructor function. This library can be injected into the Plugin Alliance InstallationHelper using the DYLD_INSERT_LIBRARIES environment variable. The InstallationHelper can be triggered through an XPC interface, which will cause it to load the injected library. Once the library is loaded, its constructor will execute, demonstrating that arbitrary code has been run with elevated privileges.

Remediation

To address this vulnerability, the Plugin Alliance InstallationHelper should be updated to include a hardened runtime, add a __RESTRICT segment to the Mach-O binary, and sanitize the environment at startup to clear DYLD_INSERT_LIBRARIES and other DYLD-related variables before the helper executes.
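
The environment-sanitizing step, sketched as an added example (not the vendor's code; `scrub_dyld_env` is a hypothetical name). dyld has already acted on DYLD_INSERT_LIBRARIES by the time `main()` runs, so this scrub only keeps the variables from reaching child processes; the hardened runtime and the __RESTRICT segment are what make dyld ignore them in the helper itself.

```c
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200809L   /* setenv()/unsetenv() prototypes */
#endif
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

extern char **environ;

/* Hypothetical helper: remove every DYLD_* variable from this process's
 * environment. Returns the number removed, or -1 on failure. */
int scrub_dyld_env(void)
{
    int removed = 0;
    char **ep = environ;

    while (ep != NULL && *ep != NULL) {
        const char *eq = strchr(*ep, '=');
        if (eq == NULL || strncmp(*ep, "DYLD_", 5) != 0) {
            ep++;
            continue;
        }
        /* Copy the name first: unsetenv() rewrites the environ array. */
        size_t len = (size_t)(eq - *ep);
        char *name = malloc(len + 1);
        if (name == NULL)
            return -1;
        memcpy(name, *ep, len);
        name[len] = '\0';
        int rc = unsetenv(name);
        free(name);
        if (rc != 0)
            return -1;
        removed++;
        ep = environ;             /* array was compacted: rescan from the start */
    }
    return removed;
}

int main(void)
{
    int n = scrub_dyld_env();
    if (n < 0) {                  /* fail closed: never continue with a dirty env */
        fprintf(stderr, "helper: could not sanitize environment\n");
        return EXIT_FAILURE;
    }
    if (n > 0)                    /* a root helper started with DYLD_* set is worth logging */
        fprintf(stderr, "helper: removed %d DYLD_* variable(s)\n", n);
    /* ... privileged work and any child processes start only after this point ... */
    return EXIT_SUCCESS;
}
```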

Added: Dec 3, 2025, 5:36 PM
Updated: Dec 3, 2025, 5:36 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 10.0
exploitability: 4.6
remediation: 0.0
relevance: 1.2
threat: 6.4
urgency: 2.9
incentive: 0.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.