Acustica Audio Aquarius HelperTool XPC Service Local Privilege Escalation Vulnerability
Vulnerability
A local privilege escalation vulnerability has been identified in the Aquarius HelperTool version 1.0.003, which is a privileged XPC service on macOS. This vulnerability arises from multiple flaws, including the service's failure to validate the identity of local processes before accepting XPC connections. Additionally, the authorization logic is fundamentally flawed, allowing all authorization checks to pass. The vulnerability can be exploited by local attackers to execute arbitrary commands with root privileges, potentially leading to the creation of persistent backdoors or interactive root shells.
Impact
Exploitation of this vulnerability allows local users to gain root privileges, execute arbitrary commands as the root user, and create persistent backdoors or interactive root shells, all while bypassing macOS's security model.
Reproduction
The vulnerability can be reproduced by creating an XPC connection to the 'com.acustica.HelperTool' service without proper authentication. This can be done using an Objective-C client that sends crafted commands to the service. The commands are executed with root privileges, exploiting the flawed authorization logic and the lack of client validation.
Remediation
To address this vulnerability, it is recommended to implement strong client verification for all XPC connections. This should include validating the client's code signature and using the audit token for identity checks. Additionally, ensure that the hardened runtime is enabled and restrict the use of sensitive entitlements that can weaken binary integrity protections.
