Wulkano KAP
cpe:2.3:a:getkap:kap:*:*:*:*:macos:*:*
- 3.6.0
A code injection vulnerability has been identified in Wulkano Kap version 3.6.0 on macOS. It arises from improper control of the Node.js environment: attackers can exploit the 'ELECTRON_RUN_AS_NODE' environment variable or the '--inspect' option. By doing so, they can bypass the Transparency, Consent, and Control (TCC) mechanism, enabling unauthorized capture of audio or video without user consent.
Exploitation of this vulnerability allows for arbitrary code execution and evasion of macOS's TCC protections, leading to unauthorized capture of audio or video.
To reproduce this vulnerability, create a screen recording binary using Objective-C that leverages the AVFoundation framework. Compile this code with the appropriate Apple frameworks and save it as a binary file. Then, create a plist file that includes the 'ELECTRON_RUN_AS_NODE' environment variable set to 'true' and the path to the compiled screen recording binary. Load this plist file using launchctl, which will execute the Kap application with the specified arguments, bypassing TCC and allowing the screen recording to be captured without consent.
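A detection check for the launchd technique described above, added here as an example (it is not code from this advisory or from the Kap project): it parses launchd job plists and flags any that set 'ELECTRON_RUN_AS_NODE' or pass an '--inspect' argument. The function name, job labels and the Example.app path are constructed placeholders.

```python
import plistlib
from pathlib import Path

ENV_FLAG = "ELECTRON_RUN_AS_NODE"
INSPECT_PREFIX = "--inspect"  # also matches --inspect-brk and --inspect=<port>
# Standard launchd job locations on macOS.
JOB_DIRS = ["~/Library/LaunchAgents", "/Library/LaunchAgents", "/Library/LaunchDaemons"]


def audit_launchd_job(plist_bytes: bytes) -> list:
    """Return findings for one launchd job definition (XML or binary plist)."""
    try:
        job = plistlib.loads(plist_bytes)
    except Exception:
        return ["unparseable plist"]
    if not isinstance(job, dict):
        return ["plist root is not a dictionary"]

    findings = []
    env = job.get("EnvironmentVariables")
    if isinstance(env, dict) and ENV_FLAG in env:
        findings.append(f"{ENV_FLAG}={env[ENV_FLAG]!r} in EnvironmentVariables")
    args = job.get("ProgramArguments")
    args = args if isinstance(args, list) else []
    for arg in args[1:]:  # args[0] is the executable itself
        if isinstance(arg, str) and arg.startswith(INSPECT_PREFIX):
            findings.append(f"inspector argument {arg!r} in ProgramArguments")
    if findings:
        target = job.get("Program") or (args[0] if args else "<unknown>")
        findings.insert(0, f"job {job.get('Label', '<no label>')!r} launches {target}")
    return findings


# Constructed samples (placeholder labels and app path, not from a real host).
APP = "/Applications/Example.app/Contents/MacOS/Example"
ENV_JOB = plistlib.dumps({"Label": "com.example.constructed.env", "ProgramArguments": [APP],
                          "EnvironmentVariables": {ENV_FLAG: "true"}})
INSPECT_JOB = plistlib.dumps({"Label": "com.example.constructed.inspect",
                              "ProgramArguments": [APP, "--inspect=9229"]})
BENIGN_JOB = plistlib.dumps({"Label": "com.example.constructed.ok", "ProgramArguments": [APP]})

if __name__ == "__main__":
    for sample in (ENV_JOB, INSPECT_JOB, BENIGN_JOB):
        print(audit_launchd_job(sample))
    for directory in JOB_DIRS:  # on a Mac, also audit the installed jobs
        for path in sorted(Path(directory).expanduser().glob("*.plist")):
            try:
                for line in audit_launchd_job(path.read_bytes()):
                    print(f"{path}: {line}")
            except OSError:
                continue
```

A flagged job is a lead for review rather than proof of abuse: confirm which application the job launches and whether that job is expected on the host.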