MacVim
cpe:2.3:a:macvim:macvim:*:*:*:*:macos:*:*
- < r181.2
A vulnerability in MacVim's code-signing configuration on macOS allows local attackers with unprivileged access to attach a debugger, read or modify process memory, and inject code into the application's context. This is possible even though the application is signed with the Hardened Runtime enabled, and it bypasses the Transparency, Consent, and Control (TCC) framework. The vulnerability arises from the presence of the 'com.apple.security.get-task-allow' entitlement, which removes the authorization step that macOS otherwise requires before a process can be debugged. Exploitation can be achieved through a malicious application that takes advantage of this entitlement, gaining access to the application's memory and the ability to inject code.
The vulnerability allows for unauthorized debugging, memory manipulation, and code injection into MacVim, disrupting the application's normal operation and potentially leading to the execution of malicious code.
The vulnerability can be reproduced by running a MacVim build on macOS that carries the 'get-task-allow' entitlement and then using a malicious application that takes advantage of that entitlement to attach a debugger to MacVim. Once attached, the debugger can be used to read or modify MacVim's process memory and inject code into its context.
The vulnerability has been fixed in MacVim version r181.2.
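As an added example (not part of the advisory, and not MacVim's own code), the following script shows how a defender can audit an app bundle's entitlements for the get-task-allow key that this advisory describes. On a real Mac the entitlements would come from `codesign -d --entitlements - /Applications/MacVim.app`; here two constructed plist samples, one with the entitlement and one without, are embedded so the check runs offline.

```shell
#!/bin/sh
# Added example: audit an entitlements plist for com.apple.security.get-task-allow.
# On macOS the plist text would be produced by:
#   codesign -d --entitlements - /Applications/MacVim.app
# and piped into has_get_task_allow. The samples below are constructed.

# has_get_task_allow: reads an entitlements plist on stdin; returns 0 (true)
# when com.apple.security.get-task-allow is set to <true/>, 1 otherwise.
has_get_task_allow() {
    # Strip whitespace so the key and its boolean value land on one line,
    # then look for the key immediately followed by <true/>.
    tr -d '\n\t ' | grep -q '<key>com.apple.security.get-task-allow</key><true/>'
}

# Constructed sample: a Hardened Runtime app that also ships get-task-allow,
# the combination the advisory describes for MacVim before r181.2.
VULNERABLE_PLIST='<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
    <key>com.apple.security.get-task-allow</key>
    <true/>
    <key>com.apple.security.cs.allow-jit</key>
    <true/>
</dict>
</plist>'

# Constructed sample: the same bundle with the entitlement removed (the fix).
FIXED_PLIST='<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
    <key>com.apple.security.cs.allow-jit</key>
    <true/>
</dict>
</plist>'

# audit_plist NAME PLIST_TEXT: prints a verdict; returns 0 if the entitlement
# is present (finding), 1 if absent (clean).
audit_plist() {
    if printf '%s' "$2" | has_get_task_allow; then
        echo "$1: get-task-allow PRESENT - any local process may attach a debugger"
        return 0
    fi
    echo "$1: get-task-allow absent"
    return 1
}

audit_plist "sample bundle (vulnerable)" "$VULNERABLE_PLIST" || true
audit_plist "sample bundle (fixed)" "$FIXED_PLIST" || true
```

Run against a real bundle, a PRESENT verdict on a Hardened Runtime app is the condition to flag; release builds should not carry this entitlement.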