Mihomo Party Local Privilege Escalation Vulnerability via Unprotected UNIX Socket

Vulnerability

A local privilege escalation vulnerability has been identified in Mihomo Party versions prior to 1.8.1 on macOS. The issue lies in the Socket Handler component, specifically in the 'enableSysProxy' function of 'src/main/sys/sysproxy.ts'. The root cause is that the privileged helper exposes a root-owned UNIX domain socket at '/tmp/mihomo-party-helper.sock' with world-readable and world-writable permissions; in effect, a temporary file in a shared directory is created with insecure permissions. Because the socket accepts unauthenticated HTTP requests that modify system-wide proxy settings, any local user can direct the system's traffic through an attacker-controlled server, potentially leading to man-in-the-middle attacks and data exfiltration.

Impact

Exploitation of this vulnerability allows a local, unprivileged user to change system-wide proxy settings through the privileged helper, without root access or user interaction. An attacker can redirect all HTTP, HTTPS, and SOCKS traffic through a server under their control, intercepting sensitive data such as authentication tokens and credentials, or disrupt network connectivity by pointing the system at an invalid proxy. The change is persistent and affects every application and system service that honours the system proxy, including browsers and CLI tools.

Reproduction

To reproduce this vulnerability, the privileged helper must first be installed and authorized, which is a one-time step taken by the legitimate user so that subsequent privileged operations no longer trigger the TCC prompt. Once the helper is in place, launching the vulnerable application creates the unprotected UNIX socket. Any local user can then connect to the socket and send proxy-configuration requests, routing the victim's traffic through an attacker-controlled server. Whether a host is exposed can be confirmed by checking that the socket file is owned by root and carries the world-writable permission bit.
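The following is an added example, not code from Mihomo Party or from the advisory, that shows the two things a practitioner wants here: an audit routine that inspects a socket path for the root-owned, world-writable pattern described in the Vulnerability section, and the exposed socket-creation pattern beside a hardened form (restrictive umask before bind, owner-only mode after). The names `auditSocket`, `startHelperSocket` and `demo` are assumptions for illustration; the demo binds throwaway sockets in a temporary directory, not the real '/tmp/mihomo-party-helper.sock'.

```typescript
import * as fs from 'fs';
import * as net from 'net';
import * as os from 'os';
import * as path from 'path';

// Result of inspecting a UNIX socket path on disk.
export interface SocketAudit {
  exists: boolean;
  isSocket: boolean;
  ownerUid: number;
  mode: number;            // permission bits only (masked with 0o777)
  worldWritable: boolean;
  groupWritable: boolean;
  rootOwnedAndWorldWritable: boolean; // the exact pattern behind this advisory
}

// Inspect a socket path the way an auditor would on an affected host.
// On macOS and Linux a client needs write permission on the socket file
// to connect(), so a root-owned socket with o+w is reachable by every
// local user, which is the precondition for this bug.
export function auditSocket(sockPath: string): SocketAudit {
  let st: fs.Stats;
  try {
    st = fs.lstatSync(sockPath);
  } catch {
    return { exists: false, isSocket: false, ownerUid: -1, mode: 0,
             worldWritable: false, groupWritable: false,
             rootOwnedAndWorldWritable: false };
  }
  const mode = st.mode & 0o777;
  const worldWritable = (mode & 0o002) !== 0;
  const groupWritable = (mode & 0o020) !== 0;
  return {
    exists: true,
    isSocket: st.isSocket(),
    ownerUid: st.uid,
    mode,
    worldWritable,
    groupWritable,
    rootOwnedAndWorldWritable: st.isSocket() && st.uid === 0 && worldWritable,
  };
}

// Start a listening UNIX socket. hardened === false reproduces the exposed
// pattern: the socket file gets 0777 & ~umask, and with a permissive umask
// it ends up world-writable. hardened === true applies the fix: a 0o077
// umask so the file is never created wider than owner-only (closing the
// window between bind() and chmod()), then an explicit 0600 mode.
export function startHelperSocket(sockPath: string, hardened: boolean): net.Server {
  const server = net.createServer((conn) => {
    // Placeholder handler (assumption): a real helper would parse and
    // authenticate the request here before touching system settings.
    conn.end();
  });
  const previousUmask = process.umask(hardened ? 0o077 : 0o000);
  try {
    // For a UNIX path, Node binds synchronously inside listen(); the
    // socket file exists once this call returns.
    server.listen(sockPath);
  } finally {
    process.umask(previousUmask);
  }
  if (hardened) {
    fs.chmodSync(sockPath, 0o600); // belt and braces on top of the umask
  }
  return server;
}

// Stand-alone demo on a throwaway temp directory (constructed input).
export function demo(): { vulnerable: SocketAudit; hardened: SocketAudit } {
  const dir = fs.mkdtempSync(path.join(os.tmpdir(), 'sock-audit-'));
  const vulnPath = path.join(dir, 'vulnerable.sock');
  const hardPath = path.join(dir, 'hardened.sock');
  const s1 = startHelperSocket(vulnPath, false);
  const s2 = startHelperSocket(hardPath, true);
  const result = { vulnerable: auditSocket(vulnPath), hardened: auditSocket(hardPath) };
  s1.close();
  s2.close();
  fs.rmSync(dir, { recursive: true, force: true });
  return result;
}
```

Run `demo()` as an unprivileged user and the vulnerable socket reports `worldWritable: true` while the hardened one reports mode 0600; run `auditSocket` against the real path on a host with the helper installed and `rootOwnedAndWorldWritable` is the verdict to look at. Tightening the mode only means that non-root users can no longer connect; a root helper that must still serve an unprivileged GUI needs an authenticated channel (for example checking peer credentials, or on macOS using an XPC service with an authorization check) rather than accepting any HTTP request that arrives on the socket.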

Added: Aug 26, 2025, 5:18 AM
Updated: Aug 26, 2025, 5:18 AM