alaneuler batteryKid Missing Authentication Vulnerability in Privilege Helper XPC Service on macOS

Vulnerability

A vulnerability exists in alaneuler batteryKid versions through 2.1 on macOS. The issue arises from a root-privileged XPC helper that does not authenticate the clients calling its privileged functions. The helper, registered as a Mach service with NSXPCListener, accepts a connection from any local process without verifying the caller's identity or code signature, so any local user can perform privileged operations on the System Management Controller (SMC) without authorization. Exploitation can disrupt normal hardware functions such as battery charging and power-adapter handling, potentially leading to battery damage and overheating.

Impact

Exploitation allows local users to disable battery charging, make the system behave as if the power adapter were disconnected, manipulate fan speeds, and cause a denial of service on laptops by draining the battery. This bypasses the boundary macOS maintains between unprivileged user processes and root-level system operations.

Reproduction

The vulnerability can be reproduced by connecting to the Mach service 'me.alaneuler.batteryKid.PrivilegeHelper' with NSXPCConnection from any unprivileged local process. Once connected, the exposed methods can be called directly to perform unauthorized SMC writes that disrupt normal hardware operation.

Remediation

To address this vulnerability, it is recommended to validate each incoming connection in the listener delegate using the client's audit token and check the client's code signature against the app's designated requirement before the connection is accepted (checking only the caller's PID is racy, since PIDs can be reused), restrict exposed methods to a minimal, read-only subset for non-privileged clients, perform this authentication before accepting requests rather than inside individual methods, and use SMJobBless properly (or SMAppService on macOS 13 and later) so that the user explicitly consents to installing the elevated helper.
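The following is an added example (not batteryKid's own code) of how a helper's NSXPCListener delegate can apply the checks above: it reads the peer's audit token, validates the peer's running code against a designated requirement, and hands verified clients the full interface while unverified clients get only a read-only one. The protocol methods, the HelperService class, and the Team ID in the requirement string are assumptions, since the page does not name the helper's exposed methods; reading the audit token through the private `auditToken` property via KVC is also an assumption about that private API.

```swift
import Foundation
import Security

// Hypothetical interfaces: the page does not name the helper's methods.
// Read-only calls can be offered to any local client.
@objc protocol ReadOnlyHelperProtocol {
    func getChargingEnabled(withReply reply: @escaping (Bool) -> Void)
}

// Privileged calls (SMC writes) are exposed only to a verified client.
@objc protocol PrivilegeHelperProtocol: ReadOnlyHelperProtocol {
    func setChargingEnabled(_ enabled: Bool, withReply reply: @escaping (Bool) -> Void)
}

final class HelperService: NSObject, PrivilegeHelperProtocol {
    private var chargingEnabled = true   // placeholder state instead of a real SMC read

    func getChargingEnabled(withReply reply: @escaping (Bool) -> Void) {
        reply(chargingEnabled)
    }

    func setChargingEnabled(_ enabled: Bool, withReply reply: @escaping (Bool) -> Void) {
        // The actual SMC write is out of scope here; only a verified client
        // can reach this method because of the interface chosen below.
        chargingEnabled = enabled
        NSLog("SMC write: charging=%d", enabled ? 1 : 0)
        reply(true)
    }
}

/// Decides per connection which interface the peer may use, based on the
/// peer's code signature rather than on a PID (PIDs can be reused).
final class HelperListenerDelegate: NSObject, NSXPCListenerDelegate {
    private let requirement: SecRequirement

    init?(clientRequirement text: String) {
        var req: SecRequirement?
        guard SecRequirementCreateWithString(text as CFString, SecCSFlags(), &req) == errSecSuccess,
              let r = req else { return nil }
        requirement = r
        super.init()
    }

    func listener(_ listener: NSXPCListener,
                  shouldAcceptNewConnection newConnection: NSXPCConnection) -> Bool {
        let trusted: Bool
        if let token = HelperListenerDelegate.auditToken(of: newConnection) {
            trusted = HelperListenerDelegate.peerSatisfiesRequirement(token, requirement)
        } else {
            trusted = false
        }
        // Verified clients get the privileged protocol; everyone else only
        // the read-only subset. The check happens before resume(), so no
        // request from an unverified peer reaches a privileged method.
        let iface = trusted ? PrivilegeHelperProtocol.self : ReadOnlyHelperProtocol.self
        newConnection.exportedInterface = NSXPCInterface(with: iface)
        newConnection.exportedObject = HelperService()
        newConnection.resume()
        NSLog("XPC peer pid %d accepted, privileged=%d", newConnection.processIdentifier, trusted ? 1 : 0)
        return true
    }

    /// NSXPCConnection carries the peer's audit token in a private
    /// `auditToken` property; reading it via KVC is an assumption about
    /// that private API, but it is the only race-free identity source.
    static func auditToken(of connection: NSXPCConnection) -> audit_token_t? {
        guard let value = connection.value(forKey: "auditToken") as? NSValue else { return nil }
        var token = audit_token_t()
        value.getValue(&token, size: MemoryLayout<audit_token_t>.size)
        return token
    }

    /// Resolves the audit token to the running code and checks its
    /// signature against the designated requirement.
    static func peerSatisfiesRequirement(_ token: audit_token_t, _ requirement: SecRequirement) -> Bool {
        var token = token
        let tokenData = Data(bytes: &token, count: MemoryLayout<audit_token_t>.size)
        let attrs: [CFString: Any] = [kSecGuestAttributeAudit: tokenData]
        var code: SecCode?
        guard SecCodeCopyGuestWithAttributes(nil, attrs as CFDictionary, SecCSFlags(), &code) == errSecSuccess,
              let peer = code else { return false }
        // Validates the code that is actually running, not just a binary on disk.
        return SecCodeCheckValidity(peer, SecCSFlags(), requirement) == errSecSuccess
    }
}

// TEAMID0000 is a placeholder (assumption); use the app's real designated requirement.
let requirementText = "anchor apple generic and identifier \"me.alaneuler.batteryKid\" " +
    "and certificate leaf[subject.OU] = \"TEAMID0000\""
guard let delegate = HelperListenerDelegate(clientRequirement: requirementText) else {
    fatalError("invalid code-signing requirement")
}
let listener = NSXPCListener(machServiceName: "me.alaneuler.batteryKid.PrivilegeHelper")
listener.delegate = delegate
listener.resume()
RunLoop.main.run()
```

The requirement string pins both the bundle identifier and the signing Team ID, so a renamed or re-signed copy of the client does not pass. Offering a read-only interface to unverified peers follows the remediation advice on this page; if the helper has no need to answer unprivileged callers at all, returning false from the delegate for untrusted peers is the smaller attack surface.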

Added: Sep 2, 2025, 5:27 AM
Updated: Sep 2, 2025, 5:27 AM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 2.5
exploitability: 6.0
remediation: 0.0
relevance: 0.5
threat: 6.4
urgency: 2.9
incentive: 0.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.