Waves Central
- >= 13.0.9, <= 16.5.5
A local privilege escalation vulnerability has been identified in Waves Central for macOS, affecting versions from 13.0.9 and prior to 16.5.5. The vulnerability arises from a trusted XPC client component that is signed with hardened runtime entitlements which allow dynamic library injection. A local attacker can exploit this by setting the DYLD_INSERT_LIBRARIES environment variable to inject a malicious dynamic library into the trusted client process at launch. The injected code executes within the signed process and can interact with the product's privileged helper service to perform privileged operations, leading to arbitrary code execution as root.
Exploitation of this vulnerability allows for local privilege escalation, with unauthorized users gaining root access on the system.
The vulnerability can be reproduced by injecting a dynamic library into the 'InstlHelperApplication' XPC client using the DYLD_INSERT_LIBRARIES environment variable. Once the library is loaded, the 'executeIrlFileWithPath' function can be called to execute a shell script as root, demonstrating the privilege escalation.
Users are advised to update to Waves Central version 16.6.2, which addresses this vulnerability.
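A defender-side check for the condition described above, as an added example that is not part of the original advisory or the vendor's code: it parses the entitlements that `codesign` reports for a signed binary and flags the hardened-runtime exceptions that make DYLD_INSERT_LIBRARIES injection possible. The advisory does not name the entitlements involved; the two keys checked are Apple's documented exceptions and are an assumption here, as are the names `assess` and `read_entitlements` and the constructed sample plist.

```python
import plistlib
import subprocess
import sys

# Apple's hardened-runtime exception entitlements relevant to dylib injection
# (assumed; the advisory does not say which ones the affected client carries).
ALLOW_DYLD_ENV = "com.apple.security.cs.allow-dyld-environment-variables"
DISABLE_LIBVAL = "com.apple.security.cs.disable-library-validation"

# Constructed sample, not the vendor's real entitlements.
SAMPLE_ENTITLEMENTS = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>com.apple.security.cs.allow-dyld-environment-variables</key><true/>
  <key>com.apple.security.cs.disable-library-validation</key><true/>
</dict></plist>"""


def read_entitlements(path):
    """Dump a signed binary's entitlements as XML (macOS 12+ codesign syntax)."""
    proc = subprocess.run(
        ["codesign", "-d", "--entitlements", "-", "--xml", path],
        capture_output=True, check=True)
    return proc.stdout


def assess(entitlements_xml):
    """Return (severity, reasons) for one entitlements plist."""
    data = entitlements_xml.strip()
    # codesign prints nothing when a binary has no entitlements at all.
    ents = plistlib.loads(data) if data else {}
    reasons = []
    if ents.get(ALLOW_DYLD_ENV) is True:
        reasons.append("honors DYLD_* variables such as DYLD_INSERT_LIBRARIES")
    if ents.get(DISABLE_LIBVAL) is True:
        reasons.append("loads libraries not signed by Apple or the same Team ID")
    # Both together let an arbitrary local library run inside the signed process.
    severity = {0: "ok", 1: "review", 2: "injectable"}[len(reasons)]
    return severity, reasons


if __name__ == "__main__":
    # Audit the paths given on the command line, or fall back to the sample.
    paths = sys.argv[1:]
    blobs = {p: read_entitlements(p) for p in paths} or {"sample": SAMPLE_ENTITLEMENTS}
    for name, xml in blobs.items():
        severity, reasons = assess(xml)
        print(f"{name}: {severity}", *reasons, sep="\n  - ")
```

A binary that reports `injectable` and also acts as a trusted client of a privileged helper is the combination the advisory describes; `review` means only one of the two exceptions is present.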