Waves Central
- >= 13.0.9, <= 16.5.5
A local privilege escalation vulnerability has been identified in Waves Central for macOS, affecting versions 13.0.9 and later, prior to 16.5.5. The issue resides in the privileged helper service, which improperly validates connecting XPC clients by using the client process identifier (PID) for code-signing verification. This creates a race condition: a local attacker can manipulate the validation process and gain unauthorized access to privileged operations. As a result, the attacker could execute arbitrary code with root privileges.
Successful exploitation results in local privilege escalation: an unauthorized local user gains root access through the flawed XPC client validation in the privileged helper service.
The vulnerability can be reproduced by injecting a malicious dynamic library into a legitimate process that is allowed to connect to the Waves Central privileged helper via XPC. The injected library can then use the 'executeIrlFileWithPath' function of the helper to execute a payload as root. This exploitation takes advantage of the race condition created by PID reuse, tricking the helper into trusting an attacker-controlled process.
Users are advised to update to Waves Central version 16.6.2, which addresses this vulnerability. The updated version can be downloaded from the Waves Central download page.
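The PID-based client check described above, next to a corrected form that validates the peer by audit token, as an added Objective-C example; this is not Waves Central's code, and the requirement string, identifier and Team ID are placeholders. The `auditToken` property is not in Apple's public headers and is declared here through a category, which is an assumption about a private interface.

```objective-c
#import <Foundation/Foundation.h>
#import <Security/Security.h>
#include <mach/message.h>   // audit_token_t

// NSXPCConnection holds the peer's audit token, but the property is absent from
// the public headers; declaring it in a category is a common workaround.
@interface NSXPCConnection (PeerAuditToken)
@property (nonatomic, readonly) audit_token_t auditToken;
@end

// Placeholder requirement (assumption): use the real client identifier and Team ID.
static NSString *const kClientRequirement =
    @"anchor apple generic and identifier \"com.example.client\" "
    @"and certificate leaf[subject.OU] = \"TEAMID0000\"";

// Resolve a running process from the given attributes and test its signature.
static BOOL GuestSatisfiesRequirement(NSDictionary *attrs) {
    SecCodeRef code = NULL;
    SecRequirementRef req = NULL;
    BOOL ok = NO;
    if (SecCodeCopyGuestWithAttributes(NULL, (__bridge CFDictionaryRef)attrs,
                                       kSecCSDefaultFlags, &code) == errSecSuccess &&
        SecRequirementCreateWithString((__bridge CFStringRef)kClientRequirement,
                                       kSecCSDefaultFlags, &req) == errSecSuccess) {
        ok = (SecCodeCheckValidity(code, kSecCSDefaultFlags, req) == errSecSuccess);
    }
    if (code) CFRelease(code);
    if (req) CFRelease(req);
    return ok;
}

// Weak pattern from the advisory: the peer is looked up by PID. A PID names a
// slot, not a process instance, so it can refer to different code at check time.
BOOL ClientIsTrustedByPID(NSXPCConnection *conn) {
    NSDictionary *attrs = @{ (__bridge NSString *)kSecGuestAttributePid :
                                 @(conn.processIdentifier) };
    return GuestSatisfiesRequirement(attrs);
}

// Hardened form: the audit token is supplied by the kernel for this connection
// and includes a PID version, so it identifies one exact process instance.
BOOL ClientIsTrustedByAuditToken(NSXPCConnection *conn) {
    audit_token_t token = conn.auditToken;
    NSDictionary *attrs = @{ (__bridge NSString *)kSecGuestAttributeAudit :
                                 [NSData dataWithBytes:&token length:sizeof(token)] };
    return GuestSatisfiesRequirement(attrs);
}
```

Call the token-based check from `listener:shouldAcceptNewConnection:` and return `NO` on failure. Because the reproduction above loads a library into an allowed client, the check only holds if that client is also built with the hardened runtime and library validation.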