Vienna Symphonic Library Vienna Assistant Privilege Escalation Vulnerability
Vulnerability
A local privilege escalation vulnerability has been identified in the Vienna Assistant software for macOS, specifically in version 1.2.542. The issue arises from the VSL privileged helper's use of NSXPC for interprocess communication (IPC) without proper validation of client connections. This flaw allows any process to connect to the XPC listener and invoke functions defined in the HelperToolProtocol, including 'writeReceiptFile' and 'runUninstaller', which lack argument validation. Exploiting this vulnerability enables an attacker to write files to arbitrary locations or execute files with any arguments, leading to unauthorized privilege escalation.
Impact
Exploitation of this vulnerability allows for local privilege escalation, with the potential to execute commands as the root user.
Reproduction
To reproduce this vulnerability, a process must be created that defines the same Objective-C protocol as the one used by the VSL privileged helper. This process can then establish a connection to the XPC service without any validation. Once connected, the process can invoke any function available in the HelperToolProtocol, including the 'writeReceiptFile' and 'runUninstaller' functions. The 'runUninstaller' function can be specifically used to execute bash commands as root, demonstrating the privilege escalation aspect of the vulnerability.
Remediation
The vendor has not responded to communication attempts, and no patch is currently available. Users are advised to contact the vendor and request a fix.
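For developers of similar privileged helpers, the following added example (not the vendor's code) sketches the two missing controls: a code-signing requirement on the NSXPC listener and a helper method that takes no caller-supplied path or arguments. The Mach service name, bundle identifier, team ID, uninstaller path and the method signature are constructed placeholders, since the advisory does not give them.

```objective-c
#import <Foundation/Foundation.h>

// Hypothetical signature: the advisory names runUninstaller but not its arguments.
@protocol HelperToolProtocol
- (void)runUninstallerWithReply:(void (^)(BOOL ok))reply;
@end

// Constructed placeholders, not the vendor's real identifiers or paths.
static NSString *const kMachService = @"com.example.helper";
static NSString *const kClientRequirement =
    @"anchor apple generic and identifier \"com.example.client\" "
    @"and certificate leaf[subject.OU] = \"TEAMID1234\"";
static NSString *const kUninstaller = @"/Library/PrivilegedHelperTools/example-uninstaller";

@interface Helper : NSObject <NSXPCListenerDelegate, HelperToolProtocol>
@end

@implementation Helper
- (BOOL)listener:(NSXPCListener *)listener shouldAcceptNewConnection:(NSXPCConnection *)conn {
    // Only reached for peers that already satisfied kClientRequirement.
    conn.exportedInterface = [NSXPCInterface interfaceWithProtocol:@protocol(HelperToolProtocol)];
    conn.exportedObject = self;
    [conn resume];
    return YES;
}

- (void)runUninstallerWithReply:(void (^)(BOOL))reply {
    // The client supplies neither the executable path nor its arguments:
    // root only ever runs one fixed, root-owned binary.
    NSTask *task = [NSTask new];
    task.executableURL = [NSURL fileURLWithPath:kUninstaller];
    task.arguments = @[];
    NSError *error = nil;
    reply([task launchAndReturnError:&error]);
}
@end

int main(void) {
    @autoreleasepool {
        Helper *helper = [Helper new];
        NSXPCListener *listener = [[NSXPCListener alloc] initWithMachServiceName:kMachService];
        // macOS 13+: peers whose code signature fails the requirement are rejected by the system.
        [listener setConnectionCodeSigningRequirement:kClientRequirement];
        listener.delegate = helper;
        [listener resume];
        [[NSRunLoop currentRunLoop] run];
    }
    return 0;
}
```

On systems older than macOS 13, `setConnectionCodeSigningRequirement:` is unavailable and the equivalent check has to be done against the connecting process's code signature inside `listener:shouldAcceptNewConnection:`.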
