Native Instruments Native Access Privileged Helper DYLIB Injection Vulnerability Allowing Local Privilege Escalation
Vulnerability
A local privilege escalation vulnerability has been identified in the Native Instruments Native Access application for macOS, in versions up to 3.22.0. The Native Access installer deploys a privileged helper, 'com.native-instruments.NativeAccess.Helper2', which performs file operations (copying files, removing files, setting permissions) on behalf of the application over XPC. The helper's validation of the connecting XPC client is flawed: it trusts the Native Access application on the strength of its valid code signature, but the application is signed with entitlements that allow DYLD environment variables and disable library validation, so a low-privileged local user can inject an arbitrary DYLIB into the signed process. Code in the injected DYLIB then runs in the context of the trusted Native Access application and can issue requests to the privileged helper as that client. The reported exploitation chain uses the helper to delete '/etc/sudoers' and then copy an attacker-controlled sudoers file back to that location, granting the user root privileges through sudo.
Impact
Successful exploitation gives a low-privileged local user root-level access. The attack replaces '/etc/sudoers', the system configuration file that defines which users may run commands through sudo and with what privileges, so the attacker can grant their own account unrestricted sudo rights.
Reproduction
The vulnerability can be reproduced by first confirming that Native Access is installed and that its main executable carries both the 'com.apple.security.cs.allow-dyld-environment-variables' and the 'com.apple.security.cs.disable-library-validation' entitlements; together these are what make DYLIB injection possible against a hardened-runtime application, and they can be inspected with the 'codesign' utility. Once confirmed, craft a DYLIB that, when loaded into the Native Access process, connects to the privileged helper's XPC service and requests deletion of '/etc/sudoers'. The same DYLIB can then request that an attacker-supplied sudoers file be copied to '/etc/sudoers'. Note that sudo refuses to use a sudoers file whose ownership or mode it considers unsafe, so the copy performed by the helper must leave the file owned by root with restrictive permissions; the helper's ability to set permissions is relevant here.
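The following POSIX shell script is an added example, not code from the original advisory or from Native Instruments. It automates the precondition checks from the reproduction steps: it dumps the application's entitlements with codesign, tests for the two injection-enabling entitlements, and checks that the privileged helper is on disk. The app bundle path, the helper's location under /Library/PrivilegedHelperTools and its launchd plist, and the name of the main executable are assumptions; the embedded entitlements plist is a constructed sample used so the parsing functions can run offline, and the DYLIB itself (the XPC client) is not part of this example.

```shell
#!/bin/sh
# Constructed sample of what `codesign -d --entitlements :- <app>` prints for
# an app signed with both injection-enabling entitlements (not captured from
# a real Native Access build).
SAMPLE_ENTITLEMENTS='<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>com.apple.security.cs.allow-dyld-environment-variables</key>
  <true/>
  <key>com.apple.security.cs.disable-library-validation</key>
  <true/>
</dict>
</plist>'

# Assumed install paths: the app bundle, the helper binary that SMJobBless-style
# installers place in /Library/PrivilegedHelperTools, and its launchd plist.
NA_APP="/Applications/Native Access.app"
NA_HELPER_LABEL="com.native-instruments.NativeAccess.Helper2"
NA_HELPER_BIN="/Library/PrivilegedHelperTools/$NA_HELPER_LABEL"
NA_HELPER_PLIST="/Library/LaunchDaemons/$NA_HELPER_LABEL.plist"

# has_entitlement KEY: read an entitlements plist on stdin; succeed only when
# KEY is present and set to <true/>. Whitespace is stripped first so the key
# and its value can be matched on one line regardless of plist formatting.
has_entitlement() {
    tr -d '\n\t ' | grep -qF "<key>$1</key><true/>"
}

# injectable_entitlements: read an entitlements plist on stdin; succeed when
# both entitlements needed for DYLD_INSERT_LIBRARIES injection into a
# hardened-runtime app are present. Either one alone is not enough: the first
# makes dyld honour the environment variable, the second lets the process load
# a library that is not signed by the same team.
injectable_entitlements() {
    ents=$(cat)
    printf '%s' "$ents" | has_entitlement com.apple.security.cs.allow-dyld-environment-variables &&
    printf '%s' "$ents" | has_entitlement com.apple.security.cs.disable-library-validation
}

# check_app APP: dump the real entitlements of a bundle with codesign (macOS
# only; on recent releases `codesign -d --entitlements - --xml` prints the same
# plist) and test them.
check_app() {
    codesign -d --entitlements :- "$1" 2>/dev/null | injectable_entitlements
}

# helper_installed: succeed when the privileged helper and its launchd job are
# on disk, i.e. the XPC service the injected DYLIB would talk to exists.
helper_installed() {
    [ -f "$NA_HELPER_BIN" ] && [ -f "$NA_HELPER_PLIST" ]
}

# main: report the preconditions, then show how the injection would be started.
main() {
    if check_app "$NA_APP"; then
        echo "[+] $NA_APP allows dyld env vars and disables library validation"
    else
        echo "[-] $NA_APP is missing an injection entitlement, or is not installed"
    fi
    if helper_installed; then
        echo "[+] privileged helper present: $NA_HELPER_BIN"
        launchctl print "system/$NA_HELPER_LABEL" 2>/dev/null | head -n 5
    else
        echo "[-] privileged helper not found at $NA_HELPER_BIN"
    fi
    echo "To load a library into the signed process (dylib path is hypothetical):"
    echo "  DYLD_INSERT_LIBRARIES=/tmp/inject.dylib \"$NA_APP/Contents/MacOS/Native Access\""
}

main "$@"
```

On a machine without the application or without codesign the script simply reports the missing preconditions. The entitlement test deliberately requires both keys: an app with only 'disable-library-validation' still ignores DYLD_INSERT_LIBRARIES under the hardened runtime, and one with only 'allow-dyld-environment-variables' will refuse to load a library signed by a different team.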
