Intego Personal Backup
- <= 10.9.x
A local privilege escalation vulnerability has been identified in Intego Log Reporter, a macOS utility that collects system and application logs for support analysis. This vulnerability arises from a root-executed diagnostic script that creates and writes files in the /tmp directory without proper secure directory handling, leading to a time-of-check to time-of-use (TOCTOU) race condition. A local unprivileged user can exploit this symlink-based race condition to write arbitrary files to privileged system locations, escalating privileges to root.
Exploitation of this vulnerability allows a local unprivileged user to gain root privileges on the system.
The vulnerability can be reproduced by creating a fake Firefox profile with a notificationstore.json file, which is then used to exploit the TOCTOU race condition while the Intego Log Reporter script is executed as root. This can be done by timing the creation of symbolic links and directories in the /tmp directory to coincide with the script's execution, causing files to be copied into sensitive locations such as /etc/sudoers.d/.
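The missing "secure directory handling" described above, shown as a hardened pattern for a root-run collection script. This is an added example, not Intego's script or fix; the function names, the logreport prefix and the base-directory parameter are hypothetical.

```shell
#!/bin/sh
# Added example (not Intego's code). Function names, the "logreport" prefix
# and the base-directory parameter are hypothetical.

# Create a private working directory with an unpredictable name.
# mktemp -d creates the directory atomically and fails if the name already
# exists, so a pre-planted symlink or directory is never adopted.
make_workdir() {
    base=${1:-/tmp}
    ( umask 077; mktemp -d "$base/logreport.XXXXXXXX" )
}

# Accept a directory only if it is a real directory (not a symlink),
# owned by the effective user, with no group/other permissions.
workdir_is_safe() {
    d=$1
    [ ! -L "$d" ] && [ -d "$d" ] && [ -O "$d" ] || return 1
    case $(ls -ld "$d") in
        drwx------*) return 0 ;;
        *) return 1 ;;
    esac
}

# Copy one user-controlled file (for example a profile's
# notificationstore.json) into the private directory.
# - symlinks and non-regular sources are refused
# - the destination name may not contain a path component
# - set -C (noclobber) makes the write fail if the target already exists
# The source check can still race, but the write lands only inside a
# directory no other user can modify, so it cannot be redirected.
collect_file() {
    src=$1 dir=$2 name=$3
    workdir_is_safe "$dir" || return 1
    [ ! -L "$src" ] && [ -f "$src" ] || return 1
    case $name in */*|.|..|'') return 1 ;; esac
    ( set -C; cat -- "$src" > "$dir/$name" ) 2>/dev/null
}
```

A collection script would call make_workdir once, keep every intermediate file inside the returned directory, and remove it on exit.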