CodexBar Privilege Escalation Vulnerability in CLI Installer Temporary File Handling

Vulnerability

A privilege escalation vulnerability has been identified in CodexBar versions prior to 0.32.0. It resides in the Command Line Interface (CLI) installer and lets a local attacker execute arbitrary commands as root. The issue is a time-of-check/time-of-use race condition in the handling of temporary files: the installer uses 'mktemp' to create a temporary file, writes a privileged shell payload into it, and later executes that file with administrator privileges via bash. Because the file stays on disk and writable between staging and execution, a same-user local process can modify the staged script before administrator approval is granted, so the approved step runs attacker-controlled commands with root privileges.

Impact

Exploitation of this vulnerability allows local attackers to gain root privileges by manipulating the CLI installer's temporary file handling.

Reproduction

To reproduce this vulnerability, run the CodexBar CLI installer on macOS. The installer will create a temporary file using 'mktemp' and write a privileged shell payload into it. Before the administrator approval prompt is displayed, a same-user local process can intercept and modify the temporary file, replacing the payload with arbitrary commands. Once the prompt is approved, the modified commands are executed as root.
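The pattern described above, as an added example that is not code from the CodexBar project: a race-prone "stage the privileged script in a temp file, execute it later" routine alongside two defensive alternatives. The payload, the function names, and the use of plain `sh` as a stand-in for the privileged runner are all assumptions for this demo; everything runs as the invoking user.

```sh
#!/bin/sh
# Added example (not CodexBar's installer code). Contrasts the race-prone
# "write privileged script to a temp file, execute it later" pattern with a
# hash-pinned variant and a no-file variant. Everything runs as the invoking
# user; plain "sh" stands in for the privileged runner (an assumption).

# Constructed stand-in for the installer's privileged shell payload.
PAYLOAD='echo privileged-step-ok'

# Portable SHA-256 of a file (coreutils sha256sum or macOS shasum).
file_sha256() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# Race-prone pattern: the script sits on disk, writable by the same user,
# for the whole time between staging and the prompt-gated execution.
# Prints the temp file path.
stage_vulnerable() {
    tmp=$(mktemp) || return 1
    printf '%s\n' "$PAYLOAD" > "$tmp"
    printf '%s\n' "$tmp"
}

# Mitigation 1 (detection only): stage in a fresh 0700 directory, make the
# script read-only and pin its hash. A same-user process can still chmod and
# rewrite the file, so this catches tampering rather than preventing it.
# Prints "<path> <sha256>".
stage_pinned() {
    dir=$(mktemp -d) || return 1
    chmod 700 "$dir"
    script="$dir/install.sh"
    printf '%s\n' "$PAYLOAD" > "$script"
    chmod 400 "$script"
    printf '%s %s\n' "$script" "$(file_sha256 "$script")"
}

# Run a pinned script only if its hash still matches; otherwise print
# "rejected" and return 1. A residual window remains between the hash
# check and the exec, which is why Mitigation 2 is preferred.
run_pinned() {
    script=$1
    expected=$2
    actual=$(file_sha256 "$script")
    if [ "$actual" != "$expected" ]; then
        echo rejected
        return 1
    fi
    sh "$script"
}

# Mitigation 2 (preferred): keep the script out of the filesystem entirely
# and feed it to the privileged runner over stdin, so there is no file for
# another process to edit between approval and execution.
run_inline() {
    printf '%s\n' "$PAYLOAD" | sh -s
}

demo() {
    tmp=$(stage_vulnerable)
    [ -w "$tmp" ] && echo "race-prone: $tmp is writable until executed"
    rm -f "$tmp"

    staged=$(stage_pinned)
    run_pinned "${staged% *}" "${staged#* }"
    rm -rf "$(dirname "${staged% *}")"

    run_inline
}

demo
```

The hash-pinned variant is worth having only as a detection aid: the check and the exec are still two separate operations on a file the same user can rewrite. Passing the script over stdin (or as an inline argument) to the privileged runner removes the on-disk artefact altogether, which is the property the advisory's fix needs.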

Remediation

Update to CodexBar version 0.32.0 or later, where this vulnerability has been addressed.

Added: Jun 1, 2026, 9:26 PM
Updated: Jun 1, 2026, 9:26 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 10.0
exploitability: 3.9
remediation: 0.0
relevance: 9.7
threat: 4.8
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.