CVE-2023-33298 - Perimeter81 Local Privilege Escalation

Exploiting XPC HelperTool to gain LPE



Posted by NSEcho on 2023-06-30 00:38:03

Introduction

Today we will be analyzing CVE-2023-33298, a Local Privilege Escalation in the Perimeter81 macOS application. We will exploit an XPC service misconfiguration together with a command injection vulnerability to gain root privileges.

Analysis

Perimeter81 installs a LaunchDaemon, so we can start by examining the content of com.perimeter81.osx.HelperTool.plist located in the /Library/LaunchDaemons/ directory.

LaunchDaemon plist file

We can see that the MachServices key is a dictionary containing com.perimeter81.osx.HelperTool. This is the name of the Mach service registered with launchd on behalf of the com.perimeter81.osx.HelperTool binary, which runs as root because it is a LaunchDaemon.
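The manual inspection above can be scripted. The following is an added example for this write-up (not Perimeter81's code): it parses a LaunchDaemon plist with the standard library, pulls out the Label, the program launchd runs and the Mach service names, and flags helpers living under /Library/PrivilegedHelperTools. On macOS it walks /Library/LaunchDaemons; elsewhere it falls back to a constructed sample plist whose Program path and Label are assumptions modelled on the fields the write-up points at.

```python
"""Triage LaunchDaemon plists for privileged helpers that expose Mach services.

Added example for this write-up, not Perimeter81's code. It automates what the
write-up does by hand: read a LaunchDaemon plist and report the MachServices
names together with the helper binary that serves them.
"""
import glob
import plistlib
from xml.parsers.expat import ExpatError

PRIVILEGED_DIR = "/Library/PrivilegedHelperTools/"

# Constructed sample plist. The MachServices name is the one from the write-up;
# the Program path and Label are assumptions for the demo, not the real file.
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>Label</key>
    <string>com.perimeter81.osx.HelperTool</string>
    <key>MachServices</key>
    <dict>
        <key>com.perimeter81.osx.HelperTool</key>
        <true/>
    </dict>
    <key>Program</key>
    <string>/Library/PrivilegedHelperTools/com.perimeter81.osx.HelperTool</string>
</dict>
</plist>
"""


def helper_program(plist):
    """Executable launchd runs for this job: Program wins, else ProgramArguments[0]."""
    if "Program" in plist:
        return plist["Program"]
    args = plist.get("ProgramArguments") or []
    return args[0] if args else None


def triage_plist(data):
    """Summarise one LaunchDaemon plist: label, program and exposed Mach service names."""
    plist = plistlib.loads(data)
    program = helper_program(plist)
    services = plist.get("MachServices") or {}
    return {
        "label": plist.get("Label"),
        "program": program,
        "mach_services": sorted(services.keys()),
        # Helpers under PrivilegedHelperTools are the SMJobBless-style root helpers
        # that are worth auditing for XPC client validation.
        "privileged_helper": bool(program and program.startswith(PRIVILEGED_DIR)),
    }


def triage_directory(directory="/Library/LaunchDaemons"):
    """Run triage over every plist in a directory (macOS only); skip unreadable or malformed files."""
    results = []
    for path in sorted(glob.glob(directory + "/*.plist")):
        try:
            with open(path, "rb") as fh:
                results.append((path, triage_plist(fh.read())))
        except (OSError, ExpatError, plistlib.InvalidFileException):
            continue
    return results


if __name__ == "__main__":
    found = triage_directory() or [("<constructed sample>", triage_plist(SAMPLE_PLIST))]
    for path, info in found:
        if info["mach_services"]:
            print(path, info)
```

Every job this prints is a root process reachable from an unprivileged user over XPC; the next question for each one is whether the helper validates who is connecting, which is what the rest of the analysis looks at.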

If we now load /Library/PrivilegedHelperTools/com.perimeter81.osx.HelperTool into Hopper and search for xpc_connection_create_mach_service, we can confirm that the function is called with com.perimeter81.osx.HelperTool as its first argument, i.e. the helper is the listener side of that Mach service.

Mach Service Creation

From the image, we can also see that it calls xpc_connection_set_event_handler with &var_40, a block allocated on the stack. From the Blocks ABI documentation we can conclude that such a structure starts with an isa pointer (which kind of block this is), followed by two ints (flags and reserved), then void (*invoke)(void *, ...);, the function pointer to the actually compiled block body, and after that a pointer to the block descriptor and any captured variables.

Inside the disassembly we can see *(&var_40 + 0x10) = sub_1002169d7;. Offset 0x10 is exactly where invoke sits (8 bytes for isa plus 4 + 4 for flags and reserved), so sub_1002169d7 is the body of the event handler. Let's now examine this function.
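Rather than trusting the 0x10 arithmetic, it can be checked against a model of the layout. The following is an added example (not from the write-up or from Perimeter81): it declares the Block_layout structure with explicit field widths, computes the offset of invoke, and decodes a constructed 32-byte block image the way one would decode a memory dump from a debugger. The isa and descriptor addresses in the sample are made up; the invoke value is the handler address named in the text.

```python
"""Recover a block's invoke pointer from its in-memory layout.

Added example, not part of the original write-up. It models the Block_layout
struct described in the text so the `+0x10` seen in the disassembly can be
verified, and decodes a block image the way a debugger dump would be read.
"""
import ctypes
import struct

# Flag bits from the open-source Blocks runtime (Block_private.h).
BLOCK_IS_GLOBAL = 1 << 28
BLOCK_HAS_SIGNATURE = 1 << 30


class BlockLayout(ctypes.Structure):
    """struct Block_layout on 64-bit macOS, with explicit widths so the layout does not depend on the host."""
    _fields_ = [
        ("isa", ctypes.c_uint64),         # +0x00 class pointer, e.g. _NSConcreteGlobalBlock
        ("flags", ctypes.c_int32),        # +0x08
        ("reserved", ctypes.c_int32),     # +0x0c
        ("invoke", ctypes.c_uint64),      # +0x10 compiled block body
        ("descriptor", ctypes.c_uint64),  # +0x18 pointer to Block_descriptor
    ]


def invoke_offset():
    """Offset of the invoke field; this is the 0x10 the decompiler adds to &var_40."""
    return BlockLayout.invoke.offset


def block_header_size():
    """Size of the fixed header; captured variables follow it."""
    return ctypes.sizeof(BlockLayout)


def parse_block(raw):
    """Decode the fixed header of a block object (as dumped from memory) into its fields."""
    size = block_header_size()
    if len(raw) < size:
        raise ValueError("need at least %d bytes of block header" % size)
    blk = BlockLayout.from_buffer_copy(raw[:size])
    return {
        "isa": blk.isa,
        "flags": blk.flags,
        "invoke": blk.invoke,
        "descriptor": blk.descriptor,
        "is_global": bool(blk.flags & BLOCK_IS_GLOBAL),
        "has_signature": bool(blk.flags & BLOCK_HAS_SIGNATURE),
    }


def invoke_from_raw_offset(raw):
    """What the decompiler output expresses: read the 8-byte pointer at +0x10 with no struct knowledge."""
    return struct.unpack_from("<Q", raw, 0x10)[0]


# Constructed block image. isa and descriptor addresses are assumptions for the
# demo; invoke is the handler address the write-up identifies (sub_1002169d7).
SAMPLE_BLOCK = struct.pack(
    "<QiiQQ",
    0x100300000,                            # isa (assumed)
    BLOCK_IS_GLOBAL | BLOCK_HAS_SIGNATURE,  # flags
    0,                                      # reserved
    0x1002169D7,                            # invoke -> sub_1002169d7
    0x100310000,                            # descriptor (assumed)
)

if __name__ == "__main__":
    print("invoke offset: 0x%x" % invoke_offset())
    print(parse_block(SAMPLE_BLOCK))
```

When a handler block is on the stack, as here, the 0x10 offset from the local variable is the same as the offset from a heap block, so the same decoding applies to both forms.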

Main connection handler

Inside the else branch we can see another call to xpc_connection_set_event_handler, this time on the newly accepted peer connection, with a block whose invoke pointer is set to sub_100216a98. Double clicking on this sub shows the following code.