Introduction
Today we will be analyzing CVE-2023-33298, a local privilege escalation in the Perimeter81 macOS application. We will be exploiting an XPC service misconfiguration together with a command injection vulnerability to gain root privileges.
Analysis
Perimeter81 adds an entry to LaunchDaemons, and we can examine the content of com.perimeter81.osx.HelperTool.plist located inside the /Library/LaunchDaemons/ directory.
We can see that the value of the MachServices key is a dictionary containing com.perimeter81.osx.HelperTool. This is the name of the Mach service exposed by the com.perimeter81.osx.HelperTool binary.
If we now load /Library/PrivilegedHelperTools/com.perimeter81.osx.HelperTool in Hopper and search for xpc_connection_create_mach_service, we can confirm that the function is called with com.perimeter81.osx.HelperTool as its first argument.
From the image, we can also see that it calls xpc_connection_set_event_handler with &var_40. Reading the block ABI documentation, we can conclude that this structure starts with an isa pointer (which identifies the kind of block), followed by two ints (flags and reserved), and finally a void (*invoke)(void *, ...); function pointer which points to the actually compiled block body. Inside the disassembly, we can see *(&var_40 + 0x10) = sub_1002169d7;, so the invoke pointer at offset 0x10 points to sub_1002169d7. Let's now examine this function.
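To make the offset arithmetic above concrete, here is an added example (written for this writeup, not code from the Perimeter81 binary or from Apple) that lays out a block literal by hand following the Clang block ABI, reads the invoke pointer from offset 0x10 exactly as the disassembly does, and dispatches through it. The struct name, the fake isa marker and the handler are assumptions for illustration; only the field order and the 0x10 offset come from the ABI described in the text.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Layout of a block object per the Clang block ABI (example struct, not
 * taken from the analysed binary). xpc_connection_set_event_handler()
 * receives a pointer to an object shaped like this. */
struct block_literal {
    void *isa;                       /* class pointer: which kind of block (stack/global/malloc) */
    int flags;
    int reserved;
    void (*invoke)(void *self, ...); /* compiled block body; stored at +0x10 in the disassembly */
    void *descriptor;                /* size and copy/dispose helpers, unused here */
};

/* 8 (isa) + 4 (flags) + 4 (reserved) on an LP64 target. */
#define BLOCK_INVOKE_OFFSET 0x10

typedef void (*block_invoke_fn)(void *, ...);
/* Concrete signature the handler in this example actually has. */
typedef void (*event_handler_fn)(void *self, intptr_t event);

/* Stand-in for the real event handler body: records the event it was given. */
static intptr_t last_event;
static void example_handler(void *self, intptr_t event) {
    (void)self;
    last_event = event;
}

/* Placeholder for the isa a real block carries (_NSConcreteStackBlock etc.). */
static int fake_isa_marker;

/* Given an opaque block pointer, recover its invoke pointer the same way a
 * reverse engineer reads it: from offset 0x10, without knowing the struct. */
block_invoke_fn block_invoke_ptr(const void *block) {
    block_invoke_fn fn;
    memcpy(&fn, (const char *)block + BLOCK_INVOKE_OFFSET, sizeof fn);
    return fn;
}

/* Build a block literal by hand and dispatch one event through its invoke
 * pointer. Returns the value the handler observed. */
intptr_t dispatch_event(intptr_t event) {
    struct block_literal blk = {
        .isa = &fake_isa_marker,
        .flags = 0,
        .reserved = 0,
        .invoke = (block_invoke_fn)example_handler,
        .descriptor = NULL,
    };
    /* Cast back to the handler's real type before calling, as compiled
     * block code does, so the call is well-defined. */
    event_handler_fn fn = (event_handler_fn)block_invoke_ptr(&blk);
    fn(&blk, event);
    return last_event;
}

int main(void) {
    printf("invoke offset = 0x%zx\n", offsetof(struct block_literal, invoke));
    printf("event seen by handler = %ld\n", (long)dispatch_event(42));
    return 0;
}
```

The point of the example is that once you know the block layout, the value written at +0x10 of the block pointer passed to xpc_connection_set_event_handler is the function that will run for every incoming XPC event, which is why following that pointer in the disassembly is the right next step.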
Inside the else branch we can see another call to xpc_connection_set_event_handler, this time with a block whose invoke pointer is set to sub_100216a98. Double clicking on this sub shows the following code.