Today we will be analyzing CVE-2023-33298, a Local Privilege Escalation in the Perimeter81 macOS application. We will exploit an XPC service misconfiguration together with a command injection vulnerability.
Perimeter81 adds an entry to LaunchDaemons, and we can examine the content of the
com.perimeter81.osx.HelperTool.plist located inside
We can see that the value of the
MachServices key is a dictionary containing
com.perimeter81.osx.HelperTool. This is the name of the Mach service exposed by the
If we now load
/Library/PrivilegedHelperTools/com.perimeter81.osx.HelperTool in Hopper and search for
xpc_connection_create_mach_service, we can
confirm that the function is called with
com.perimeter81.osx.HelperTool as its first argument.
From the image, we can also see that it passes a block on the stack,
&var_40, as an argument. From the Block ABI documentation we can
conclude that the structure begins with an
isa pointer (identifying the kind of block), followed by two ints (flags and reserved) and finally the
void (*invoke)(void *, ...); function pointer,
which points to the compiled block body. On 64-bit that is 8 + 4 + 4 bytes, so invoke sits at offset 0x10.
In the disassembly, we can see the assignment
*(&var_40 + 0x10) = sub_1002169d7;, i.e. the block's invoke pointer is set to
sub_1002169d7. Let's now examine this function.
In the else branch we can see another call to
xpc_connection_set_event_handler with a block whose
invoke pointer is set to
sub_100216a98. Double-clicking on this sub shows the following code.