Table of Contents
Introduction
Today we will be analyzing CVE-2023-33298 which is Local Privilege Escalation inside the Perimeter81 macOS application. We will be exploiting XPC service misconfiguration along with the Command Injection vulnerability
to gain root privileges.
Analysis
Perimeter81 adds an entry to LaunchDaemons, and we can examine the content of the com.perimeter81.osx.HelperTool.plist located inside /Library/LaunchDaemons/ directory.
We can see that the key for MachServices is dictionary containing com.perimeter81.osx.HelperTool. This is the name of mach service which is exposed by the
com.perimeter81.osx.HelperTool binary.
If we now load /Library/PrivilegedHelperTools/com.perimeter81.osx.HelperTool inside the Hopper and search for xpc_connection_create_mach_service we can
confirm that the function is called with com.perimeter81.osx.HelperTool as first argument.
From the image, we can also see that it calls xpc_connection_set_event_handler with &var_40. We can read documentation and
conlude that the structure contains isa pointer (which type of block is this), followed by two ints(flags and reserved) and finally void (*invoke)(void *, ...); function pointer
which points to the actualy compiled block body.
Inside the disassembly, we can see that *(&var_40 + 0x10) = sub_1002169d7; points to sub_1002169d7. Let’s now examine this function.
Inside the else we can see another call to xpc_connection_set_event_handler with the block that has invoke pointer set to sub_100216a98. Double clicking on this sub shows the following code.