Florian Haselsteiner

**Name of the Vulnerable Software and Affected Versions** Vienna Assistant (affected versions not specified) **Description** The Vienna Assistant privileged helper utilizes NSXPC for Inter-Process Communication (IPC). The implementation of the `shouldAcceptNewConnection` function, used by the NSXPC framework to validate client connections to the XPC listener, does not perform any client validation. This allows any process to connect to the service using the configured protocol and call all functions defined in the `HelperToolProtocol`. Specifically, the functions `writeReceiptFile` and `runUninstaller` within the `HelperToolProtocol` lack validation, enabling an attacker to write files to any location with arbitrary data and execute any file with any arguments. The absence of XPC client validation allows any process to invoke these functions, leading to privilege escalation. The vendor was unresponsive and did not provide a patch. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Arturia Software Center (MacOS) (affected versions not specified) **Description** The "Privileged Helper" component does not adequately validate client code signatures when a client attempts to connect. This allows an attacker to connect to the helper and execute actions with elevated privileges, potentially leading to local privilege escalation. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Arturia Software Center (affected versions not specified) **Description** The Arturia Software Center on MacOS installs a bash script, `uninstall.sh`, in a root-owned directory with permissions set to 777, making it writable by any user. During plugin uninstallation, the Privileged Helper executes this script. An attacker manipulating this script can lead to privilege escalation. The script is located at a root owned path and is written to disk with file permissions that allow any user to write to it. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Native Instruments Native Access (affected versions not specified) **Description** The Native Access application installs a privileged helper, `com.native-instruments.NativeAccess.Helper2`, used for triggering functions via XPC communication, such as file operations and permission settings. The application is signed with entitlements `com.apple.security.cs.allow-dyld-environment-variables` and `com.apple.security.cs.disable-library-validation`, enabling DYLIB injection and potential command execution. A user with low privileges can exploit this DYLIB injection to trigger functions within the privileged helper XPC service, leading to privilege escalation. Specifically, an attacker can delete the `/etc/sudoers` file and replace it with a malicious version, gaining elevated privileges. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Native Access (affected versions not specified) **Description** The XPC service within Native Access’s privileged helper is susceptible to a security issue. The service utilizes the process ID (PID) of connecting clients to validate code signatures, which is an insecure practice. This can be exploited through PID reuse attacks. The connection handler function, specifically ` xpc connection get pid(arg2)`, is used as an argument for the `hasValidSignature` function, but this value is not trustworthy due to the potential for PID reuse. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.