A critical privilege escalation vulnerability has been discovered that affects macOS devices, specifically machines with the GOG Galaxy software installed. The vulnerability has been assigned CVE-2023-40713 and carries a severity score of 7.8 (high).
GOG Galaxy is software designed to organize games from different platforms into a single library. The vulnerability lies in the validation of connections between the GOG Galaxy software and its XPC service.
CVE-2023-40713: Technical analysis
During GOG Galaxy installation, a new file named com.galaxy.ClientService.plist is created in the /Library/LaunchDaemons directory. It registers a Launch Daemon, a background process that runs with elevated privileges.
The PLIST file also declares an XPC service. XPC services are commonly used on macOS to let helper tools perform specific tasks on behalf of an application.
Applications use such an XPC service to have actions performed on their behalf by the service. The service is expected to validate the client application and allow only specific applications to call the methods it exposes.
Reusing PIDs
The vulnerability is a race condition: the exploit sends several messages to the XPC service and then calls posix_spawn with a binary that meets the security requirements, so that the PID of the malicious process comes to belong to that legitimate binary.
The time between message processing and process validation allows the exploit to replace its own process, under the same PID, with the genuine application that passes connection validation.
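The kind of check at issue, as an added illustration rather than GOG Galaxy's own code: an Objective-C XPC listener-side validation that resolves the client by PID (the pattern a PID-reuse race defeats) beside the same validation keyed on the audit token, which is the defensive alternative. The bundle identifier and Team ID in the requirement string are placeholders, and the `auditToken` property is a private NSXPCConnection accessor exposed via a category.

```objc
#import <Foundation/Foundation.h>
#import <Security/Security.h>

// NSXPCConnection exposes the peer's audit token only through a private
// property; declaring it in a category is the usual way to reach it.
@interface NSXPCConnection (AuditToken)
@property (nonatomic, readonly) audit_token_t auditToken;
@end

// Designated requirement the client must satisfy (placeholder identifiers).
static NSString *const kClientRequirement =
    @"anchor apple generic and identifier \"com.example.client\" "
    @"and certificate leaf[subject.OU] = \"PLACEHOLDERTEAMID\"";

// Evaluates a code object against the requirement above.
static BOOL codeSatisfiesRequirement(SecCodeRef code) {
    SecRequirementRef req = NULL;
    if (SecRequirementCreateWithString((__bridge CFStringRef)kClientRequirement,
                                       kSecCSDefaultFlags, &req) != errSecSuccess) return NO;
    OSStatus status = SecCodeCheckValidity(code, kSecCSDefaultFlags, req);
    CFRelease(req);
    return status == errSecSuccess;
}

// Resolves the guest code object from the given attributes and checks it.
static BOOL guestSatisfiesRequirement(NSDictionary *attrs) {
    SecCodeRef code = NULL;
    if (SecCodeCopyGuestWithAttributes(NULL, (__bridge CFDictionaryRef)attrs,
                                       kSecCSDefaultFlags, &code) != errSecSuccess) return NO;
    BOOL ok = codeSatisfiesRequirement(code);
    CFRelease(code);
    return ok;
}

// WEAK: identifies the client by PID. Between accepting the connection and
// checking the signature, the PID can come to belong to a different image,
// so the check can pass for a binary other than the one that connected.
static BOOL clientValidByPID(NSXPCConnection *conn) {
    return guestSatisfiesRequirement(
        @{ (__bridge id)kSecGuestAttributePid : @(conn.processIdentifier) });
}

// HARDENED: identifies the client by audit token, which carries a PID version
// alongside the PID, so a recycled PID no longer resolves to the same guest.
static BOOL clientValidByAuditToken(NSXPCConnection *conn) {
    audit_token_t token = conn.auditToken;
    NSData *tokenData = [NSData dataWithBytes:&token length:sizeof(token)];
    return guestSatisfiesRequirement(
        @{ (__bridge id)kSecGuestAttributeAudit : tokenData });
}
```

Call clientValidByAuditToken from the listener delegate's listener:shouldAcceptNewConnection: and reject the connection when it returns NO; clientValidByPID is included only to show the check the race defeats.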
To exploit this vulnerability, an attacker must follow these steps:
- Connect to the XPC service through a forked process.
- Replace the child process with a legitimate binary.
- Change the permissions of the /etc/pam.d/login file by calling the changeFolderPermissionsAtPath method.
- Replace the login file with one that allows authentication without a password.
- Finally, run sudo su to escalate to root.
The full Security Intelligence report provides detailed information about this vulnerability, including exploitation instructions, source code, and other details.