Helper Tool: Security Vulnerability

[NghiaTranUIT]

🐶 Brief

There is a report from a dedicated user that Proxyman Helper Tool (PrivilegedHelperTools)could be exploited to change the System Proxy from unsigned apps.

Basically, it's the same issue with Little Snitch CVE-2019-13013 since Proxyman and Little Snitch use a same EvenBetterAuthorizationSample and we don't validate the codesign of incoming NSXPCConnection.

EvenBetterAuthorizationSample does good job to demonstrate how to install/uninstall the Help Tool and provide a mechanism to verify which app is authorized to do it. However, it doesn't validate the authenticity of the connections.

As a result, Any apps could exploited by sending the connection to Helper Tool, which has the same ExportProtocol.

We should fix it

👑 Criteria

• Validate the codesign of connections before performing any System Change
• Make sure one Helper Tool could verify and accept the Proxyman's Connection.
• Use POC sample code to verify that the new Helper Tool will reject the unauthorized connections

[NghiaTranUIT]

All done 🌮
For any one concerns, her is the BETA build: https://proxyman.s3.us-east-2.amazonaws.com/beta/Proxyman_1.11.0_Security_Improve_Helper_Tool.dmg

It gonna release in the first week of 2020 👍

Changelogs

• Validate the code-sign of connections before performing any System Change
• Fix two instance of Helper Tool in app
• Close the previous NSXPCConnection before upgrading