Code Signature validation is racy

[ChiChou]

See Project Zero's previous issue on macOS/iOS:
https://bugs.chromium.org/p/project-zero/issues/detail?id=1223

This project's implementation has exact the same problem.

https://github.com/google/macops-MOLXPCConnection/blob/f59153565ed1/Source/MOLXPCConnection/MOLXPCConnection.m#L155

Code signature validation here is based on incoming pid, which is racy by replacing caller process with valid caller through exec* function.

Should use auditToken instead.

[russellhancox]

I'm still investigating this but right now I'm not sure there's actually a problem, MOLXPCConnection checks the signature in the listener:shouldAcceptNewConnection: method but requires the client to call connectWithReply: from the validation interface before anything else in the exported interface can be called. Due to this requirement exploiting the race would involve actually sending 2 messages before an exec, which I don't believe is possible but I'm not yet certain.

Unfortunately switching to auditToken is not ideal as NSXPCConnection doesn't actually provide access to the audit token and while there are simple methods to get access to it, we generally try to avoid private interfaces wherever possible. If we can establish whether doing so is necessary then this might have to be one of the few exceptions we make.

[russellhancox]

I forgot this was still open - we looked into this for a while and found no way that it could be exploited: you could connect to the 'server' and then exec another process but due to the validation mechanism there's no message you could queue to send before the exec.