CVE-2019-5013: TALOS-2019-0761 || Cisco Talos Intelligence Group
Summary
An exploitable privilege escalation vulnerability exists in the start/stopLaunchDProcess command of the update helper service in the Wacom driver, version 6.3.32-3. The command takes a user-supplied string argument and executes launchctl in the root context. A user with local access can use this vulnerability to load arbitrary launchD agents as root. An attacker would need local access to the machine for a successful exploit.
Tested Versions
Wacom macOS - Driver 6.3.32-3
Product URLs
https://www.wacom.com/en/support/product-support/drivers
CVSSv3 Score
7.1 - CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:N
CWE
CWE-88: Improper Neutralization of Argument Delimiters in a Command (‘Argument Injection’)
Details
Wacom update helper is a utility installed alongside the Wacom Tablet macOS application. The application is designed to interact with a tablet and allow the user to manage it. A privileged helper tool is installed to handle updating the application. The helper tool is installed as root when the application is first installed and is a LaunchD daemon, meaning it will be restarted if it is killed. The service listens locally as root over XPC.
The vulnerability arises in the startLaunchDProcess and stopLaunchDProcess functions of the helper. The relevant code is shown below.
v52 = objc_msgSend(agent_arr, "countByEnumeratingWithState:objects:count:", &v31, &v67, 16LL, 0LL); [0]
if ( v52 )
{
    v51 = *(_QWORD *)v32;
    do
    {
        v49 = "stringByAppendingPathComponent:";
        v50 = "stringByAppendingPathExtension:";
        v48 = v6;
        v7 = objc_msgSend(CFSTR("/Library/LaunchAgents"), v49, *(_QWORD *)(*((_QWORD *)&v31 + 1) + 8 * v6));
        v46 = objc_msgSend(v7, v50, CFSTR("plist")); [2]
A user-supplied dictionary is passed in, and its LaunchAgent key is enumerated into an array [0]. Each entry is then appended to a complete path so that it points inside the LaunchAgents directory on macOS [2]. This newly created string, built from user-supplied input, is then passed directly to the launchctl command in the root context. A short excerpt from the launchctl man page is shown below.
launchctl allows for detailed examination of launchd endpoints. A domain manages the execution policy for a collection of services. A service may be thought of as a virtual process that is always available to be spawned in response to demand. Each service has a collection of endpoints, and sending a message to one of those endpoints will cause the service to launch on demand. Domains advertise these endpoints in a shared namespace and may be thought of as synonymous with Mach bootstrap subsets.
This command is able to control all of the root services on the computer. An attacker is able to launch any arbitrary agent on the system they like, or to stop and delete any agent they choose. This crosses a privilege boundary: no user other than root should be able to control the LaunchAgents and LaunchDaemons currently installed or running. An attacker could turn off agents that defend against attack, or enable older, known-vulnerable agents that happen to still be installed.
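The following is an added example, not code from the advisory or from Wacom, showing how a privileged helper can validate a user-supplied agent name before it ever reaches launchctl. It contrasts the vulnerable pattern (appending the raw input as a path component, as in [2] above) with a hardened version that rejects option-like strings (the CWE-88 argument injection case), rejects anything that is not a single reverse-DNS label, checks the name against an allowlist, and confirms the final path still resolves inside /Library/LaunchAgents. The allowlist labels, the build_launchctl_argv helper and the is_accepted helper are assumptions made for this example.

```python
"""Validation of a user-supplied LaunchAgent name for a privileged helper.
Added example, not Wacom's code; the allowlist labels and helper names
are assumptions for illustration."""
import posixpath
import re

LAUNCH_AGENTS_DIR = "/Library/LaunchAgents"

# Constructed allowlist: the only agents this helper is meant to manage.
# Hypothetical labels, not taken from the Wacom driver.
ALLOWED_AGENTS = frozenset({
    "com.example.tablet.agent",
    "com.example.tablet.updater",
})

# Reverse-DNS label: two or more dot-separated segments of [A-Za-z0-9_-].
LABEL_RE = re.compile(r"^[A-Za-z0-9_-]+(\.[A-Za-z0-9_-]+)+$")


class AgentNameError(ValueError):
    """Raised when the supplied agent name fails validation."""


def naive_plist_path(agent_name: str) -> str:
    """The vulnerable pattern: append the raw input as a path component and add
    the plist extension with no validation. Kept only as the 'before' case."""
    return posixpath.join(LAUNCH_AGENTS_DIR, agent_name) + ".plist"


def escapes_base_dir(path: str, base: str = LAUNCH_AGENTS_DIR) -> bool:
    """True if the normalized path does not stay underneath base."""
    norm = posixpath.normpath(path)
    return not norm.startswith(base.rstrip("/") + "/")


def validated_plist_path(agent_name: str) -> str:
    """Return the plist path for agent_name only if every check passes."""
    if not isinstance(agent_name, str) or not agent_name:
        raise AgentNameError("empty agent name")
    if agent_name.startswith("-"):
        # A leading dash could be parsed by launchctl as an option: argument injection.
        raise AgentNameError("agent name must not start with '-'")
    if "/" in agent_name or "\x00" in agent_name or agent_name in (".", ".."):
        raise AgentNameError("agent name must be a single path component")
    if not LABEL_RE.fullmatch(agent_name):
        raise AgentNameError("agent name is not a reverse-DNS label")
    if agent_name not in ALLOWED_AGENTS:
        raise AgentNameError("agent not in allowlist")
    path = posixpath.join(LAUNCH_AGENTS_DIR, agent_name) + ".plist"
    # Defence in depth: even after the checks above, confirm the result is inside the directory.
    if escapes_base_dir(path):
        raise AgentNameError("path escapes LaunchAgents directory")
    return path


def is_accepted(agent_name: str) -> bool:
    """Convenience predicate: does agent_name pass validation?"""
    try:
        validated_plist_path(agent_name)
        return True
    except AgentNameError:
        return False


def build_launchctl_argv(action: str, agent_name: str) -> list:
    """Build the argv a helper would execute. A list (never a shell string) plus the
    validated path means the input can never become an extra argument or option."""
    if action not in ("load", "unload"):
        raise AgentNameError("unsupported action")
    return ["/bin/launchctl", action, validated_plist_path(agent_name)]


if __name__ == "__main__":
    # Constructed inputs: one legitimate label, one traversal attempt, one option-like string.
    for name in ("com.example.tablet.agent", "../LaunchDaemons/com.apple.x", "-w"):
        print(f"{name!r}: naive={naive_plist_path(name)!r} "
              f"escapes={escapes_base_dir(naive_plist_path(name))} accepted={is_accepted(name)}")
```

The naive function shows why appending a base path is not a boundary on its own: a traversal component in the input still resolves outside the directory, and a dash-prefixed name reaches launchctl as an option. The hardened path makes each of those failures explicit and, by also requiring an allowlist match, limits the helper to the handful of agents it has any business touching.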
Exploit Proof of Concept
Attached with this report is an XCode project that will launch Wacom Desktop Center as root and delete Wacom DataStoreMgr from the LaunchAgents directory.
Credit
Discovered by Tyler Bohan of Cisco Talos. http://talosintelligence.com/vulnerability-reports/
Timeline
2019-01-15 - Initial contact
2019-01-17 - Plain text reports issued
2019-03-07 - 3rd follow up
2019-04-01 - Final follow up; Notice of public disclosure date
2019-04-30 - Vendor acknowledged fix in next 6.3.34 driver release notes on 2019-05-15
2019-05-16 - Public Release