Allele Security Alert
Excessive permissions for application configuration allow privilege escalation
SwitchVPN for macOS
Proof of concept
After installation or an update, the script “fix_permissions.sh” is run by the application. This script changes the owner of the main application binaries to root and sets them to world-writable. Additionally, the SUID bit is set for another sensitive binary in the application folder. This configuration makes it very easy to escalate privileges to root.
The script /Applications/SwitchVPN/SwitchVPN.app/Contents/MacOS/SwitchVPN_GUI is world-writeable after installation or an update and is later executed by a privilege process. Overwriting its content, because it is world-writeable, allows an attacker to perform escalation of privileges.
SwitchVPN MacOS Privilege Escalation Vulnerability
If there is any error in this alert or you wish a comprehensive analysis, let us know.
Last modified: February 6, 2019