ASA-2019-00527 – Little Snitch: Privilege escalation vulnerability due to an exposed XPC interface


Allele Security Alert

ASA-2019-00527

Identifier(s)

ASA-2019-00527, CVE-2019-13013, CVE-2019-13014

Title

Privilege escalation vulnerability due to an exposed XPC interface

Vendor(s)

Objective Development Software GmbH

Product(s)

Little Snitch

Affected version(s)

Little Snitch versions 4.3 to 4.3.2

Fixed version(s)

Little Snitch version 4.4

Proof of concept

Unknown

Description

In an internal audit, Objective Development found a privilege escalation vulnerability in the privileged helper tool of Little Snitch. The privileged helper exposes an XPC interface on a globally available communication endpoint without performing any additional authorization checks on connecting clients. The XPC API is therefore reachable from any local process and allows listing directories and copying files with root privileges.

Technical details

Unknown

Workaround

If an upgrade is not possible for whatever reason, remove the privileged helper by executing the following commands in a Terminal window:

sudo launchctl unload /Library/LaunchDaemons/at.obdev.LittleSnitchHelper.LSHelperService.plist
sudo rm -f /Library/PrivilegedHelperTools/at.obdev.LittleSnitchHelper.LSHelperService
sudo rm -f /Library/LaunchDaemons/at.obdev.LittleSnitchHelper.LSHelperService.plist

When a “Diagnostics Report” is generated via Little Snitch Configuration, the privileged helper is automatically reinstalled. So either avoid generating a Diagnostics Report or remove the privileged helper again immediately after generating the report.
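Because the helper comes back after a Diagnostics Report, the workaround is only as good as the last time it was verified. The following check is an added example, not part of this alert or of Objective Development's own tooling: it reports whether any trace of the helper remains (the launchd plist, the helper binary, or a loaded launchd job with the helper's label) and whether a given version string falls in the affected 4.3 to 4.3.2 range. The ROOT prefix argument is a hypothetical convenience so the file checks can be exercised against a test tree; on a live system call it with no argument.

```shell
#!/bin/sh
# Added example (not from the advisory or the vendor). Paths and the launchd
# label are the ones named in the workaround above.
LS_LABEL="at.obdev.LittleSnitchHelper.LSHelperService"
LS_PLIST="/Library/LaunchDaemons/$LS_LABEL.plist"
LS_BINARY="/Library/PrivilegedHelperTools/$LS_LABEL"

# Succeeds (exit 0) when a dotted version string lies in 4.3 .. 4.3.2
# inclusive. Non-digit characters are treated as separators, so "4.3" and
# "4.3.1" both split into numeric components; a missing component counts as 0.
ls_version_affected() {
    set -- $(printf '%s\n' "$1" | tr -c '0-9\n' ' ')
    major=${1:-0}; minor=${2:-0}; patch=${3:-0}
    if [ "$major" -eq 4 ] && [ "$minor" -eq 3 ] && [ "$patch" -le 2 ]; then
        return 0
    fi
    return 1
}

# Succeeds (exit 0) when any trace of the privileged helper remains.
# $1 is an optional root prefix (hypothetical, for testing against a scratch
# tree); leave it empty to inspect the live system. Each finding is printed so
# the operator knows which of the three removal commands to repeat.
ls_helper_present() {
    root=${1:-}
    found=1
    for f in "$root$LS_PLIST" "$root$LS_BINARY"; do
        if [ -e "$f" ]; then
            echo "present: $f"
            found=0
        fi
    done
    # launchd is only consulted for the live system, never for a test root.
    if [ -z "$root" ] && command -v launchctl >/dev/null 2>&1 \
        && launchctl list 2>/dev/null | grep -q "$LS_LABEL"; then
        echo "loaded: launchd job $LS_LABEL"
        found=0
    fi
    return $found
}
```

Run `ls_helper_present` right after the three removal commands and again after every Diagnostics Report; a zero exit status means the helper is back and the removal must be repeated.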

Credits

Objective Development Software GmbH

Reference(s)

CVE-2019-13013
https://obdev.at/cve/2019-13013-OSv2mEFD3z.html

The story behind CVE-2019-13013
https://blog.obdev.at/what-we-have-learned-from-a-vulnerability/

CVE-2019-13013
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-13013

CVE-2019-13013
https://nvd.nist.gov/vuln/detail/CVE-2019-13013

CVE-2019-13014
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-13014

CVE-2019-13014
https://nvd.nist.gov/vuln/detail/CVE-2019-13014

If there is any error in this alert or you wish for a comprehensive analysis, let us know.

Last modified: September 4, 2019

We are not responsible for any data loss, device corruption or any other type of issue due to the use of any information mentioned in our security alerts.