macOS Archify Local Privilege Escalation <= 1.3.1

Nov 14, 2024

CVE Number

CVE-2024-9062

Credits

Carlos Garrido of Pentraze Cybersecurity

Summary

The application Archify suffers from a local privilege escalation vulnerability, allowing an attacker to perform multiple operations as the root user.

Details

The Archify application follows the “factored applications” model, meaning its functionality is divided into separate components. In this context, Archify includes a helper tool called com.oct4pie.archifyhelper that delegates specific tasks requiring elevated privileges, such as arbitrary file deletion and changing file permissions. Additionally, this Privileged Helper Tool is contacted via XPC.

It’s crucial for an XPC service to verify the code signature of any process attempting to establish a connection. There are two methods for performing this validation: the public processIdentifier and the private auditToken properties. However, relying on processIdentifier is insecure, since PIDs can be reused. Unfortunately, `com.oct4pie.archifyhelper` is not verifying the code requirement, entitlements, or flags of the client attempting to establish an XPC connection.

Validating client’s authenticity

This method handles incoming XPC client connections. When a new connection is received, it logs the event, configures the exported interface (HelperToolProtocol) and object that the service exposes to the client, resumes the connection, and unconditionally accepts it without performing any client-side validation.

    // Vulnerable delegate method from the helper: the connection is resumed and
    // accepted without checking who the peer is.
    func listener(_ listener: NSXPCListener, shouldAcceptNewConnection newConnection: NSXPCConnection) -> Bool {
        NSLog("New connection accepted.")
        newConnection.exportedInterface = NSXPCInterface(with: HelperToolProtocol.self)
        newConnection.exportedObject = self
        newConnection.resume()
        return true
    }

Remediation

To remediate this vulnerability, the service must rely on code signing validation rather than process identifiers when evaluating incoming connections.

First, ensure you have a valid Apple Developer ID certificate. This certificate can be requested directly from Apple without special approval. Additional details are available in Apple’s official documentation.

Once the Developer ID is in place, leverage the modern XPC APIs that enforce code signing requirements before accepting a connection:

  • [NSXPCConnection setCodeSigningRequirement:] (available since macOS 13.0)

  • xpc_connection_set_peer_code_signing_requirement (available since macOS 12.0)

These APIs allow the service to verify the client’s code signing identity at connection time, effectively preventing PID reuse-based attacks.
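A hardened version of the delegate method above, written here as an added example rather than taken from the Archify project, binding a designated requirement to the connection before it is resumed. The client bundle identifier, the Team ID and the empty HelperToolProtocol stand-in are placeholders, not values from the advisory.

```swift
import Foundation

// Stand-in for the helper's real exported protocol; only its existence matters here.
@objc protocol HelperToolProtocol {}

// Designated requirement every client must satisfy: signed by Apple's Developer ID
// chain, carrying the expected bundle identifier and the expected Team ID.
// Both values are placeholders (assumption); substitute the real ones.
private let clientRequirement = """
anchor apple generic and identifier "com.example.archify-app" \
and certificate leaf[subject.OU] = "TEAMIDPLACEHOLDER"
"""

final class HelperListenerDelegate: NSObject, NSXPCListenerDelegate, HelperToolProtocol {
    func listener(_ listener: NSXPCListener,
                  shouldAcceptNewConnection newConnection: NSXPCConnection) -> Bool {
        // setCodeSigningRequirement(_:) exists only on macOS 13.0 and later;
        // refuse rather than fall back to an unchecked connection.
        guard #available(macOS 13.0, *) else {
            NSLog("Code signing requirement API unavailable; rejecting connection.")
            return false
        }

        // The requirement is evaluated by XPC against the peer's code identity for
        // every message, so a caller that merely reuses a trusted PID is rejected.
        newConnection.setCodeSigningRequirement(clientRequirement)

        newConnection.exportedInterface = NSXPCInterface(with: HelperToolProtocol.self)
        newConnection.exportedObject = self
        newConnection.resume()
        NSLog("Connection accepted subject to code signing requirement.")
        return true
    }
}
```

Validate the requirement string with `csreq -r='...' -t` during development, since a malformed requirement cannot protect the connection.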
