CVE-2018-4055

Vulnerability

The vulnerability is located in the install helper tool of Pixar Renderman version 22.2.0 for Mac OS X. This tool is installed and runs as root, continuing to listen after installation. The flaw stems from improper input validation (CWE-19) in the Dispatch function, which does not verify the caller of the function. An XPC message containing a "filepath" string is parsed without sanitization and passed directly to the open system call, enabling any local user to target arbitrary file paths [1].

Exploitation

To exploit this vulnerability, an attacker needs only local access to the machine (no authentication required, no user interaction). The attacker sends a crafted XPC message to the helper service with a case identifier 0x101D2, providing a filepath argument pointing to any root-owned file (e.g., /etc/shadow). The helper tool, running as root, opens the file and returns a file descriptor to the attacker [1].

Impact

A successful exploit allows the attacker to read any file on the file system, including files normally restricted to the root user. This results in a high-impact confidentiality breach, as sensitive system files or user data accessible only by root become readable. The attack does not grant write access or code execution, but the information disclosure can enable further attacks [1].

Mitigation

As of the Talos advisory publication date (2019-03-08), no fix or patched version was available. Users are advised to restrict local access to trusted users only, or to remove the install helper tool if Renderman is no longer needed. The vulnerable version is 22.2.0; later versions may have addressed this issue [1].