CVE-2020-15349
Description
BinaryNights ForkLift 3.x before 3.4 has a local privilege escalation vulnerability because the privileged helper tool implements an XPC interface that allows any process to perform file operations (copy, move, delete, change permissions) as root.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
ForkLift 3.x before 3.4 contains a local privilege escalation vulnerability due to missing XPC authorization in its privileged helper tool.
Vulnerability
The privileged helper tool com.binarynights.ForkLiftHelper in BinaryNights ForkLift versions 3.x prior to 3.4 does not perform any authorization checks on incoming XPC connections. This allows any local process to invoke exposed XPC methods, including changePermissions:, changeOwner:, deleteItem:, moveItem:, and others, which execute with root privileges. The helper is installed in /Library/PrivilegedHelperTools/ and listens for XPC messages without verifying the caller's identity or permissions [1].
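The missing check described above lives in the helper's listener delegate: whatever connects gets the full interface. The following is an added example of the defensive pattern, not ForkLift's own code or its 3.4 fix (which the page does not show); the main-app bundle identifier, the Team ID and the HelperProtocol stand-in are placeholders.

```objective-c
// Added example: a privileged helper's NSXPCListener delegate that refuses
// callers which do not satisfy a code-signing requirement. Not vendor code;
// "com.example.MainApp" and "TEAMID0000" are placeholders.
#import <Foundation/Foundation.h>

@protocol HelperProtocol <NSObject>
// Stand-in for the helper's file-operation interface (method name from the CVE text).
- (void)deleteItem:(NSString *)path reply:(void (^)(NSError *))reply;
@end

@interface HelperListenerDelegate : NSObject <NSXPCListenerDelegate>
@property (nonatomic, strong) id<HelperProtocol> exportedObject;
@end

@implementation HelperListenerDelegate

- (BOOL)listener:(NSXPCListener *)listener
    shouldAcceptNewConnection:(NSXPCConnection *)newConnection {
    // Requirement in Apple's code-signing requirement language: the peer must
    // be the vendor's main app, signed with a certificate chained to Apple and
    // issued to the vendor's team. "anchor apple generic" alone would admit any
    // Developer ID-signed app, so the identifier and Team ID are pinned too.
    NSString *requirement =
        @"identifier \"com.example.MainApp\" and "
        @"anchor apple generic and "
        @"certificate leaf[subject.OU] = \"TEAMID0000\"";

    if (@available(macOS 13.0, *)) {
        NSError *error = nil;
        // Binds the requirement to the peer's audit token; the XPC runtime then
        // drops messages from any process that does not satisfy it.
        if (![newConnection setCodeSigningRequirement:requirement error:&error]) {
            NSLog(@"rejecting XPC client: %@", error);
            return NO;
        }
    } else {
        // No public audit-token-bound API before macOS 13: fail closed rather
        // than trust a PID-based lookup (PIDs can be reused) or skip the check.
        return NO;
    }

    // Only a verified peer reaches this point and receives the interface.
    newConnection.exportedInterface =
        [NSXPCInterface interfaceWithProtocol:@protocol(HelperProtocol)];
    newConnection.exportedObject = self.exportedObject;
    [newConnection resume];
    return YES;
}

@end
```

A helper that returns YES here without any requirement, or that checks only the sender's PID, is the shape of the flaw this CVE describes.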
Exploitation
An attacker with local user access can craft a malicious application or script that connects to the XPC service and calls the exposed methods. No authentication or user interaction is required beyond having a local account. For example, the attacker can call deleteItem: to delete arbitrary files as root, or moveItem: to move files to arbitrary locations, effectively gaining root-level file operations [1].
Impact
Successful exploitation allows an attacker to perform arbitrary file operations (copy, move, delete, change permissions/ownership) as the root user. This can lead to complete compromise of the system, including overwriting system files, installing persistence mechanisms, or exfiltrating sensitive data. The attacker gains root privileges without needing to authenticate as root [1].
Mitigation
The vulnerability is fixed in ForkLift version 3.4, released by the vendor. Users should update to version 3.4 or later. No workaround is available for earlier versions. The CVE is not listed in CISA's Known Exploited Vulnerabilities catalog as of the publication date [1].
AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- BinaryNights/ForkLift
- Range: <3.4
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- binarynights.com/blog/posts/forklift-3-4-security-update.html (vendor advisory, x_refsource_CONFIRM)
- insinuator.net/2020/11/forklift-lpe/ (third-party analysis, x_refsource_MISC)
News mentions
No linked articles in our index yet.