CVE-2020-27192
Description
BinaryNights ForkLift 3.4 was compiled with the com.apple.security.cs.disable-library-validation flag enabled which allowed a local attacker to inject code into ForkLift. This would allow the attacker to run malicious code with escalated privileges through ForkLift's helper tool.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
ForkLift 3.4 allowed code injection via disabled library validation, enabling local privilege escalation through its helper tool.
Vulnerability
ForkLift 3.4 was compiled with the com.apple.security.cs.disable-library-validation entitlement enabled, allowing a local attacker to inject arbitrary code into the ForkLift process. The vulnerable helper tool, com.binarynights.ForkLiftHelper, installed in /Library/PrivilegedHelperTools/, lacked authorization checks on XPC connections, exposing functions that could be called without authentication [1]. Versions 3.4 and earlier (including 3.3.9 and below) are affected.
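Because the root cause is a code-signing entitlement rather than a bug in the helper's logic, the quickest check a defender can run on an installed build is to read the bundle's entitlements and look for Hardened Runtime exceptions. The following is an added example written for this page, not code from the ForkLift advisory or from BinaryNights. It assumes the entitlements were exported with `codesign -d --entitlements :- /path/to/App.app` (macOS), parses that XML property list, and reports the entitlement named in this CVE alongside a few related Hardened Runtime exceptions an auditor reviews at the same time. The two sample plists are constructed for illustration and are not ForkLift's actual entitlements.

```python
"""Audit a macOS app's code-signing entitlements for Hardened Runtime exceptions.

Added example for this CVE page; not from the advisory or the vendor. On macOS,
    codesign -d --entitlements :- /path/to/App.app
prints the bundle's entitlements as an XML property list. This module parses
that output and flags entitlements that weaken library validation, which is
the mechanism the CVE description names.
"""
import plistlib
import subprocess
from typing import Dict

# Entitlements that relax the Hardened Runtime. The first is the one named in
# the CVE description; the others are related exceptions worth reviewing with it.
RISKY_ENTITLEMENTS: Dict[str, str] = {
    "com.apple.security.cs.disable-library-validation":
        "libraries/plug-ins not signed by the app's Team ID (or Apple) may be loaded",
    "com.apple.security.cs.allow-dyld-environment-variables":
        "DYLD_* environment variables are honoured by the dynamic linker",
    "com.apple.security.cs.allow-unsigned-executable-memory":
        "writable and executable memory pages are permitted",
    "com.apple.security.get-task-allow":
        "other processes may obtain the task port (debugger attach)",
}


def risky_entitlements(entitlements_plist: bytes) -> Dict[str, str]:
    """Return {entitlement: consequence} for each risky key whose value is true.

    Empty input (codesign prints nothing for a binary with no entitlements) and
    keys explicitly set to <false/> produce no finding.
    """
    if not entitlements_plist.strip():
        return {}
    ents = plistlib.loads(entitlements_plist)
    return {key: why for key, why in RISKY_ENTITLEMENTS.items() if ents.get(key) is True}


def audit_bundle(path: str) -> Dict[str, str]:
    """Read an installed bundle's entitlements with codesign (macOS only) and audit them."""
    out = subprocess.run(
        ["codesign", "-d", "--entitlements", ":-", path],
        capture_output=True, check=True,
    ).stdout
    return risky_entitlements(out)


# Constructed sample plists standing in for codesign output (not ForkLift's real entitlements).
SAMPLE_WEAK = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>com.apple.security.cs.disable-library-validation</key>
    <true/>
    <key>com.apple.security.app-sandbox</key>
    <false/>
</dict>
</plist>
"""

SAMPLE_HARDENED = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>com.apple.security.cs.disable-library-validation</key>
    <false/>
    <key>com.apple.security.app-sandbox</key>
    <true/>
</dict>
</plist>
"""

if __name__ == "__main__":
    for label, plist in (("weak", SAMPLE_WEAK), ("hardened", SAMPLE_HARDENED)):
        findings = risky_entitlements(plist)
        print(f"{label}: {findings or 'no Hardened Runtime exceptions found'}")
    # On a Mac, audit a real install with: audit_bundle("/Applications/ForkLift.app")
```

A finding for `com.apple.security.cs.disable-library-validation` means any dylib or plug-in passing basic code-signature checks can be loaded into the process, regardless of who signed it, so the helper tool's own XPC authorization becomes the only barrier between a local user and root.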
Exploitation
A local attacker can inject code into ForkLift by exploiting the disabled library validation. Once executed within ForkLift's context, the injected code can call exposed XPC functions (e.g., changePermissions, changeOwner, deleteItem) on the unauthenticated helper tool, which runs with root privileges [1]. The attacker does not need prior authentication for the helper.
Impact
Successful exploitation allows a local attacker to escalate privileges to root, gaining full control over the system. The attacker can modify file permissions, change ownership, delete or create files, and execute arbitrary commands with root privileges [1].
Mitigation
The vendor fixed this issue in a later version; the advisory indicates all vulnerabilities are fixed [1]. Users should update ForkLift to the latest version available from BinaryNights. No workaround is provided; patch installation is recommended.
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- BinaryNights/ForkLift
- Range: = 3.4
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- insinuator.net/2020/11/forklift-lpe/ (MITRE refsource: MISC)
News mentions
No linked articles in our index yet.