CVE-2019-5012
An exploitable privilege escalation vulnerability exists in the Wacom, driver version 6.3.32-3, update helper service in the startProcess command. The command takes a user-supplied script argument and executes it under root context. A user with local access can use this vulnerability to raise their privileges to root. An attacker would need local access to the machine for a successful exploit.
Wacom macOS - Driver 6.3.32-3
https://www.wacom.com/en/support/product-support/drivers
7.8 - CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:N
CWE-88: Improper Neutralization of Argument Delimiters in a Command (‘Argument Injection’)
Wacom update helper is a utility installed alongside of the Wacom tablet macOS application. The application is designed to interact with a tablet and allow the user to manage the tablet. A privileged helper tool is installed to update the application. The helper tool is installed as root when the application is first installed and is a LaunchD daemon, meaning it will be restarted if it is killed. The service listens locally as root over XPC.
The vulnerability arises in the startProcess functionality of the helper. The relevant code is shown below.
v4 = objc_msgSend(user_dict, "allKeys");
if ( objc_msgSend(v4, "indexOfObject:", CFSTR("BundleID")) != (void *)0x7FFFFFFFFFFFFFFFLL ) [0]
{
bundle_id = objc_msgSend(user_dict, "objectForKey:", CFSTR("BundleID"));
install = +[InstallerControl installer](&OBJC_CLASS___InstallerControl, "installer"); [1]
v7 = objc_msgSend(install, "bundleDictionary");
all = objc_msgSend(v7, "allKeys");
if ( objc_msgSend(all, "indexOfObject:", bundle_id) != (void *)0x7FFFFFFFFFFFFFFFLL ) [2]
{
v10 = objc_msgSend(v7, "objectForKey:", bundle_id);
objc_msgSend(v10, "startWithDict:", user_dict); [3]
To begin, a user dictionary is passed in and the key BundleID is verified to be present, [0]. From there, a stored dictionary is loaded, [1], and it is queried to verify the passed in BundleID is available inside of the system commands, [2]. If this key is found, the provided application is launched, [3]. At first glance, it may be unclear why this is vulnerable. However, upon looking at the available applications to launch, we find some are non-existent while others such as “Android File Transfer” will allow an attacker to write to the root file system. If a file does not exist, an attacker may be able to leverage a separate issue to write into the desired locations and gain arbitrary code execution.
Attached with this report is an XCode project that will launch “Wacom Desktop Center” as root as a demonstration of the issue at hand.
Discovered by Tyler Bohan of Cisco Talos. http://talosintelligence.com/vulnerability-reports/
2019-01-15 - Initial contact
2019-01-17 - Plain text reports issued
2019-03-07 - 3rd follow up
2019-04-01 - Final follow up; Notice of public disclosure date
2019-04-30 - Vendor acknowledged fix in next 6.3.34 driver release notes on 2019-05-15
2019-05-15 - Public Release
Discovered by Tyler Bohan of Cisco Talos.