Talos Vulnerability Report

TALOS-2019-0760

Wacom update helper tool startProcess privilege escalation vulnerability

May 16, 2019
CVE Number

CVE-2019-5012

Summary

An exploitable privilege escalation vulnerability exists in the Wacom, driver version 6.3.32-3, update helper service in the startProcess command. The command takes a user-supplied script argument and executes it under root context. A user with local access can use this vulnerability to raise their privileges to root. An attacker would need local access to the machine for a successful exploit.

Tested Versions

Wacom macOS - Driver 6.3.32-3

Product URLs

https://www.wacom.com/en/support/product-support/drivers

CVSSv3 Score

7.8 - CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:N

CWE

CWE-19: Improper Input Validation

Details

Wacom update helper is a utility installed alongside of the Wacom tablet macOS application. The application is designed to interact with a tablet and allow the user to manage the tablet. A privileged helper tool is installed to update the application. The helper tool is installed as root when the application is first installed and is a LaunchD daemon, meaning it will be restarted if it is killed. The service listens locally as root over XPC.

The vulnerability arises in the startProcess functionality of the helper. The relevant code is shown below.

v4 = objc_msgSend(user_dict, "allKeys");
if ( objc_msgSend(v4, "indexOfObject:", CFSTR("BundleID")) != (void *)0x7FFFFFFFFFFFFFFFLL )  [0]
{
  bundle_id = objc_msgSend(user_dict, "objectForKey:", CFSTR("BundleID"));

  install = +[InstallerControl installer](&OBJC_CLASS___InstallerControl, "installer");            [1]
  v7 = objc_msgSend(install, "bundleDictionary");
  all = objc_msgSend(v7, "allKeys");
  if ( objc_msgSend(all, "indexOfObject:", bundle_id) != (void *)0x7FFFFFFFFFFFFFFFLL )           [2]
  {
    v10 = objc_msgSend(v7, "objectForKey:", bundle_id);
    objc_msgSend(v10, "startWithDict:", user_dict);                                             [3]

To begin, a user dictionary is passed in and the key BundleID is verified to be present, [0]. From there, a stored dictionary is loaded, [1], and it is queried to verify the passed in BundleID is available inside of the system commands, [2]. If this key is found, the provided application is launched, [3]. At first glance, it may be unclear why this is vulnerable. However, upon looking at the available applications to launch, we find some are non-existent while others such as "Android File Transfer" will allow an attacker to write to the root file system. If a file does not exist, an attacker may be able to leverage a separate issue to write into the desired locations and gain arbitrary code execution.

Exploit Proof of Concept

Attached with this report is an XCode project that will launch "Wacom Desktop Center" as root as a demonstration of the issue at hand.

Credit

Discovered by Tyler Bohan of Cisco Talos. http://talosintelligence.com/vulnerability-reports/

Timeline

2019-01-15 - Initial contact
2019-01-17 - Plain text reports issued
2019-03-07 - 3rd follow up 2019-04-01 - Final follow up; Notice of public disclosure date
2019-04-30 - Vendor acknowledged fix in next 6.3.34 driver release notes on 2019-05-15
2019-05-15 - Public Release

Credit

Discovered by Tyler Bohan of Cisco Talos.