CVE-2025-12792

// CVE-2025-12792 PoC - Canva for Mac TCC权限滥用演示 // 注意：此PoC仅用于安全研究和漏洞理解 // 1. 查找Canva进程 const findCanvaProcess = () => { const { execSync } = require('child_process'); try { const pid = execSync('pgrep -f "Canva"').toString().trim(); console.log('Found Canva process PID:', pid); return pid; } catch (e) { console.log('Canva process not found'); return null; } }; // 2. 检查Hardened Runtime状态 const checkHardenedRuntime = (pid) => { const { execSync } = require('child_process'); try { const result = execSync(`codesign -d -vvv /Applications/Canva.app 2>&1`).toString(); console.log('Code signature info:', result); // 检查是否包含 hardened runtime 标志 return result.includes('adhoc') || !result.includes('runtime'); } catch (e) { console.log('Error checking signature:', e.message); return false; } }; // 3. 验证TCC权限（需要用户授权） const checkTCCPermissions = () => { const { execSync } = require('child_process'); try { // 读取TCC数据库中Canva的权限 const result = execSync('sqlite3 /Library/Application\ Support/com.apple.TCC/TCC.db "SELECT service, client, auth_value FROM access WHERE client LIKE \"%Canva%\""'); console.log('Canva TCC permissions:', result.toString()); return result.toString(); } catch (e) { console.log('Cannot read TCC database (requires admin privileges)'); return null; } }; // 4. 演示利用场景 const demonstrateExploitation = () => { console.log('=== CVE-2025-12792 Exploitation Demo ==='); console.log('Vulnerability: Canva for Mac without Hardened Runtime'); console.log('Impact: TCC permission abuse'); console.log(''); const pid = findCanvaProcess(); if (pid) { const isVulnerable = checkHardenedRuntime(pid); console.log('Is Canva vulnerable?', isVulnerable); if (isVulnerable) { console.log('\n[!] Attack scenario:'); console.log('1. Inject malicious code into Canva process'); console.log('2. Inherit Canva TCC permissions'); console.log('3. Access photos/camera/microphone without user consent'); } } checkTCCPermissions(); }; demonstrateExploitation(); // 修复验证：检查是否已升级 const verifyFix = () => { const { execSync } = require('child_process'); try { const version = execSync('mdls -name kMDItemVersion -r /Applications/Canva.app').toString().trim(); console.log('\nCanva version:', version); console.log('Fixed in version 1.117.1 or later:', parseFloat(version) >= 1.1171); } catch (e) { console.log('Cannot get version info'); } }; verifyFix();

{"cve": {"id": "CVE-2025-12792", "sourceIdentifier": "4ac701fe-44e9-4bcd-9585-dd6449257611", "published": "2025-11-18T01:15:44.287", "lastModified": "2026-04-15T00:35:42.020", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "The Mac App Store distribution of the Canva for Mac desktop app before 1.117.1 was built without Hardened Runtime. A local threat actor with unprivileged access could execute arbitrary code that inherits the TCC (Transparency, Consent, and Control) permissions assigned to Canva."}], "metrics": {"cvssMetricV31": [{"source": "4ac701fe-44e9-4bcd-9585-dd6449257611", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:C/C:L/I:N/A:N", "baseScore": 3.2, "baseSeverity": "LOW", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "REQUIRED", "scope": "CHANGED", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "availabilityImpact": "NONE"}, "exploitabilityScore": 1.5, "impactScore": 1.4}]}, "weaknesses": [{"source": "4ac701fe-44e9-4bcd-9585-dd6449257611", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-276"}]}], "references": [{"url": "https://trust.canva.com/?tcuUid=1e77a34b-f586-450b-b30d-b6e17d15b443", "source": "4ac701fe-44e9-4bcd-9585-dd6449257611"}]}}