Critical macOS Vulnerability Daemon Ex Plist Grants Attackers Root Access

A significant security flaw, termed Daemon Ex Plist, has been identified in macOS, enabling attackers to escalate their privileges to root access by exploiting misconfigured daemon services. This vulnerability arises from improper handling of service property list (plist) files, particularly when applications are uninstalled but leave behind these files with writable paths accessible to regular users.

Understanding the Vulnerability

In macOS, daemons are background processes that perform various system-level tasks. These daemons are configured using plist files located in the `/Library/LaunchDaemons/` directory. Each plist file specifies the configuration for a daemon, including the path to its executable file.

The Daemon Ex Plist vulnerability occurs when these plist files reference executable paths that are writable by non-privileged users. If an application is uninstalled but its plist file remains, an attacker can create a malicious executable at the specified path. Since the daemon runs with root privileges, the attacker’s code would execute with the same elevated rights, leading to a full system compromise.

Exploitation Process

To exploit this vulnerability, an attacker would follow these steps:

1. Identify Vulnerable Plist Files: Search the `/Library/LaunchDaemons/` directory for plist files that reference executable paths writable by regular users.

2. Create Malicious Executable: Develop a malicious script or binary and place it at the writable path specified in the plist file.

3. Trigger the Daemon: Restart the system or manually start the daemon to execute the malicious code with root privileges.

For example, a vulnerable plist file might contain the following configuration:

```xml
<key>ProgramArguments</key>
<array>
    <string>/Users/Shared/malicious_script.sh</string>
</array>
```

An attacker can place a malicious script at `/Users/Shared/malicious_script.sh`, which the daemon would execute with root privileges upon activation.

Affected Applications

Several popular applications have been identified as vulnerable to this issue, particularly VPN clients that require system-level access. The following applications are confirmed to be affected:

– Mozilla VPN (v2.28.0)

– Tunnelblick (7.1beta01 build 6220)

– Pritunl (1.3.4220.57)

– Cloudflare Warp

– ExpressVPN

– Amnezia VPN (4.8.6.0)

– Mullvad VPN (2025.7)

– Red Shield VPN (3.5.7)

Beyond VPN applications, other software categories are also susceptible, including:

– OneDrive

– Logitech G Hub

Other vendors may also be affected by this issue and have not yet released patches.

Mitigation Strategies

To mitigate the risks associated with the Daemon Ex Plist vulnerability, both developers and users should take the following actions:

For Developers:

1. Secure Daemon Executable Paths: Ensure that daemon executables are located in directories that require root privileges for write access, such as `/Library/PrivilegedHelperTools/`. This prevents non-privileged users from placing malicious files in these locations.

2. Proper Uninstallation Procedures: Implement thorough uninstallation routines that remove all associated plist files from `/Library/LaunchDaemons/` to prevent orphaned configurations that could be exploited.

For Users:

1. Audit Existing Plist Files: Regularly inspect the `/Library/LaunchDaemons/` directory for plist files referencing writable paths. This can be done using the following command:

```bash
# List the daemon plists; for each one, inspect the permissions of the path named under Program or ProgramArguments[0]
ls -l /Library/LaunchDaemons/
```

Look for plist files with executable paths that are writable by non-privileged users.

2. Remove Unused Plist Files: If you identify plist files associated with uninstalled applications, remove them to eliminate potential exploitation vectors.

3. Keep Software Updated: Ensure that all installed applications are up to date, as developers may release patches addressing this vulnerability.
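The listing above only shows which plists exist; the actual check is whether the executable each plist launches sits somewhere an unprivileged user could write. The following auditor is an added example (not code from the article or from any of the vendors named) that performs that check for both the exploitation scenario described earlier and the developer guidance on secure paths: it parses every plist in a LaunchDaemons directory with Python's standard `plistlib`, resolves the program path from `Program` or the first `ProgramArguments` entry, and reports the orphaned case (target missing, nearest existing directory world-writable, as with `/Users/Shared`), a world-writable target, and any world-writable ancestor directory without the sticky bit. It deliberately examines only the "other" permission bits so the verdict does not depend on who runs it; a full macOS review would also weigh group (admin) write access and ownership. The `demo()` function builds a constructed tree with assumed labels (`com.example.orphan`, `com.example.good`) to show one vulnerable and one safe layout.

```python
"""Audit launchd daemon plists for executable paths an unprivileged user could control.

Added example, not part of the original article. Only other-write permission bits are
examined (a simplification; real macOS reviews also consider group and ownership).
"""
import os
import plistlib
import stat
import sys
import tempfile
from pathlib import Path


def world_writable(path: Path) -> bool:
    """True if 'other' has write permission on path (follows symlinks to the real file)."""
    return bool(path.stat().st_mode & stat.S_IWOTH)


def sticky(path: Path) -> bool:
    """True if the directory has the sticky bit (others cannot rename/delete foreign entries)."""
    return bool(path.stat().st_mode & stat.S_ISVTX)


def daemon_program(plist: dict):
    """Executable launchd will run: the Program key, else ProgramArguments[0], else None."""
    prog = plist.get("Program")
    if not prog:
        args = plist.get("ProgramArguments") or []
        prog = args[0] if args else None
    return prog


def path_findings(target: str) -> list:
    """Reasons an unprivileged user could control `target`; empty list if none were found."""
    p = Path(target)
    if not p.is_absolute():
        return [f"{target}: relative path (resolved via PATH/WorkingDirectory), not audited"]
    findings = []
    if p.exists():
        if world_writable(p):
            findings.append(f"{p}: target is world-writable")
    else:
        # Orphaned-plist case: the binary is gone, so whoever can create a file
        # at this name gets code execution as root when the daemon starts.
        anc = p.parent
        while not anc.exists():
            anc = anc.parent
        if world_writable(anc):
            findings.append(f"{p}: target missing and {anc} is world-writable (file can be created)")
    for anc in p.parents:
        if anc == Path("/"):
            break
        # A world-writable directory without the sticky bit lets anyone rename
        # or replace entries beneath it, including a root-owned binary.
        if anc.exists() and world_writable(anc) and not sticky(anc):
            findings.append(f"{p}: ancestor {anc} is world-writable without sticky bit")
    return findings


def audit_launch_daemons(directory="/Library/LaunchDaemons") -> dict:
    """Map plist filename -> findings, for every plist with at least one finding."""
    report = {}
    for plist_path in sorted(Path(directory).glob("*.plist")):
        try:
            with open(plist_path, "rb") as fh:
                data = plistlib.load(fh)  # handles XML and binary plists
        except (plistlib.InvalidFileException, OSError, ValueError) as exc:
            report[plist_path.name] = [f"could not parse: {exc}"]
            continue
        prog = daemon_program(data)
        if prog is None:
            continue
        findings = path_findings(prog)
        if findings:
            report[plist_path.name] = findings
    return report


def demo() -> dict:
    """Run the audit on a constructed tree: one orphaned plist pointing into a
    world-writable sticky directory (like /Users/Shared) and one pointing at a
    helper in a root-style directory (like /Library/PrivilegedHelperTools)."""
    root = Path(tempfile.mkdtemp(prefix="daemon_ex_plist_demo_"))
    shared = root / "Shared"
    shared.mkdir()
    os.chmod(shared, 0o1777)            # drwxrwxrwt, the mode /Users/Shared has on macOS
    helpers = root / "PrivilegedHelperTools"
    helpers.mkdir()
    os.chmod(helpers, 0o755)
    helper = helpers / "com.example.helper"   # constructed, assumed name
    helper.write_text("#!/bin/sh\nexit 0\n")
    os.chmod(helper, 0o755)
    daemons = root / "LaunchDaemons"
    daemons.mkdir()
    with open(daemons / "com.example.orphan.plist", "wb") as fh:  # constructed leftover plist
        plistlib.dump({"Label": "com.example.orphan", "RunAtLoad": True,
                       "ProgramArguments": [str(shared / "malicious_script.sh")]}, fh)
    with open(daemons / "com.example.good.plist", "wb") as fh:    # constructed safe plist
        plistlib.dump({"Label": "com.example.good", "RunAtLoad": True,
                       "Program": str(helper)}, fh)
    return audit_launch_daemons(daemons)


if __name__ == "__main__":
    if len(sys.argv) > 1 and sys.argv[1] == "--demo":
        result = demo()
    else:
        result = audit_launch_daemons(sys.argv[1] if len(sys.argv) > 1 else "/Library/LaunchDaemons")
    for name, reasons in result.items():
        print(name)
        for reason in reasons:
            print("   ", reason)
```

Run it as `python3 audit_daemons.py` on a Mac to inspect the real `/Library/LaunchDaemons`, or with `--demo` to see the constructed vulnerable and safe layouts side by side. A plist that appears in the report with a "target missing" finding is the leftover-from-uninstall case the article describes and should simply be removed; a plist whose target exists but is world-writable, or lives under a writable ancestor, points to an installer that chose the wrong location and should be reported to the vendor.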

Conclusion

The Daemon Ex Plist vulnerability underscores the critical importance of secure configuration practices in macOS. By ensuring that daemon services are properly configured and that uninstallation processes are thorough, both developers and users can significantly reduce the risk of privilege escalation attacks. Staying vigilant and proactive in managing system configurations is essential to maintaining a secure computing environment.