Vulnerability Spotlight: Multiple vulnerabilities in Wacom Update Helper
2019-05-16T11:16:14
ID TALOSBLOG:3678528017BABE2C68EC2B24A2B98A66 Type talosblog Reporter noreply@blogger.com (Jonathan Munshaw) Modified 2019-05-16T11:16:14
Description
Tyler Bohan of Cisco Talos discovered these vulnerabilities.
Executive summary
There are two privilege escalation vulnerabilities in the Wacom update helper. The update helper is a utility installed alongside the macOS application for Wacom tablets. The application interacts with the tablet and allows the user to manage it. These vulnerabilities could allow an attacker with local access to raise their privileges to root.
In accordance with our coordinated disclosure policy, Cisco Talos worked with Wacom to ensure that these issues are resolved and that an update is available for affected customers.
Vulnerability details
Wacom update helper tool startProcess privilege escalation vulnerability (TALOS-2018-0760/CVE-2019-5012)
An exploitable privilege escalation vulnerability exists in the startProcess command of the update helper service in Wacom driver version 6.3.32-3. The command takes a user-supplied script argument and executes it under root context. A user with local access can use this vulnerability to raise their privileges to root. An attacker would need local access to the machine for a successful exploit.
Read the complete vulnerability advisory at https://www.talosintelligence.com/vulnerability_reports/TALOS-2019-0760 for additional information.
Wacom update helper tool start/stopLaunchDProcess privilege escalation vulnerability (TALOS-2018-0761/CVE-2019-5013)
An exploitable privilege escalation vulnerability exists in the start/stopLaunchDProcess command of the Wacom update helper service. The command takes a user-supplied string argument and executes launchctl under root context. A user with local access can use this vulnerability to load arbitrary launchD agents. An attacker would need local access to the machine for a successful exploit.
Read the complete vulnerability advisory at https://www.talosintelligence.com/vulnerability_reports/TALOS-2019-0761 for additional information.
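The full Talos report for the second issue describes the helper appending a caller-supplied name to /Library/LaunchAgents and handing the result to launchctl as root. As an added example (not Wacom's or Talos's code), the C sketch below shows one check a privileged helper can apply before that step: build the plist path only for a name that is a plain label and appears on a fixed allowlist. The labels in `kAllowedAgents` and both function names are hypothetical.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical allowlist: the only agents this helper is meant to manage. */
static const char *const kAllowedAgents[] = {
    "com.example.tablet.agent",
    "com.example.tablet.updater",
};

/* Plain label: 1..128 characters from [A-Za-z0-9._-], so no path separators. */
static bool is_plain_label(const char *s)
{
    static const char ok[] = "abcdefghijklmnopqrstuvwxyz"
                             "ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789._-";
    size_t n = s ? strlen(s) : 0;
    return n > 0 && n <= 128 && strspn(s, ok) == n;
}

/* Writes "/Library/LaunchAgents/<label>.plist" to out and returns true only
 * for an allowlisted label; on any rejection out is left as "". */
bool build_agent_plist_path(const char *label, char *out, size_t outlen)
{
    if (out == NULL || outlen == 0)
        return false;
    out[0] = '\0';
    if (!is_plain_label(label))
        return false;
    size_t count = sizeof kAllowedAgents / sizeof kAllowedAgents[0];
    for (size_t i = 0; i < count; i++) {
        if (strcmp(label, kAllowedAgents[i]) != 0)
            continue;
        int w = snprintf(out, outlen, "/Library/LaunchAgents/%s.plist", label);
        if (w > 0 && (size_t)w < outlen)
            return true;
        out[0] = '\0';  /* did not fit: reject rather than truncate */
        break;
    }
    return false;
}

int main(void)
{
    /* Constructed inputs: allowlisted, contains a path separator, not listed. */
    const char *in[] = { "com.example.tablet.agent",
                         "nested/com.example.tablet.agent", "com.example.unrelated" };
    char path[256];
    for (size_t i = 0; i < 3; i++)
        printf("%s -> %s\n", in[i],
               build_agent_plist_path(in[i], path, sizeof path) ? path : "rejected");
    return 0;
}
```

An exact-match allowlist limits which agents the helper will touch; it does not establish who the caller is, which the helper has to check separately.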
Versions tested
Talos tested and confirmed that versions 6.3.32.2 and 6.3.32.3 of the Wacom driver on macOS are affected by these vulnerabilities.
Coverage
The following SNORTⓇ rules will detect exploitation attempts. Note that additional rules may be released at a future date and current rules are subject to change pending additional vulnerability information. For the most current rule information, please refer to your Firepower Management Center or Snort.org.
Snort Rules: 48850, 48851
{"cve": [{"lastseen": "2020-10-03T13:38:54", "description": "An exploitable privilege escalation vulnerability exists in the Wacom, driver version 6.3.32-3, update helper service in the start/stopLaunchDProcess command. The command takes a user-supplied string argument and executes launchctl under root context. A user with local access can use this vulnerability to raise load arbitrary launchD agents. An attacker would need local access to the machine for a successful exploit.", "edition": 5, "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 7.8, "privilegesRequired": "LOW", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2019-10-24T16:15:00", "title": "CVE-2019-5013", "type": "cve", "cwe": ["CWE-88"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 7.2, "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-5013"], "modified": "2020-08-24T17:37:00", "cpe": ["cpe:/a:wacom:driver:6.3.32-3"], "id": "CVE-2019-5013", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-5013", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}, "cpe23": ["cpe:2.3:a:wacom:driver:6.3.32-3:*:*:*:*:*:*:*"]}, {"lastseen": "2020-10-03T13:38:54", "description": "An exploitable privilege escalation vulnerability exists in the Wacom, driver version 
6.3.32-3, update helper service in the startProcess command. The command takes a user-supplied script argument and executes it under root context. A user with local access can use this vulnerability to raise their privileges to root. An attacker would need local access to the machine for a successful exploit.", "edition": 5, "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 7.8, "privilegesRequired": "LOW", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2019-10-24T16:15:00", "title": "CVE-2019-5012", "type": "cve", "cwe": ["CWE-88"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 7.2, "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-5012"], "modified": "2020-08-24T17:37:00", "cpe": ["cpe:/a:wacom:driver:6.3.32-3"], "id": "CVE-2019-5012", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-5012", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}, "cpe23": ["cpe:2.3:a:wacom:driver:6.3.32-3:*:*:*:*:*:*:*"]}], "talos": [{"lastseen": "2020-07-01T21:25:36", "bulletinFamily": "info", "cvelist": ["CVE-2019-5013"], "description": "# Talos Vulnerability Report\n\n### TALOS-2019-0761\n\n## Wacom update helper tool start/stopLaunchDProcess privilege escalation vulnerability\n\n##### May 16, 2019\n\n##### CVE 
Number\n\nCVE-2019-5013\n\n### Summary\n\nAn exploitable privilege escalation vulnerability exists in the Wacom, driver version 6.3.32-3, update helper service in the start/stopLaunchDProcess command. The command takes a user-supplied string argument and executes launchctl under root context. A user with local access can use this vulnerability to raise load arbitrary launchD agents. An attacker would need local access to the machine for a successful exploit.\n\n### Tested Versions\n\nWacom macOS - Driver 6.3.32-3\n\n### Product URLs\n\n<https://www.wacom.com/en/support/product-support/drivers>\n\n### CVSSv3 Score\n\n7.1 - CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:N\n\n### CWE\n\nCWE-19: Improper Input Validation\n\n### Details\n\nWacom update helper is a utility installed alongside the Wacom Tablet macOS application. The application is designed to interact with a tablet and allow the to manage the tablet. A privileged helper tool is installed to handle updating the application. The helper tool is installed as root when the application is first installed and is a LaunchD daemon, meaning it will be restarted if it is killed. The service listens locally as root over XPC.\n\nThe vulnerability arises in the `startLaunchDProcess` and `stopLaunchDProcess` function of the helper. The relevant code is shown below.\n \n \n v52 = objc_msgSend(agent_arr, \"countByEnumeratingWithState:objects:count:\", &v31, &v67, 16LL, 0LL); [0]\n if ( v52 )\n {\n v51 = *(_QWORD *)v32;\n do\n {\n v49 = \"stringByAppendingPathComponent:\";\n v50 = \"stringByAppendingPathExtension:\";\n v48 = v6;\n v7 = objc_msgSend(CFSTR(\"/Library/LaunchAgents\"), v49, *(_QWORD *)(*((_QWORD *)&v31 + 1) + 8 * v6));\n v46 = objc_msgSend(v7, v50, CFSTR(\"plist\")); [2]\n \n\nA user dictionary is passed in and the `LaunchAgent` key is enumerated into an array, [0]. This input is then added to a complete path to ensure it is pointing inside of the `LaunchAgent` directory inside of macOS, [2]. 
This newly created string utilizing user-supplied input is then passed directly into the `launchctl` command in the root context. A small section from the `launchctl` man page is shown below.\n \n \n launchctl allows for detailed examination of launchd endpoints. A domain manages the execution policy for a collection of services. A service may be thought of as a virtual\n process that is always available to be spawned in response to demand. Each service has a collection of endpoints, and sending a message to one of those endpoints will cause\n the service to launch on demand. Domains advertise these endpoints in a shared namespace and may be thought of as synonymous with Mach bootstrap subsets. \n \n\nThis command is able to control all of the root services on the computer. An attacker is able to launch any arbitrary agent on the system they would like or rather stop and delete any agent they desire. This crosses a privilege boundary, as no user should be able to control the `LaunchAgents` and `LaunchDaemons` currently installed or running other than the root user. An attacker could turn off agents that prevent attack or perhaps enable older known vulnerable agents that happen to be still installed.\n\n### Exploit Proof of Concept\n\nAttached with this report is an XCode project that will launch `Wacom Desktop Center` as root and delete `Wacom DataStoreMgr` from the LaunchAgents directory.\n\n### Credit\n\nDiscovered by Tyler Bohan of Cisco Talos. 
http://talosintelligence.com/vulnerability-reports/\n\n### Timeline\n\n2019-01-15 - Initial contact \n2019-01-17 - Plain text reports issued \n2019-03-07 - 3rd follow up 2019-04-01 - Final follow up; Notice of public disclosure date \n2019-04-30 - Vendor acknowledged fix in next 6.3.34 driver release notes on 2019-05-15 \n2019-05-16 - Public Release\n\n##### Credit\n\nDiscovered by Tyler Bohan of Cisco Talos.\n\n* * *\n\nVulnerability Reports Next Report\n\nTALOS-2019-0784\n\nPrevious Report\n\nTALOS-2019-0760\n", "edition": 4, "modified": "2019-05-16T00:00:00", "published": "2019-05-16T00:00:00", "id": "TALOS-2019-0761", "href": "http://www.talosintelligence.com/vulnerability_reports/TALOS-2019-0761", "title": "Wacom update helper tool start/stopLaunchDProcess privilege escalation vulnerability", "type": "talos", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-07-01T21:24:53", "bulletinFamily": "info", "cvelist": ["CVE-2019-5012"], "description": "# Talos Vulnerability Report\n\n### TALOS-2019-0760\n\n## Wacom update helper tool startProcess privilege escalation vulnerability\n\n##### May 16, 2019\n\n##### CVE Number\n\nCVE-2019-5012\n\n### Summary\n\nAn exploitable privilege escalation vulnerability exists in the Wacom, driver version 6.3.32-3, update helper service in the startProcess command. The command takes a user-supplied script argument and executes it under root context. A user with local access can use this vulnerability to raise their privileges to root. An attacker would need local access to the machine for a successful exploit.\n\n### Tested Versions\n\nWacom macOS - Driver 6.3.32-3\n\n### Product URLs\n\n<https://www.wacom.com/en/support/product-support/drivers>\n\n### CVSSv3 Score\n\n7.8 - CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:N\n\n### CWE\n\nCWE-19: Improper Input Validation\n\n### Details\n\nWacom update helper is a utility installed alongside of the Wacom tablet macOS application. 
The application is designed to interact with a tablet and allow the user to manage the tablet. A privileged helper tool is installed to update the application. The helper tool is installed as root when the application is first installed and is a LaunchD daemon, meaning it will be restarted if it is killed. The service listens locally as root over XPC.\n\nThe vulnerability arises in the `startProcess` functionality of the helper. The relevant code is shown below.\n \n \n v4 = objc_msgSend(user_dict, \"allKeys\");\n if ( objc_msgSend(v4, \"indexOfObject:\", CFSTR(\"BundleID\")) != (void *)0x7FFFFFFFFFFFFFFFLL ) [0]\n {\n bundle_id = objc_msgSend(user_dict, \"objectForKey:\", CFSTR(\"BundleID\"));\n \n install = +[InstallerControl installer](&OBJC_CLASS___InstallerControl, \"installer\"); [1]\n v7 = objc_msgSend(install, \"bundleDictionary\");\n all = objc_msgSend(v7, \"allKeys\");\n if ( objc_msgSend(all, \"indexOfObject:\", bundle_id) != (void *)0x7FFFFFFFFFFFFFFFLL ) [2]\n {\n v10 = objc_msgSend(v7, \"objectForKey:\", bundle_id);\n objc_msgSend(v10, \"startWithDict:\", user_dict); [3]\n \n\nTo begin, a user dictionary is passed in and the key `BundleID` is verified to be present, [0]. From there, a stored dictionary is loaded, [1], and it is queried to verify the passed in `BundleID` is available inside of the system commands, [2]. If this key is found, the provided application is launched, [3]. At first glance, it may be unclear why this is vulnerable. However, upon looking at the available applications to launch, we find some are non-existent while others such as \u201cAndroid File Transfer\u201d will allow an attacker to write to the root file system. 
If a file does not exist, an attacker may be able to leverage a separate issue to write into the desired locations and gain arbitrary code execution.\n\n### Exploit Proof of Concept\n\nAttached with this report is an XCode project that will launch \u201cWacom Desktop Center\u201d as root as a demonstration of the issue at hand.\n\n### Credit\n\nDiscovered by Tyler Bohan of Cisco Talos. http://talosintelligence.com/vulnerability-reports/\n\n### Timeline\n\n2019-01-15 - Initial contact \n2019-01-17 - Plain text reports issued \n2019-03-07 - 3rd follow up 2019-04-01 - Final follow up; Notice of public disclosure date \n2019-04-30 - Vendor acknowledged fix in next 6.3.34 driver release notes on 2019-05-15 \n2019-05-15 - Public Release\n\n##### Credit\n\nDiscovered by Tyler Bohan of Cisco Talos.\n\n* * *\n\nVulnerability Reports Next Report\n\nTALOS-2019-0761\n\nPrevious Report\n\nTALOS-2019-0792\n", "edition": 3, "modified": "2019-05-16T00:00:00", "published": "2019-05-16T00:00:00", "id": "TALOS-2019-0760", "href": "http://www.talosintelligence.com/vulnerability_reports/TALOS-2019-0760", "title": "Wacom update helper tool startProcess privilege escalation vulnerability", "type": "talos", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}]}