[GH-ISSUE #364] Helper Tool: Security Vulnerability #360

New issue

Closed

opened 2026-03-03 19:17:48 +03:00 by kerem · 1 comment

kerem commented

2026-03-03 19:17:48 +03:00

Owner

Originally created by @NghiaTranUIT on GitHub (Dec 29, 2019).
Original GitHub issue: https://github.com/ProxymanApp/Proxyman/issues/364

Originally assigned to: @NghiaTranUIT on GitHub.

🐶 Brief

There is a report from a dedicated user that Proxyman Helper Tool (PrivilegedHelperTools)could be exploited to change the System Proxy from unsigned apps.

Basically, it's the same issue with Little Snitch CVE-2019-13013 since Proxyman and Little Snitch use a same EvenBetterAuthorizationSample and we don't validate the codesign of incoming NSXPCConnection.

EvenBetterAuthorizationSample does good job to demonstrate how to install/uninstall the Help Tool and provide a mechanism to verify which app is authorized to do it. However, it doesn't validate the authenticity of the connections.

As a result, Any apps could exploited by sending the connection to Helper Tool, which has the same ExportProtocol.

We should fix it

👑 Criteria

Validate the codesign of connections before performing any System Change
Make sure one Helper Tool could verify and accept the Proxyman's Connection.
Use POC sample code to verify that the new Helper Tool will reject the unauthorized connections

Originally created by @NghiaTranUIT on GitHub (Dec 29, 2019). Original GitHub issue: https://github.com/ProxymanApp/Proxyman/issues/364 Originally assigned to: @NghiaTranUIT on GitHub. ## 🐶 Brief There is a report from a dedicated user that Proxyman Helper Tool (PrivilegedHelperTools)could be exploited to change the System Proxy from unsigned apps. Basically, it's the same issue with [Little Snitch CVE-2019-13013](https://blog.obdev.at/what-we-have-learned-from-a-vulnerability/) since Proxyman and Little Snitch use a same [EvenBetterAuthorizationSample](https://developer.apple.com/library/archive/samplecode/EvenBetterAuthorizationSample/Introduction/Intro.html) and we don't validate the codesign of incoming NSXPCConnection. EvenBetterAuthorizationSample does good job to demonstrate how to install/uninstall the Help Tool and provide a mechanism to verify which app is authorized to do it. However, it doesn't validate the authenticity of the connections. As a result, Any apps could exploited by sending the connection to Helper Tool, which has the same ExportProtocol. We should fix it ## 👑 Criteria - [x] Validate the codesign of connections before performing any System Change - [x] Make sure one Helper Tool could verify and accept the Proxyman's Connection. - [x] Use POC sample code to verify that the new Helper Tool will reject the unauthorized connections

kerem

2026-03-03 19:17:48 +03:00

closed this issue
added the
bug
label

kerem commented

2026-03-03 19:17:49 +03:00

Author

Owner

@NghiaTranUIT commented on GitHub (Dec 29, 2019):

All done 🌮
For any one concerns, her is the BETA build: https://proxyman.s3.us-east-2.amazonaws.com/beta/Proxyman_1.11.0_Security_Improve_Helper_Tool.dmg

It gonna release in the first week of 2020 👍

Changelogs

Validate the code-sign of connections before performing any System Change
Fix two instance of Helper Tool in app
Close the previous NSXPCConnection before upgrading

@NghiaTranUIT commented on GitHub (Dec 29, 2019): All done 🌮 For any one concerns, her is the BETA build: https://proxyman.s3.us-east-2.amazonaws.com/beta/Proxyman_1.11.0_Security_Improve_Helper_Tool.dmg It gonna release in the first week of 2020 👍 ## Changelogs - [x] Validate the code-sign of connections before performing any System Change - [x] Fix two instance of Helper Tool in app - [x] Close the previous NSXPCConnection before upgrading <img width="1676" alt="Screen Shot 2019-12-29 at 11 42 46" src="https://user-images.githubusercontent.com/5878421/71552646-caa91a00-2a33-11ea-9bb9-bb3ec2f2ca14.png">