X-VPN macOS website versions 77.0–77.5 - Local Privilege Escalation

7.3

High

Discovered by

Oscar Uribe

Offensive Team, Fluid Attacks

Summary

Full name

X-VPN macOS website versions - Local Privilege Escalation via File Overwrite Through Race Condition and Symlink Attack

Code name

State

Public

Release date

Affected product

X-VPN macOS website versions

Vendor

X-VPN

Affected version(s)

77.0–77.5

Fixed version(s)

77.5.1

Remotely exploitable

Yes

CVSS v4.0 vector string

CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

CVSS v4.0 base score

7.3

Exploit available

Yes

CVE ID(s)

Description

A vulnerability in the quarantine and restore workflow of the X-VPN macOS website versions 77.0 through 77.5 allows a local attacker to leverage a race condition and symlink manipulation to achieve privileged file corruption.

During quarantine processing, a race condition permits partial influence over file contents that are subsequently used during restoration. By replacing the quarantined file path with a symbolic link before restoration occurs, an attacker can cause the ApiRestoreQuarantinedFiles routine to follow the attacker-controlled symlink. Because the restore operation is performed by the X-VPN_root service with root privileges, the application may write restored data to an arbitrary file referenced by the symlink.

Successful exploitation can result in arbitrary corruption of root-owned files and controlled prefix overwrites of privileged targets. Depending on the targeted file and system configuration, this may affect privileged scripts, scheduled task definitions (such as cron entries), or other security-sensitive files accessible through the same write primitive, potentially leading to further privilege escalation or system compromise.

Privilege Escalation via Sudoers

The attack chain enables overwriting the /etc/sudoers file (or /private/etc/sudoers.d/* drop-in files) with attacker-controlled content. As little as 18 bytes of controlled data is sufficient to inject a new sudoers rule granting passwordless root privileges to the attacker:

user ALL=NOPASSWD:ALL

Where user is the current username. Once this entry is written to the sudoers configuration, the attacker can execute any command as root without authentication:

sudo su -
# Full root shell obtained

Vulnerability

Root cause

The vulnerability stems from two distinct weaknesses in the X-VPN quarantine/restore implementation:

  1. Race Condition (CWE-367): During file quarantine processing, there exists a race window where an attacker can replace the file contents before they are encrypted and stored. This allows injection of arbitrary data into the quarantine blob.

  2. Symlink Following (CWE-59): The ApiRestoreQuarantinedFiles endpoint, executed by the privileged X-VPN_root daemon running as root, follows symlinks without validation. When restoring a quarantined file, it writes the decrypted contents to the path specified in the quarantine metadata, even if that path has been replaced with a symlink pointing to a privileged file.

Attack chain

The complete exploitation sequence is:

  1. Trigger quarantine: Download a file (e.g., EICAR test file) to trigger X-VPN's quarantine workflow

  2. Race condition exploitation: During the brief processing window, repeatedly overwrite the downloaded file with the malicious payload

  3. Wait for quarantine: Monitor the X-VPN API until the file is quarantined with the injected payload

  4. Symlink replacement: Replace the quarantined file with a symlink pointing to /etc/sudoers or /private/etc/sudoers.d/xvpn

  5. Trigger restore: Call the restore API endpoint, causing the privileged daemon to write the malicious payload to the sudoers file

  6. Privilege escalation: Execute sudo su to gain a root shell without a password

Technical details

  • The privileged daemon X-VPN_root runs with UID 0 and processes IPC/HTTP requests from the local user

  • Quarantine metadata includes fields like EncryptSize, EncryptKey, PrefixCutData, and SuffixCutData

  • The restore operation reconstructs the file using FileAnalysis.decryptAES and writes it to the path given in the FilePath field

  • No symlink validation is performed before writing

  • No integrity verification (HMAC/signature) of the quarantine blob prevents injection attacks

  • The race window is approximately 100-300ms depending on file size and system load
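A hardened restore routine, added here as an example and not X-VPN's code, showing the three checks the root cause and technical details above call for: an integrity tag over the quarantine blob, an open that refuses symlinks on every path component, and an ownership check on the opened descriptor rather than on the path. The tag layout, the function names and the requester_uid parameter are assumptions.

```python
import errno, hashlib, hmac, os, stat

class RestoreError(Exception):
    """Raised when a restore request fails a safety check."""

def seal_blob(key: bytes, file_path: str, blob: bytes) -> bytes:
    # Assumed tag layout: HMAC-SHA256 over destination path + stored blob, so
    # neither can be altered after quarantine without detection.
    return hmac.new(key, file_path.encode() + b"\0" + blob, hashlib.sha256).digest()

def open_nofollow(path: str, flags: int, mode: int = 0o600) -> int:
    """Open path one component at a time with O_NOFOLLOW, so a symlink anywhere
    in the path (not only its last element) makes the open fail with ELOOP."""
    parts = [p for p in os.path.abspath(path).split("/") if p]
    dfd = os.open("/", os.O_RDONLY | os.O_DIRECTORY)
    try:
        for comp in parts[:-1]:
            nfd = os.open(comp, os.O_RDONLY | os.O_DIRECTORY | os.O_NOFOLLOW, dir_fd=dfd)
            os.close(dfd)
            dfd = nfd
        return os.open(parts[-1], flags | os.O_NOFOLLOW, mode, dir_fd=dfd)
    finally:
        os.close(dfd)

def restore_quarantined_file(key: bytes, file_path: str, blob: bytes, tag: bytes,
                             requester_uid: int, decrypt=lambda data: data) -> int:
    """Write the decrypted blob back to file_path; returns bytes written."""
    # Check 1 (CWE-367 side): a blob altered after sealing is rejected outright.
    if not hmac.compare_digest(seal_blob(key, file_path, blob), tag):
        raise RestoreError("quarantine blob failed integrity check")
    # Check 2 (CWE-59): refuse to traverse any symlink on the way to the target.
    try:
        fd = open_nofollow(file_path, os.O_WRONLY | os.O_CREAT)
    except OSError as exc:
        if exc.errno in (errno.ELOOP, errno.ENOTDIR):
            raise RestoreError("refusing to restore through a symlink") from exc
        raise
    try:
        st = os.fstat(fd)
        # Check 3: only a regular file owned by the requesting (unprivileged) user
        # may be written, never a root-owned target such as sudoers.
        if not stat.S_ISREG(st.st_mode) or st.st_uid != requester_uid:
            raise RestoreError("destination is not a regular file owned by the requester")
        os.ftruncate(fd, 0)
        return os.write(fd, decrypt(blob))
    finally:
        os.close(fd)
```

The checks run on the descriptor that will be written, so a symlink swapped in between the checks and the write no longer matters.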

Minimal payload requirements

The attack requires only minimal control over the file prefix. As little as 18 bytes of controlled data is sufficient to exploit this vulnerability. This makes the attack highly practical, as the race condition only needs to inject a small amount of controlled data at the beginning of the file.

With 18 bytes, an attacker can:

  • Overwrite sudoers entries: Inject a rule granting passwordless root privileges (user ALL=NOPASSWD:ALL)

  • Modify shell scripts: Inject malicious commands at the start of privileged .sh scripts (e.g., /usr/local/bin/backup.sh)

  • Corrupt cronjob files: Add malicious cron entries in /etc/crontab or /etc/cron.d/* files that execute as root

Security impact

  • Critical: Complete local privilege escalation from unprivileged user to root

  • Authentication bypass: Passwordless root access via sudo

  • Persistence: Survives system reboot until sudoers is manually corrected

  • Stealth: Leaves minimal forensic traces in standard system logs

  • Reliability: Race condition success rate >80% in testing environments

  • Impact scope: All privileged system operations become available to the attacker

This vulnerability allows a local attacker with no special privileges to:

  • Gain complete control over the system

  • Install rootkits and backdoors

  • Access all user data and credentials

  • Bypass security controls (SIP, Gatekeeper, etc.)

  • Establish persistent access mechanisms

  • Pivot to other systems on the network

PoC

X-VPN: Combined Race Condition + Symlink Vulnerability PoC
===========================================================

COMBINED VULNERABILITY:
1. Race Condition (CWE-367): Allows injecting arbitrary content during quarantine
2. Symlink Follow (CWE-59): Allows redirecting restore to root-owned files

EXPLOIT CHAIN:
1. Trigger a download (EICAR) to start the quarantine flow
2. RACE: Replace the file contents during the processing window
3. Wait for the file to be quarantined with injected content
4. SYMLINK: Replace the quarantined file with a symlink to a root-owned target file
5. RESTORE: Privileged daemon overwrites the root file with the injected content

IMPACT:
- Partial overwrite of privileged files with attacker-controlled content
- Potential privilege escalation
- Corruption of critical system files

Evidence of Exploitation

  • Video of exploitation:

  • Static evidence:

Our security policy

We have reserved the ID CVE-2026-2638 to refer to this issue from now on.

Disclosure policy

System Information

  • X-VPN macOS website version.

  • Version: 77.0–77.5.

  • Operating System: macOS.

References

Mitigation

An updated version of X-VPN is available at the vendor page.

Credits

The vulnerability was discovered by Oscar Uribe from Fluid Attacks' Offensive Team.

Timeline

Vulnerability discovered

Vendor contacted

Vendor replied

Vendor confirmed

Vulnerability patched

Public disclosure
