Author Topic: Stop Avast running as root

Bob Jones (Newbie)
Stop Avast running as root
« on: May 02, 2021, 04:25:05 AM »
Simply put, Avast runs its processes as the root user.

As the Avast application (and its binaries) are located under the writable /Applications/, that makes it vulnerable to privilege escalation.

Is there any way to force Avast to run under the user instead of as root?

bob3160 (Avast Überevangelist)
Re: Stop Avast running as root
« Reply #1 on: May 02, 2021, 07:15:09 PM »
Quote from: Bob Jones on May 02, 2021, 04:25:05 AM
> Simply put, Avast runs its processes as the root user.
>
> As the Avast application (and its binaries) are located under the writable /Applications/, that makes it vulnerable to privilege escalation.
>
> Is there any way to force Avast to run under the user instead of as root?
The short answer is NO.
I've reported this to Avast. Maybe they can give you a detailed answer.

jakub.bednar (Avast team)
Re: Stop Avast running as root
« Reply #2 on: May 03, 2021, 08:41:06 AM »
Hello,

I do not understand why you think Avast should be vulnerable to privilege escalation. Maybe you can elaborate a bit more?

In the meantime I will try to describe to you our security measures.

  • Our application is placed in /Applications, but it is owned by root:wheel so you have to be administrator/root to copy/remove any files from the application directory. It is signed and notarized.
  • Our services/daemons do run as root. They are launched by launchd. They open a UNIX socket owned by root, so no non-root process can connect to them or control our services.
  • There is a single socket opened to everyone. It is a UNIX socket of our gateway process. There are clear rules about which commands can be sent to it only by root and which commands can be sent by anybody. The gateway rejects any unauthorized requests.
  • UI runs under normal user and when it wants to perform a privileged operation, it has to contact our privileged XPC service. When any connection arrives to this XPC, it first does a self-signature check of the entire bundle inside /Applications including a hardened runtime check. If it passes, it accepts the connection and does the same check for the other side of the connection, making sure that the process connecting is our UI process and is properly signed.

We had a 3rd party penetration testing done by VerSprite and they did not find any attack vector to penetrate our Software. Still if you are aware and can successfully perform an attack that could breach our Software, Avast has a bounty program to reward anyone who helps us find such vulnerabilities. Feel free to apply your findings. It has to be a working set of steps that we can reproduce to verify that the problem exists and you can e.g. use Avast to perform arbitrary commands as root.

I hope this dispels your concerns.

Best regards,

Jakub
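The reply above describes the file-system side of the defence (bundle owned by root:wheel, signed and notarized with the hardened runtime). The script below is an added example, not code from the thread or from Avast, that checks an installed bundle against exactly those properties so an administrator can confirm them on their own machine. The bundle path is a command-line argument (any path is an assumption), the expected owner and group default to root:wheel, and the signature step uses Apple's `codesign` tool, which only exists on macOS and is skipped elsewhere.

```shell
#!/bin/sh
# Added example (not from the thread): audit an installed .app bundle against the
# layout described in the reply above, i.e. every file owned by root:wheel, nothing
# world-writable, and the bundle signed with the hardened runtime.
#
# Usage:  sh audit_bundle.sh /Applications/Example.app   (path is an assumption)

# Ownership and permission audit. Works on any POSIX system; returns 0 when clean,
# 1 when something should be looked at, 2 on a bad argument.
audit_bundle() {
    bundle=$1
    owner=${2:-root}     # expected file owner (root on a stock macOS install)
    group=${3:-wheel}    # expected file group

    if [ ! -d "$bundle" ]; then
        echo "audit_bundle: not a directory: $bundle" >&2
        return 2
    fi

    # Anything not owned by the expected user:group was not written as admin,
    # so an unprivileged account may be able to replace it before a root
    # daemon loads it.
    owner_hits=$(find "$bundle" \( ! -user "$owner" -o ! -group "$group" \) -print)

    # World-writable entries can be modified by any local user regardless of owner.
    world_hits=$(find "$bundle" -perm -002 -print)

    status=0
    if [ -n "$owner_hits" ]; then
        printf 'Not owned by %s:%s:\n%s\n' "$owner" "$group" "$owner_hits"
        status=1
    fi
    if [ -n "$world_hits" ]; then
        printf 'World-writable:\n%s\n' "$world_hits"
        status=1
    fi
    return "$status"
}

# Signature and hardened-runtime check. codesign exists only on macOS, so the
# check is skipped (not failed) on other systems.
verify_signature() {
    bundle=$1
    if ! command -v codesign >/dev/null 2>&1; then
        echo "codesign not available; skipping signature check" >&2
        return 0
    fi
    # --deep walks nested code, --strict applies the current validation rules.
    codesign --verify --deep --strict "$bundle" || return 1
    # The hardened runtime shows up as the "runtime" flag of the code directory.
    codesign --display --verbose=2 "$bundle" 2>&1 | grep -q 'flags=.*runtime'
}

# Stand-alone use: audit the bundle given on the command line.
if [ "$#" -gt 0 ]; then
    audit_bundle "$1" && verify_signature "$1"
fi
```

A clean result from `audit_bundle` means the only way to change the bundle is with admin rights, which is the property the launchd daemons rely on when they load code from it; `verify_signature` then confirms the bundle is still the signed one, which is what the XPC service's self-signature check depends on.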