Unauthorized Privileged Hardware Operations Vulnerability in AlDente-Charge-Limiter
Description
The AlDente-Charge-Limiter application is vulnerable to unauthorized privileged hardware operations due to the insecure implementation of its XPC service. The application registers a Mach service under the name com.davidwernhart.Helper.mach. The associated binary, com.apphousekitchen.aldente-pro.helper, is a privileged helper tool designed to execute actions requiring elevated privileges on behalf of the client, such as manipulating SMC values, managing power assertions, and reading sensitive system information through SMC values.
The root cause of this vulnerability lies in the shouldAcceptNewConnection method, which unconditionally returns YES (or true), allowing any XPC client to connect to the service without any form of verification. As a result, unauthorized attackers can establish a connection to the Mach service and invoke dangerous methods exposed by the HelperToolProtocol interface.
final class HelperDelegate: NSObject, NSXPCListenerDelegate {
func listener(_ listener: NSXPCListener, shouldAcceptNewConnection newConnection: NSXPCConnection) -> Bool {
newConnection.exportedInterface = NSXPCInterface(with: HelperToolProtocol.self)
newConnection.exportedObject = HelperTool.instance
newConnection.resume()
return true
}
}
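For contrast, the following is an added example of a hardened delegate; it is not code from the AlDente-Charge-Limiter project. It binds the connection to the caller's code signature with NSXPCConnection's setCodeSigningRequirement(_:) (macOS 13 and later), so that messages from any process that does not match the designated requirement are rejected by the system. The bundle identifier and team identifier in the requirement string are placeholders, and HelperToolProtocol / HelperTool.instance are the names used in the vulnerable listing above.

```swift
import Foundation

// Added example (not the project's code): only accept XPC clients whose code
// signature satisfies a designated requirement, instead of returning true for
// every connection.
final class HardenedHelperDelegate: NSObject, NSXPCListenerDelegate {

    // Placeholder requirement: substitute the real bundle identifier of the
    // client application and its Developer ID team identifier (subject.OU).
    // The system evaluates this requirement against the connecting process
    // for every message, not only once at connect time.
    private let clientRequirement =
        "anchor apple generic and " +
        "identifier \"com.example.ClientApp\" and " +
        "certificate leaf[subject.OU] = \"TEAMID0000\""

    func listener(_ listener: NSXPCListener,
                  shouldAcceptNewConnection newConnection: NSXPCConnection) -> Bool {
        if #available(macOS 13.0, *) {
            // Must be called before resume(); a non-matching peer has its
            // messages dropped and the connection invalidated.
            newConnection.setCodeSigningRequirement(clientRequirement)
        } else {
            // No public API on older systems ties the connection to the
            // caller's identity, so refuse rather than fall back to "accept all".
            return false
        }

        newConnection.exportedInterface = NSXPCInterface(with: HelperToolProtocol.self)
        newConnection.exportedObject = HelperTool.instance
        newConnection.resume()
        return true
    }
}
```

Two design points are worth noting. Checking the peer by process identifier (newConnection.processIdentifier) is not a substitute: the PID can be reused between the check and the message, which is why the requirement is attached to the connection itself. The requirement should also be as specific as the deployment allows; a requirement that only checks the anchor would still let any Developer ID signed process on the machine reach setSMCByteWithKey:value: and the other privileged methods.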
Within the HelperToolProtocol protocol, some methods are particularly dangerous if attackers can call them arbitrarily:
- setSMCByte: Direct hardware manipulation allowing potential device damage through fan speed/temperature control manipulation
- createAssertion: Power management exploitation leading to battery drain and resource exhaustion
- readSMCByte/readSMCUInt32: Information disclosure of system settings
- setResetVal: Malicious value injection that could corrupt system restore points
- reset: Could trigger hardware malfunction if called after malicious value injection
@protocol HelperToolProtocol <NSObject>
- (void)getVersionWithReply:(void (^)(NSString * _Nonnull))reply;
- (void)setSMCByteWithKey:(NSString * _Nonnull)key value:(uint8_t)value;
- (void)readSMCByteWithKey:(NSString * _Nonnull)key withReply:(void (^)(char))reply;
- (void)readSMCUInt32WithKey:(NSString * _Nonnull)key reply:(void (^)(uint32_t))reply;
- (void)createAssertionWithName:(NSString * _Nonnull)assertion reply:(void (^)(uint32_t))reply;
- (void)releaseAssertionWithID:(uint32_t)assertionID;
- (void)setResetValueWithKey:(NSString * _Nonnull)key value:(uint8_t)value;
- (void)reset;
@end
Impact
Reproduction