{"vuid":"VU#757109","idnumber":"757109","name":"Groupnotes Inc. Videostream Mac client allows for privilege escalation to root account","keywords":null,"overview":"### Overview\r\nGroupnotes Inc. Videostream Mac client installs a LaunchDaemon that runs with root privileges. The daemon is vulnerable to a race condition that allows for arbitrary file writes. A low privileged attacker can escalate privileges to root on affected systems.\r\n\r\n### Description\r\nEvery five hours the Videostream LaunchDaemon runs with root privileges to check for updates. During the download, it's possible to replace the update file as any user with a crafted tar archive. The LaunchDaemon process will extract the archive and replace any requested file on the system.\r\n\r\n### Impact\r\nAn attacker with low privilege access can overwrite arbitrary files on the affected system. This can be leveraged to escalate privileges to control the root account.\r\n\r\n### Solution\r\nThe CERT/CC is currently unaware of a practical solution to this problem.\r\n\r\n### Acknowledgements\r\nThank you to Dan Revah for reporting this issue.\r\n\r\nThis document was written by Kevin Stephens.","clean_desc":null,"impact":null,"resolution":null,"workarounds":null,"sysaffected":null,"thanks":null,"author":null,"public":[],"cveids":["CVE-2023-25394"],"certadvisory":null,"uscerttechnicalalert":null,"datecreated":"2023-08-28T15:15:33.780073Z","publicdate":"2023-08-28T15:15:33.499649Z","datefirstpublished":"2023-08-28T15:15:33.809507Z","dateupdated":"2023-08-28T15:15:33.499639Z","revision":1,"vrda_d1_directreport":null,"vrda_d1_population":null,"vrda_d1_impact":null,"cam_widelyknown":null,"cam_exploitation":null,"cam_internetinfrastructure":null,"cam_population":null,"cam_impact":null,"cam_easeofexploitation":null,"cam_attackeraccessrequired":null,"cam_scorecurrent":null,"cam_scorecurrentwidelyknown":null,"cam_scorecurrentwidelyknownexploited":null,"ipprotocol":null,"cvss_accessvector":null,"cvss_accesscomplexity":null,"cvss_authentication":null,"cvss_confidentialityimpact":null,"cvss_integrityimpact":null,"cvss_availabilityimpact":null,"cvss_exploitablity":null,"cvss_remediationlevel":null,"cvss_reportconfidence":null,"cvss_collateraldamagepotential":null,"cvss_targetdistribution":null,"cvss_securityrequirementscr":null,"cvss_securityrequirementsir":null,"cvss_securityrequirementsar":null,"cvss_basescore":null,"cvss_basevector":null,"cvss_temporalscore":null,"cvss_environmentalscore":null,"cvss_environmentalvector":null,"metric":null,"vulnote":88}