Key Information Summary

Vulnerability Description: An XPC helper application running with root privileges registers a public Mach service ( ) and accepts all incoming connections without validating the caller (no audit token, code signing Team ID, or privilege checks).

Impact: Any local, non-privileged process can invoke methods exposed via BatteryXPCProtocol (e.g., , , ) and perform privileged power/SMC operations.

Technical Details

Location: In .

Implementation Issue: The helper runs as root and registers a Mach service using NSXPCListener. It unconditionally accepts all incoming connections without any validation (e.g., audit token or code signing).

Exposed Functionality: The helper exposes functions such as and .

Proof of Concept

Client Application: A client application ( ) is created to connect to the privileged helper and invoke via XPC.

Impact

Power Management Control: Any local, non-privileged process can control system-level power management functions that are normally restricted to root.

Attack Scenarios:
- Force battery mode, prevent sleep, and drain the battery until recharging, rendering the laptop unusable.
- Change power policies (e.g., sleep/adapter/charging state) affecting all users, potentially persisting until manually reverted.
- Repeated forced discharge/charge cycles and disabling charging accelerate battery wear; abrupt power state changes may cause thermal throttling and performance degradation.

Complexity: No user interaction required; no privileges needed; low complexity.

Security Boundary Breach: Violates macOS's security boundary between user-level and system-level operations.
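The following is an added example, not the affected helper's code, of how the NSXPCListener delegate should gate connections: instead of returning YES unconditionally, it binds each new connection to a code-signing requirement so that only clients signed by the expected Team ID ever reach a BatteryXPCProtocol selector. The Team ID, the BatteryService class and the empty protocol declaration are placeholders; the real protocol's methods are not reproduced here.

```objectivec
// Added example (not the helper's own code): hardened
// -listener:shouldAcceptNewConnection: for a root XPC helper.
// The vulnerable helper simply returned YES here for every peer.
#import <Foundation/Foundation.h>

// PLACEHOLDER: Team ID of the app bundle that is allowed to talk to the
// helper. Pinning a Team ID (not only "anchor apple generic") keeps any
// other locally installed, Apple-signed app from connecting.
static NSString *const kAllowedTeamID = @"TEAMID0000";

// Placeholder: the helper's real protocol declares the privileged
// power/SMC selectors; they are intentionally omitted in this example.
@protocol BatteryXPCProtocol <NSObject>
@end

@interface BatteryService : NSObject <BatteryXPCProtocol>
@end
@implementation BatteryService
@end

@interface HelperListenerDelegate : NSObject <NSXPCListenerDelegate>
@end

@implementation HelperListenerDelegate

- (BOOL)listener:(NSXPCListener *)listener
    shouldAcceptNewConnection:(NSXPCConnection *)newConnection {
    if (@available(macOS 13.0, *)) {
        // Every message on this connection is checked against the peer's
        // code signature by the kernel/libxpc; a peer that does not satisfy
        // the requirement is invalidated before any selector is dispatched.
        // Must be set before -resume.
        NSString *req = [NSString stringWithFormat:
            @"anchor apple generic and certificate leaf[subject.OU] = \"%@\"",
            kAllowedTeamID];
        [newConnection setCodeSigningRequirement:req];
    } else {
        // No public API for the peer's audit token on older releases:
        // refuse rather than fall back to an unauthenticated listener.
        return NO;
    }

    newConnection.exportedInterface =
        [NSXPCInterface interfaceWithProtocol:@protocol(BatteryXPCProtocol)];
    newConnection.exportedObject = [BatteryService new];
    [newConnection resume];
    return YES;
}

@end
```

Verify the deployed requirement with `codesign -d -r- /path/to/Helper` against the client's actual Team ID before shipping; a typo in the requirement string fails closed, so a legitimate client that cannot connect is the symptom to test for.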