This blog post covers a boring local privilege escalation bug in iStat Menus caused by a misconfigured folder permission. I was honestly surprised this was overlooked, since other vulnerabilities in the app were disclosed recently, one of which was far more interesting. Read here.

## TL;dr

- Insecure world-writable folder allowing privilege escalation
- Affected versions < 7.20.5 with the Install Helper component
- No profit (a reboot is required)
- A CVE has been requested

## Description

In my day-to-day job I occasionally review software for security issues. I came across an app called iStat Menus by Bjango software. The app is basically Apple's Activity Monitor on steroids: it lets users receive notifications, monitor network usage, and much more.

During the initial install you will be asked to install the Install Helper. This is the vulnerable component. You will be asked to provide sudo privileges to continue. If you skip this step you won't be affected by this bug.

Once installed, a new privileged service called `com.bjango.istatmenus.daemon` will be present. The full path of this binary is:

`/Library/Application\ Support/iStat\ Menus\ 7/com.bjango.istatmenus.daemon`

And the parent folder of this service:

Highlighted in orange, we can clearly see that the permission `drwxrwxrwx` is set. Other users can read, write, and execute that folder. `com.bjango.istatmenus.daemon` itself is owned by root, but the directory above it is misconfigured, which may lead to privilege escalation.

You can also inspect `com.bjango.istatmenus.installer.log` in Console to see where the problem starts:

```
...
2026-02-16 23:59:51.894 com.bjango.istatmenus.installer[98143:44761071] Starting with bundle - /Applications/iStat Menus.app/Contents/Resources/Components.bundle
2026-02-16 23:59:51.894 com.bjango.istatmenus.installer[98143:44761071] /bin/mkdir /Library/Application\ Support/iStat\ Menus\ 7/
2026-02-16 23:59:51.914 com.bjango.istatmenus.installer[98143:44761071] /usr/sbin/chown -R root:wheel /Li...
```
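The weakness described above is not in the daemon binary (which is root-owned) but in the permission chain leading to it: a world-writable parent directory without the sticky bit lets any local user rename or replace entries inside it. The following audit script is an added example, not code from the post or from Bjango; it walks the ancestors of a privileged binary, flags directories that are world-writable without the sticky bit, flags a binary that is not root-owned or is group/world-writable, and offers a `remediate_directory` helper that resets a flagged directory to `0755`. The `build_demo_tree` function constructs a throwaway layout under a temp directory that mirrors the misconfiguration (a `0777` folder holding a `0755` daemon) so the check can be exercised without touching the real `/Library` path; the real path from the post is only audited in the `__main__` block when it exists on the machine.

```python
"""Audit the ownership and permission chain of a privileged daemon binary.

Added example (not from the original post). A root-owned binary is only as
safe as every directory above it: if one of them is world-writable and lacks
the sticky bit, a local user can swap the binary for their own.
"""
import os
import stat
import tempfile

# Path from the post; audited in __main__ only if present on this machine.
ISTAT_DAEMON = "/Library/Application Support/iStat Menus 7/com.bjango.istatmenus.daemon"


def is_unsafe_dir(mode):
    """World-writable directory without the sticky bit (e.g. drwxrwxrwx)."""
    return bool(mode & stat.S_IWOTH) and not (mode & stat.S_ISVTX)


def ancestors(path, stop_at="/"):
    """Yield parent directories of `path`, innermost first, up to but
    excluding `stop_at`."""
    stop_at = os.path.abspath(stop_at)
    current = os.path.dirname(os.path.abspath(path))
    while current != stop_at:
        yield current
        parent = os.path.dirname(current)
        if parent == current:  # reached the filesystem root
            break
        current = parent


def audit_privileged_binary(path, stop_at="/"):
    """Return findings as (kind, path) tuples; an empty list means clean."""
    findings = []
    st = os.stat(path)
    if st.st_uid != 0:
        findings.append(("not_root_owned", os.path.abspath(path)))
    if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        findings.append(("binary_writable", os.path.abspath(path)))
    for directory in ancestors(path, stop_at):
        if is_unsafe_dir(os.stat(directory).st_mode):
            findings.append(("dir_world_writable", directory))
    return findings


def remediate_directory(directory, mode=0o755):
    """Drop group/world write on a flagged directory; returns the new mode."""
    os.chmod(directory, mode)
    return stat.S_IMODE(os.stat(directory).st_mode)


def build_demo_tree():
    """Constructed sample: a 0777 parent folder holding a 0755 'daemon'.
    Returns (base, app_dir, binary). Nothing here runs as root."""
    base = tempfile.mkdtemp(prefix="perm-audit-")
    app_dir = os.path.join(base, "iStat Menus 7")
    os.mkdir(app_dir)
    os.chmod(app_dir, 0o777)  # the misconfiguration from the post
    binary = os.path.join(app_dir, "com.bjango.istatmenus.daemon")
    with open(binary, "w") as fh:
        fh.write("#!/bin/sh\nexit 0\n")
    os.chmod(binary, 0o755)
    return base, app_dir, binary


if __name__ == "__main__":
    base, app_dir, binary = build_demo_tree()
    print("demo before fix:", audit_privileged_binary(binary, stop_at=base))
    remediate_directory(app_dir)
    print("demo after fix: ", audit_privileged_binary(binary, stop_at=base))
    if os.path.exists(ISTAT_DAEMON):
        print("installed daemon:", audit_privileged_binary(ISTAT_DAEMON))
```

The `stop_at` argument keeps the demo from walking into the system temp directory, which is legitimately world-writable but protected by the sticky bit; when auditing the real path the default `stop_at="/"` checks `/Library` and `/Library/Application Support` as well, since any of them being `0777` would have the same effect as the `iStat Menus 7` folder.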