CVE-2020-15349

7.8 HIGH

📋 TL;DR

ForkLift 3.x before version 3.4 has a local privilege escalation vulnerability where the privileged helper tool's XPC interface allows any process to perform file operations (copy, move, delete) as root and change permissions. This affects macOS users running ForkLift file manager versions 3.0 through 3.3.9.

💻 Affected Systems

Products:
  • BinaryNights ForkLift
Versions: 3.x before 3.4 (specifically 3.0 through 3.3.9)
Operating Systems: macOS
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects macOS systems where ForkLift is installed. The privileged helper tool is installed by default during ForkLift installation.

⚠️ Risk & Real-World Impact

🔴

Worst Case

An attacker with local access could gain root privileges, modify system files, install persistent malware, or access sensitive data across the system.

🟠

Likely Case

Malicious local user or malware could escalate privileges to root, allowing unauthorized file modifications, data theft, or persistence mechanisms.

🟢

If Mitigated

With proper access controls and monitoring, impact is limited to local users who already have some level of access to the system.

🌐 Internet-Facing: LOW - This is a local privilege escalation vulnerability requiring local access to exploit.
🏢 Internal Only: HIGH - Any local user or malware with user-level access can potentially exploit this to gain root privileges.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires local access but is relatively straightforward once local access is obtained. The XPC interface is improperly secured.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 3.4 and later

Vendor Advisory: https://binarynights.com/blog/posts/forklift-3-4-security-update.html

Restart Required: No

Instructions:

1. Open the ForkLift application.
2. Go to ForkLift menu > Check for Updates.
3. Install version 3.4 or later.
4. Alternatively, download the update directly from binarynights.com.

🔧 Temporary Workarounds

Uninstall ForkLift

macOS

Remove ForkLift completely to eliminate the vulnerability

# Stop the privileged helper's launchd job before deleting its files
sudo launchctl unload /Library/LaunchDaemons/com.binarynights.ForkLiftHelper.plist
sudo rm -f /Library/LaunchDaemons/com.binarynights.ForkLiftHelper.plist
sudo rm -f /Library/PrivilegedHelperTools/com.binarynights.ForkLiftHelper
# Remove the application bundle and the per-user support directory (the latter is user-owned, so no sudo is needed)
sudo rm -rf /Applications/ForkLift.app
rm -rf ~/Library/Application\ Support/ForkLift

Disable ForkLift Helper Tool

macOS

Remove the privileged helper tool while keeping ForkLift installed

# Unload the launchd job first, then remove the helper binary and its plist so launchd does not keep a job pointing at a missing file
sudo launchctl unload /Library/LaunchDaemons/com.binarynights.ForkLiftHelper.plist
sudo rm -f /Library/LaunchDaemons/com.binarynights.ForkLiftHelper.plist
sudo rm -f /Library/PrivilegedHelperTools/com.binarynights.ForkLiftHelper

🧯 If You Can't Patch

  • Restrict local user access to systems with vulnerable ForkLift versions
  • Implement strict privilege separation and monitor for suspicious file operations by non-root users

🔍 How to Verify

Check if Vulnerable:

Check the ForkLift version in the application, or run:

defaults read /Applications/ForkLift.app/Contents/Info.plist CFBundleShortVersionString

Check Version:

defaults read /Applications/ForkLift.app/Contents/Info.plist CFBundleShortVersionString

Verify Fix Applied:

Verify that the version is 3.4 or higher, and check that the helper tool exists:

ls -la /Library/PrivilegedHelperTools/com.binarynights.ForkLiftHelper
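The version check above is easy to get wrong by hand, because a plain string comparison ranks "3.10" below "3.4". The script below is an added example, not part of the advisory or of BinaryNights' tooling: it reads the version with the same `defaults` command and plist path the advisory gives, then compares major and minor components numerically against the affected range (3.x before 3.4). The function names and the assumption that the bundle lives at the advisory's path are the example's own.

```shell
#!/bin/sh
# Added example (not from the advisory): classify an installed ForkLift
# version as affected or not by CVE-2020-15349 (3.x before 3.4).

# Return 0 if the version string is in the affected range (3.0 <= v < 3.4),
# 1 if it is outside the range, 2 if the string cannot be parsed.
# Usage: forklift_vulnerable "3.3.9"
forklift_vulnerable() {
    major=$(printf '%s' "$1" | cut -d. -f1)
    # -s suppresses output when there is no dot, so "3" yields an empty minor
    minor=$(printf '%s' "$1" | cut -s -d. -f2)
    minor=${minor:-0}
    case "$major$minor" in
        ''|*[!0-9]*) return 2 ;;   # empty or non-numeric component (e.g. "3.4b1")
    esac
    if [ "$major" -eq 3 ] && [ "$minor" -lt 4 ]; then
        return 0
    fi
    return 1
}

# Read CFBundleShortVersionString from the app bundle (macOS only; path and key
# as given in the advisory). Returns 1 and prints nothing if not installed.
forklift_installed_version() {
    plist="${1:-/Applications/ForkLift.app/Contents/Info.plist}"
    [ -f "$plist" ] || return 1
    defaults read "$plist" CFBundleShortVersionString 2>/dev/null
}

# Combine both checks into a verdict; exit status 1 means "update required".
forklift_check() {
    version=$(forklift_installed_version) || { echo "ForkLift not installed"; return 0; }
    if forklift_vulnerable "$version"; then
        echo "ForkLift $version: affected by CVE-2020-15349, update to 3.4 or later"
        return 1
    fi
    echo "ForkLift $version: not in the affected range"
    return 0
}

forklift_check
```

Run it on each macOS host in scope; a non-zero exit status from `forklift_check` flags the host for the update in the Official Fix section. Hosts where the helper binary was removed as a workaround will still report their version, so the `ls` check above remains the way to confirm that the helper has been reinstalled by the 3.4 update.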

📡 Detection & Monitoring

Log Indicators:

  • Unusual file operations by non-root users in system directories
  • Privilege escalation attempts in system logs
  • Unexpected processes running as root

Network Indicators:

  • Not applicable - local vulnerability

SIEM Query:

process where parent_process_name contains 'ForkLift' and effective_user contains 'root'
