CVE-2020-27192
📋 TL;DR
CVE-2020-27192 is a local privilege escalation vulnerability in BinaryNights ForkLift 3.4 where the application was compiled with library validation disabled, allowing local attackers to inject malicious code. This enables attackers to execute arbitrary code with elevated privileges through ForkLift's helper tool. Only users running ForkLift 3.4 on macOS are affected.
💻 Affected Systems
- BinaryNights ForkLift
📦 What is this software?
ForkLift by BinaryNights
⚠️ Risk & Real-World Impact
Worst Case
Local attacker gains full root privileges on the system, enabling complete system compromise, data theft, and persistent backdoor installation.
Likely Case
Local attacker with user access escalates to root privileges to install malware, steal credentials, or access protected system resources.
If Mitigated
Attack fails due to updated software or proper security controls preventing local code execution.
🎯 Exploit Status
Exploit requires local access to the system and knowledge of code injection techniques.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: ForkLift 3.5.6 and later
Vendor Advisory: https://binarynights.com/
Restart Required: Yes
Instructions:
1. Open ForkLift application.
2. Go to ForkLift menu > Check for Updates.
3. Install available update to version 3.5.6 or later.
4. Restart ForkLift and any related services.
🔧 Temporary Workarounds
Disable ForkLift Helper Tool
Remove or disable the ForkLift helper tool that runs with elevated privileges
sudo rm /Library/PrivilegedHelperTools/com.binarynights.ForkLiftHelper
sudo launchctl unload /Library/LaunchDaemons/com.binarynights.ForkLiftHelper.plist
Uninstall ForkLift 3.4
Completely remove vulnerable version of ForkLift
sudo rm -rf /Applications/ForkLift.app
sudo rm -rf ~/Library/Application\ Support/ForkLift
sudo rm -rf /Library/PrivilegedHelperTools/com.binarynights.ForkLiftHelper
🧯 If You Can't Patch
- Restrict local user access to systems running ForkLift 3.4
- Implement application whitelisting to prevent unauthorized code execution
🔍 How to Verify
Check if Vulnerable:
Check ForkLift version in application menu (ForkLift > About ForkLift). If version is 3.4, system is vulnerable.
Check Version:
defaults read /Applications/ForkLift.app/Contents/Info.plist CFBundleShortVersionString
Verify Fix Applied:
Verify ForkLift version is 3.5.6 or later in application menu. Check that helper tool is updated.
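The version check above can be scripted for a sweep across several Macs. This is an added example, not code from this page or from BinaryNights; the function names and the "unconfirmed" label for versions this page does not classify are assumptions.

```shell
#!/bin/sh
# Added example: classify a ForkLift install using the versions stated on this page.
VULNERABLE="3.4"   # affected version per this page
FIXED="3.5.6"      # first fixed version per this page

# version_ge A B: succeed when dotted numeric version A >= B (missing fields count as 0).
version_ge() {
    a=$1; b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        x=${a%%.*}; y=${b%%.*}
        case $a in *.*) a=${a#*.} ;; *) a= ;; esac
        case $b in *.*) b=${b#*.} ;; *) b= ;; esac
        x=${x:-0}; y=${y:-0}
        if [ "$x" -gt "$y" ]; then return 0; fi
        if [ "$x" -lt "$y" ]; then return 1; fi
    done
    return 0
}

# classify_version V: prints vulnerable | patched | unconfirmed | unknown.
# "unconfirmed" (assumption): below the fixed version but not the one the page names.
classify_version() {
    v=$1
    case $v in
        ''|*[!0-9.]*) echo unknown; return 0 ;;
    esac
    if [ "$v" = "$VULNERABLE" ]; then echo vulnerable
    elif version_ge "$v" "$FIXED"; then echo patched
    else echo unconfirmed
    fi
}

# check_forklift [PLIST] [HELPER]: report status plus whether the privileged helper exists.
check_forklift() {
    plist=${1:-/Applications/ForkLift.app/Contents/Info.plist}
    helper=${2:-/Library/PrivilegedHelperTools/com.binarynights.ForkLiftHelper}
    if [ ! -f "$plist" ]; then echo not-installed; return 0; fi
    ver=$(defaults read "$plist" CFBundleShortVersionString 2>/dev/null) || ver=
    if [ -e "$helper" ]; then h=present; else h=absent; fi
    echo "$(classify_version "$ver") version=${ver:-?} helper=$h"
}

check_forklift "$@"
```

A result of `patched` with `helper=present` still warrants confirming that the helper tool itself was updated, as the verification step above says.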
📡 Detection & Monitoring
Log Indicators:
- Unusual process execution from ForkLiftHelper
- Suspicious library loading by ForkLift processes
- Privilege escalation attempts in system logs
Network Indicators:
- Unexpected outbound connections from ForkLift processes
SIEM Query:
process_name:"ForkLiftHelper" AND parent_process_name:"ForkLift" AND event_type:"process_start"