AutoDesk Meshmixer macOS Installer Local Privilege Escalation

In the installation package for AutoDesk Meshmixer for macOS prior to December 22, 2021, the "postinstall" script included in the installer allows for local privilege escalation to root privileges due to improper permissions on files used throughout the installation process.

During the installation process for Meshmixer, the following postinstall script is run as root: 

#!/bin/sh
set -e
srcPath=/tmp/Autodesk
destPath=~/Documents
if [ ! -e "$srcPath" ]; then
 echo "$srcPath: No such file or directory"
 exit
fi
mkdir -p "$destPath/meshmixer"
cp -R "$srcPath/meshmixer2.3/"* "$destPath/meshmixer"
if [ -e ~/Documents/meshmixer/libraries/default ]; then
 find ~/Documents/meshmixer/libraries/default -type f -name *.prt -maxdepth 1 -exec cp -n {} ~/Documents/meshmixer/libraries/parts/user/My\ Parts/ \;
 find ~/Documents/meshmixer/libraries/default -type f -name *.png -maxdepth 1 -exec cp -n {} ~/Documents/meshmixer/libraries/parts/user/My\ Parts/ \;
 find ~/Documents/meshmixer/libraries/default -type f -name *.obj -maxdepth 1 -exec cp -n {} ~/Documents/meshmixer/libraries/parts/user/My\ Parts/ \;
fi
chmod -R 777 "$destPath/meshmixer"
exit 0

By placing a malicious symlink in "/tmp/Autodesk/meshmixer2.3", an attacker could cause files normal accessible by only the root user to be copied to "~/Documents/meshmixer" and have the permissions changed to "777", which allows the file(s) to be read by anyone.

Further, if a meshmixer install does not exist prior to installation, the user could create their own malicious file and place it in "/tmp/Autodesk/meshmixer2.3" and create a symlink for "~/Documents/meshmixer" that would cause their custom file to be place anywhere on the system (such as /Library/LaunchDaemons, which could spawn an application of their choosing as the root user), which results in privilege escalation to root with the possibility of code execution.