Security: Chrome's use of the deprecated API AuthorizationExecuteWithPrivileges (on macOS), allows for a 'user-assisted' elevation of privileges
Reported by patr...@synack.com, Apr 1 2017
Issue description

VULNERABILITY DETAILS

On macOS, Google Chrome makes use of the deprecated API AuthorizationExecuteWithPrivileges (https://developer.apple.com/reference/security/1540038-authorizationexecutewithprivileg). It is well known that this API is a security risk, as once a user has provided authorization credentials, it will execute whatever :(

Apple articulates this well, stating: "This function poses a security concern because it will indiscriminately run any tool or application, severely increasing the security risk. You should avoid the use of this function if possible."

Chrome makes use of this API to perform a variety of privileged actions, such as setting up autoupdate for all users. It does this by executing various scripts such as keystone_promote_preflight.sh. The security issue is that these scripts are locally editable, without having to authorize... but then (again, once the user has provided authorization) are executed as root!

I realize that:
a) this is a local attack
b) the user has to provide authorization before the scripts are executed
...however, it seems far less than ideal to be using a deprecated API that was deprecated exactly for this reason.

One attack scenario would be local (non-privileged) malware modifying these script files when Chrome is installed, then waiting. Any time in the future when the user or an admin performs any privileged action (such as setting up autoupdate for all users), the malicious commands will be executed as root. I agree this is a limited attack scenario, with various prerequisites, but still IMHO believe it poses a security risk that should be addressed.
VERSION

Chrome Version: 57.0.2987.133 stable
Operating System: macOS Sierra 10.12.2

REPRODUCTION CASE

A python script is provided that will modify one of the scripts that is executed as root (keystone_promote_preflight.sh).

a) new VM, download and install Chrome (drag it into /Applications)
b) run the python script, chrome.py, which will maliciously modify keystone_promote_preflight.sh
c) perform a privileged action via Chrome (for example, About Google Chrome -> Set Up Automatic Updates for All Users)
d) once you have provided authorization (in the authorization popup), Calculator.app will be running as root

See attached screenshots :)

Of course you can just modify keystone_promote_preflight.sh manually (without having to be authorized). Note that once keystone_promote_preflight.sh has run, it sets itself to be owned by root (initially it's just owned by the user).
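The condition the report describes (a helper script that a local user can edit before authorization, yet that is later executed as root) is something a privileged helper can check for before it runs anything. The following audit is an added example, not Chrome's or Keystone's code: it inspects ownership, mode bits and ancestor directories of a constructed sample file named after keystone_promote_preflight.sh in a temporary directory, first with the weak permissions the report describes, then after hardening.

```python
import shutil
import stat
import tempfile
from pathlib import Path

# Constructed sample name, mirroring the script named in the report.
SAMPLE_NAME = "keystone_promote_preflight.sh"


def audit_privileged_script(path):
    """Return (code, detail) findings for a script about to run as root.
    Empty list: root-owned, owner-write only, no alterable ancestor dir."""
    p = Path(path)
    st = p.lstat()
    if stat.S_ISLNK(st.st_mode):
        # A symlink lets a local user redirect the helper to any file.
        return [("symlink", f"{p} is a symlink; audit the target instead")]
    findings = []
    mode = stat.S_IMODE(st.st_mode)
    if st.st_uid != 0:
        findings.append(("owner", f"owned by uid {st.st_uid}, not root"))
    if mode & stat.S_IWGRP:
        findings.append(("group-writable", f"mode {mode:04o}"))
    if mode & stat.S_IWOTH:
        findings.append(("world-writable", f"mode {mode:04o}"))
    # Whoever can write a parent directory can replace the script wholesale.
    for parent in p.resolve().parents:
        pst = parent.stat()
        pmode = stat.S_IMODE(pst.st_mode)
        shared = pmode & (stat.S_IWGRP | stat.S_IWOTH) and not pmode & stat.S_ISVTX
        if pst.st_uid != 0 or shared:
            findings.append(("parent-dir", f"{parent} alterable by non-root users"))
            break
    return findings


def demo():
    """Audit a constructed weak sample, then the same file after hardening.
    Returns the two lists of finding codes (weak, hardened)."""
    workdir = tempfile.mkdtemp()
    try:
        script = Path(workdir, SAMPLE_NAME)
        script.write_text("#!/bin/sh\necho preflight\n")
        script.chmod(0o666)  # editable by any local user, as in the report
        weak = [code for code, _ in audit_privileged_script(script)]
        script.chmod(0o755)  # owner-write only
        hardened = [code for code, _ in audit_privileged_script(script)]
        return weak, hardened
    finally:
        shutil.rmtree(workdir)
```

On a real system the "owner" and "parent-dir" findings still fire for a user-installed app bundle, which is exactly the state the report notes for a freshly installed Chrome before the script has run once as root.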
Apr 3 2017
Thanks for the report. There was an extensive discussion by the Mac team about this API in crbug.com/593133, and why there are currently no good replacements for Chrome's usage. Merging this into that bug.
Jul 10 2017
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Nov 9 2017
Comment 1 by elawrence@chromium.org, Apr 2 2017