[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[FD] CVE-2017-15357 Local root privesc in Arq Backup <= 5.9.6

To: fulldisclosure@xxxxxxxxxxxx
Subject: [FD] CVE-2017-15357 Local root privesc in Arq Backup <= 5.9.6
From: "Mark Wadham" <fd@xxxxxx>
Date: Mon, 04 Dec 2017 08:22:17 +0000

Arq Backup from Haystack Software is a great application for backing upmacs and

windows machines. Unfortunately versions of Arq for mac before 5.9.7 are
vulnerable to a local root privilege escalation exploit.

The updater binary has a "setpermissions" function which sets the suidbit androot ownership on itself but it suffers from a race condition thatallows you to

swap the destination for these privileges using a symlink.

We can exploit this to get +s and root ownership on any arbitrarybinary.


Other binaries in the application also suffer from the same issue.

This was fixed in Arq 5.9.7.

https://m4.rkw.io/blog/cve201715357-local-root-privesc-in-arq-backup--596.html

Mark

_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/

Prev by Date: [FD] [CFP] BSides San Francisco - April 2018
Next by Date: [FD] CVE-2017-16895 Local root privesc in Arq Backup <= 5.9.7
Previous by thread: [FD] [CFP] BSides San Francisco - April 2018
Next by thread: [FD] CVE-2017-16895 Local root privesc in Arq Backup <= 5.9.7
Index(es):
- Date
- Thread