[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[FD] CVE-2017-16895 Local root privesc in Arq Backup <= 5.9.7

To: fulldisclosure@xxxxxxxxxxxx
Subject: [FD] CVE-2017-16895 Local root privesc in Arq Backup <= 5.9.7
From: "Mark Wadham" <fd@xxxxxx>
Date: Mon, 04 Dec 2017 08:22:49 +0000

As well as the other bugs affecting Arq <= 5.9.6 there is also anotherissuewith the suid-root restorer binaries in Arq for Mac. There are three ofthemand they are used to execute restores of backed up files from thevarious

cloud providers.

After reversing the inter-app protocol I discovered that the path to the

restorer binary was specified as part of the data packet sent by the UI.Afterreceiving this, the restorer binaries then set +s and root ownership onthispath. This means we can specify an arbitrary path which will receive +sand root

ownership.

This issue is fixed in Arq 5.10.

https://m4.rkw.io/blog/cve201716895-local-root-privesc-in-arq-backup--597.html

Mark

_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/

Prev by Date: [FD] CVE-2017-15357 Local root privesc in Arq Backup <= 5.9.6
Next by Date: [FD] Owning VirtualBox via MITM
Previous by thread: [FD] CVE-2017-15357 Local root privesc in Arq Backup <= 5.9.6
Next by thread: [FD] Owning VirtualBox via MITM
Index(es):
- Date
- Thread