Full Disclosure mailing list archives
CVE-2017-16895 Local root privesc in Arq Backup <= 5.9.7
From: "Mark Wadham" <fd () rkw io>
Date: Mon, 04 Dec 2017 08:22:49 +0000
As well as the other bugs affecting Arq <= 5.9.6 there is also another issue with the suid-root restorer binaries in Arq for Mac. There are three of them and they are used to execute restores of backed up files from the various
cloud providers. After reversing the inter-app protocol I discovered that the path to therestorer binary was specified as part of the data packet sent by the UI. After receiving this, the restorer binaries then set +s and root ownership on this path. This means we can specify an arbitrary path which will receive +s and root
ownership. This issue is fixed in Arq 5.10. https://m4.rkw.io/blog/cve201716895-local-root-privesc-in-arq-backup--597.html Mark _______________________________________________ Sent through the Full Disclosure mailing list https://nmap.org/mailman/listinfo/fulldisclosure Web Archives & RSS: http://seclists.org/fulldisclosure/
Current thread:
- CVE-2017-16895 Local root privesc in Arq Backup <= 5.9.7 Mark Wadham (Dec 05)