Full Disclosure mailing list archives

Previous By Date Next
Previous By Thread Next

CVE-2017-16895 Local root privesc in Arq Backup <= 5.9.7

From: "Mark Wadham" <fd () rkw io>
Date: Mon, 04 Dec 2017 08:22:49 +0000
As well as the other bugs affecting Arq <= 5.9.6 there is also another issue with the suid-root restorer binaries in Arq for Mac. There are three of them and they are used to execute restores of backed up files from the various 
cloud providers.

After reversing the inter-app protocol I discovered that the path to the
restorer binary was specified as part of the data packet sent by the UI. After receiving this, the restorer binaries then set +s and root ownership on this path. This means we can specify an arbitrary path which will receive +s and root 
ownership.

This issue is fixed in Arq 5.10.

https://m4.rkw.io/blog/cve201716895-local-root-privesc-in-arq-backup--597.html

Mark

_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
Previous By Date Next
Previous By Thread Next

Current thread: