Arq Backup from Haystack Software is a great application for backing up
macs and
windows machines. Unfortunately versions of Arq for mac before 5.9.7 are
vulnerable to a local root privilege escalation exploit.
The updater binary has a "setpermissions" function which sets the suid
bit and
root ownership on itself but it suffers from a race condition that
allows you to
swap the destination for these privileges using a symlink.
We can exploit this to get +s and root ownership on any arbitrary
binary.
Other binaries in the application also suffer from the same issue.
This was fixed in Arq 5.9.7.
https://m4.rkw.io/blog/cve201715357-local-root-privesc-in-arq-backup--596.html
Mark
_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/