Moderate
CVE-2020-25736
CVE-2020-25736
Description
Acronis True Image 2019 update 1 through 2021 update 1 on macOS allows local privilege escalation due to an insecure XPC service configuration.
Add Assessment
Technical Analysis
Acronis TrueImage comes installed with an XPC service by default:
$ ls -al /Library/PrivilegedHelperTools total 96 drwxr-xr-t 3 root wheel 96 Nov 9 15:19 . drwxr-xr-x 66 root wheel 2112 Nov 9 15:41 .. -rwxr-xr-x 1 root wheel 47216 Nov 9 15:19 com.acronis.trueimagehelper
Inside its shouldAcceptNewConnection method, it accepts a connection from the connecting client without any validation:
/* @class HelperTool */ -(char)listener:(void *)arg2 shouldAcceptNewConnection:(void *)arg3 { var_30 = [arg3 retain]; rbx = [[NSXPCInterface interfaceWithProtocol:@protocol(HelperToolProtocol)] retain]; [arg3 setExportedInterface:rbx]; [rbx release]; [arg3 setExportedObject:self]; [arg3 resume]; [var_30 release]; return 0x1; }
The service uses the HelperToolProtocol to set up an interface for the connection. class-dump shows that there are three methods implemented by the HelperToolProtocol, with one being executeProcess:arguments:caller:withReply::
$ ./class-dump /Library/PrivilegedHelperTools/com.acronis.trueimagehelper ... @protocol HelperToolProtocol - (void)checkFullDiskAccessWithReply:(void (^)(BOOL))arg1; - (void)executeProcess:(NSString *)arg1 arguments:(NSArray *)arg2 caller:(int)arg3 withReply:(void (^)(int))arg4; - (void)getProcessIdentifierWithReply:(void (^)(int))arg1; @end
Executing the executeProcess:arguments:caller:withReply: method allows for executing arbitrary processes via the following block:
int ___56-[HelperTool executeProcess:arguments:caller:withReply:]_block_invoke(int arg0) { r14 = [[NSTask launchedTaskWithLaunchPath:*(arg0 + 0x20) arguments:*(arg0 + 0x28)] retain]; objc_sync_enter([[*(arg0 + 0x30) pids] retain]); var_30 = [[*(arg0 + 0x30) pids] retain]; r12 = [[NSNumber numberWithInt:[r14 processIdentifier]] retain]; rbx = [[NSNumber numberWithInt:*(int32_t *)(arg0 + 0x40)] retain]; [var_30 setObject:rbx forKeyedSubscript:r12]; [rbx release]; [r12 release]; [var_30 release]; [*(arg0 + 0x30) startTimer]; objc_sync_exit(rax); [rax release]; [r14 waitUntilExit]; r15 = [r14 terminationReason]; rbx = *(arg0 + 0x38); rax = [r14 terminationStatus]; if (r15 == 0x2) { rax = rax + 0x3e8; } (*(rbx + 0x10))(rbx, rax); rax = [r14 release]; return rax; }
Exploiting this vulnerability is fairly trivial and will give an attacker root privileges. Granted, this is now a two year old vulnerability, but it spans a large range of versions and uninstalling the main application will not remove the helper tool. Definitely check /Library/PrivilegedHelperTools if a vulnerable version was installed and was removed without updating.
CVSS V3 Severity and Metrics
General Information
Vendors
- acronis
Products
- true image 2019,
- true image 2020,
- true image 2021
Metasploit Modules
