Attacker Value
Moderate
(1 user assessed)
Exploitability
Very High
(1 user assessed)
User Interaction
None
Privileges Required
Low
Attack Vector
Local

CVE-2020-25736

Disclosure Date: July 15, 2021
MITRE ATT&CK Tactics
Privilege Escalation
Validation
Validated

Description

Acronis True Image 2019 update 1 through 2021 update 1 on macOS allows local privilege escalation due to an insecure XPC service configuration.

Ratings
Technical Analysis

Acronis True Image installs a privileged helper tool (an XPC service running as root) by default:

$ ls -al /Library/PrivilegedHelperTools
total 96
drwxr-xr-t   3 root  wheel     96 Nov  9 15:19 .
drwxr-xr-x  66 root  wheel   2112 Nov  9 15:41 ..
-rwxr-xr-x   1 root  wheel  47216 Nov  9 15:19 com.acronis.trueimagehelper

Inside its listener:shouldAcceptNewConnection: method, the helper accepts every incoming connection without validating the connecting client (no code-signing requirement, no check of the peer's identity):

/* @class HelperTool */
-(char)listener:(void *)arg2 shouldAcceptNewConnection:(void *)arg3 {
    var_30 = [arg3 retain];
    rbx = [[NSXPCInterface interfaceWithProtocol:@protocol(HelperToolProtocol)] retain];
    [arg3 setExportedInterface:rbx];
    [rbx release];
    [arg3 setExportedObject:self];
    [arg3 resume];
    [var_30 release];
    return 0x1;
}
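For comparison, the following is an added example (not the Acronis helper's code) of the check that is missing above: an NSXPCListener delegate that only exports its object after verifying the connecting process against a code-signing requirement. The class and protocol names, the Mach service name, the team identifier and the client bundle identifier in the requirement string are placeholders.

```objective-c
// Added example: an XPC listener delegate that validates the peer before
// exporting anything. Compile with:
//   clang -fobjc-arc -framework Foundation -framework Security helper.m
#import <Foundation/Foundation.h>
#import <Security/Security.h>
#include <mach/mach.h>
#include <unistd.h>

// NSXPCConnection carries the peer's audit token but does not declare it in
// the public header; this category declaration is the usual way to reach it.
// The audit token, unlike a PID, cannot be reused by a different process.
@interface NSXPCConnection (AuditToken)
@property (nonatomic, readonly) audit_token_t auditToken;
@end

@protocol HelperToolProtocol   // hypothetical protocol name
- (void)getProcessIdentifierWithReply:(void (^)(int))reply;
@end

@interface HelperTool : NSObject <NSXPCListenerDelegate, HelperToolProtocol>
@end

@implementation HelperTool

// Returns YES only if the process behind `token` is signed with an Apple-issued
// certificate for the expected team and carries the expected bundle identifier.
// TEAMID0000 and com.example.client are placeholders for the real values.
static BOOL clientSatisfiesRequirement(audit_token_t token) {
    NSData *tokenData = [NSData dataWithBytes:&token length:sizeof(token)];
    NSDictionary *attrs = @{ (__bridge NSString *)kSecGuestAttributeAudit : tokenData };
    SecCodeRef client = NULL;
    if (SecCodeCopyGuestWithAttributes(NULL, (__bridge CFDictionaryRef)attrs,
                                       kSecCSDefaultFlags, &client) != errSecSuccess) {
        return NO;
    }
    static NSString *const kRequirement =
        @"anchor apple generic and certificate leaf[subject.OU] = \"TEAMID0000\" "
         "and identifier \"com.example.client\"";
    SecRequirementRef req = NULL;
    OSStatus st = SecRequirementCreateWithString((__bridge CFStringRef)kRequirement,
                                                 kSecCSDefaultFlags, &req);
    if (st == errSecSuccess) {
        // Checks the live (dynamic) code against the requirement.
        st = SecCodeCheckValidity(client, kSecCSDefaultFlags, req);
    }
    if (req) CFRelease(req);
    CFRelease(client);
    return st == errSecSuccess;
}

- (BOOL)listener:(NSXPCListener *)listener
    shouldAcceptNewConnection:(NSXPCConnection *)newConnection {
    if (!clientSatisfiesRequirement(newConnection.auditToken)) {
        // Returning NO invalidates the connection; no object is ever exported.
        return NO;
    }
    newConnection.exportedInterface =
        [NSXPCInterface interfaceWithProtocol:@protocol(HelperToolProtocol)];
    newConnection.exportedObject = self;
    [newConnection resume];
    return YES;
}

- (void)getProcessIdentifierWithReply:(void (^)(int))reply {
    reply(getpid());
}
@end

int main(void) {
    @autoreleasepool {
        HelperTool *tool = [HelperTool new];
        NSXPCListener *listener =
            [[NSXPCListener alloc] initWithMachServiceName:@"com.example.helper"];
        listener.delegate = tool;
        [listener resume];
        [[NSRunLoop currentRunLoop] run];
    }
    return 0;
}
```

The requirement string is the important part: checking only the PID returned by processIdentifier is racy, and accepting any signed code is not enough, since the client must be pinned to a specific team and identifier. The check also only holds if the client itself is built with the hardened runtime or library validation, so that another local process cannot load code into the legitimate client and ride its identity.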

The service uses HelperToolProtocol to set up the exported interface for the connection. class-dump shows that the protocol declares three methods, one of which is executeProcess:arguments:caller:withReply: (shown below):

$ ./class-dump /Library/PrivilegedHelperTools/com.acronis.trueimagehelper
...
@protocol HelperToolProtocol
- (void)checkFullDiskAccessWithReply:(void (^)(BOOL))arg1;
- (void)executeProcess:(NSString *)arg1 arguments:(NSArray *)arg2 caller:(int)arg3 withReply:(void (^)(int))arg4;
- (void)getProcessIdentifierWithReply:(void (^)(int))arg1;
@end

Calling executeProcess:arguments:caller:withReply: launches an arbitrary process, with the caller-supplied launch path and arguments, via the following block (note the NSTask launchedTaskWithLaunchPath:arguments: call at the top, fed directly from the captured arguments):

int ___56-[HelperTool executeProcess:arguments:caller:withReply:]_block_invoke(int arg0) {
    r14 = [[NSTask launchedTaskWithLaunchPath:*(arg0 + 0x20) arguments:*(arg0 + 0x28)] retain];
    objc_sync_enter([[*(arg0 + 0x30) pids] retain]);
    var_30 = [[*(arg0 + 0x30) pids] retain];
    r12 = [[NSNumber numberWithInt:[r14 processIdentifier]] retain];
    rbx = [[NSNumber numberWithInt:*(int32_t *)(arg0 + 0x40)] retain];
    [var_30 setObject:rbx forKeyedSubscript:r12];
    [rbx release];
    [r12 release];
    [var_30 release];
    [*(arg0 + 0x30) startTimer];
    objc_sync_exit(rax);
    [rax release];
    [r14 waitUntilExit];
    r15 = [r14 terminationReason];
    rbx = *(arg0 + 0x38);
    rax = [r14 terminationStatus];
    if (r15 == 0x2) {
            rax = rax + 0x3e8;
    }
    (*(rbx + 0x10))(rbx, rax);
    rax = [r14 release];
    return rax;
}

Exploiting this vulnerability is fairly trivial and will give an attacker root privileges. Granted, this is now a two-year-old vulnerability, but it spans a large range of versions and uninstalling the main application will not remove the helper tool. Definitely check /Library/PrivilegedHelperTools if a vulnerable version was installed and was removed without updating.

CVSS V3 Severity and Metrics
Base Score: 7.8 High
Impact Score: 5.9
Exploitability Score: 1.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector (AV): Local
Attack Complexity (AC): Low
Privileges Required (PR): Low
User Interaction (UI): None
Scope (S): Unchanged
Confidentiality (C): High
Integrity (I): High
Availability (A): High

General Information

Vendors

  • acronis

Products

  • true image 2019
  • true image 2020
  • true image 2021
