Shirt Pocket SuperDuper! Privilege Escalation Vulnerability Allowing Arbitrary Script Execution
Vulnerability
A vulnerability in Shirt Pocket's SuperDuper! backup software, specifically in versions through 3.10, allows local attackers to alter the default task template. This modification can be exploited to execute arbitrary preflight scripts with root privileges and Full Disk Access, effectively circumventing macOS privacy protections. The issue arises because user-defined Before/After shell scripts are executed with elevated rights, using SuperDuper's permissions that bypass standard user controls.
Impact
Exploitation of this vulnerability could lead to unauthorized execution of scripts with administrative rights, potentially allowing malicious actions to be performed on the user's system.
Remediation
Users can update to SuperDuper! version 3.11, which addresses this vulnerability by ensuring that Before/After scripts are executed with the user's privileges and must be owned by the root user. For those using versions prior to 3.11, it is recommended to manually review and manage script entries to prevent unauthorized actions.
Vulnerability Rating
Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.