Aquarius Desktop Insecure File Handling via Symlink Dereference in Support Archive Generation

Vulnerability

A vulnerability exists in Aquarius Desktop version 3.0.069 for macOS, where the application improperly handles files by following symbolic links in its log directory. This flaw occurs during the creation of support data archives, as the application uses a directory iterator that follows symlinks and includes the pointed-to files in the ZIP archive without validation. A local attacker can exploit this by creating symlinks to sensitive files, leading to unauthorized access or modification of those files. Additionally, when combined with a related privilege escalation vulnerability, it could expose files owned by the root user.

Impact

Exploitation of this vulnerability could result in unauthorized disclosure or modification of files, including sensitive system files or root-owned files, when chained with a related privilege escalation vulnerability.

Reproduction

To reproduce this vulnerability, create a symbolic link in the Aquarius log directory that points to a sensitive file, such as '/etc/passwd'. Then, use the 'Create support data file' feature in the application. The support archive will include the contents of the targeted file, demonstrating the insecure handling of symlinks.

Remediation

To address this vulnerability, Aquarius Desktop should disable symlink following in the directory iterator, validate file paths before adding them to the ZIP archive, use 'O_NOFOLLOW' when opening files to prevent symlink dereferencing, limit the contents of the support ZIP to a predefined list of log files, and notify users if the archive contains unexpected files.
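The remediation steps above, combined in one collection routine. This is an added example, not Aquarius Desktop's code; the log file names, the `build_support_zip` function and the sample directory built in `demo()` are assumptions made for illustration.

```python
import os
import stat
import tempfile
import zipfile
from pathlib import Path

ALLOWED = {"aquarius.log", "aquarius.log.1"}  # hypothetical allowlist of log names


def build_support_zip(log_dir, zip_path, allowed=ALLOWED):
    """Archive only allowlisted regular files, never following symlinks."""
    added, skipped = [], []
    dir_fd = os.open(log_dir, os.O_RDONLY | os.O_DIRECTORY | os.O_NOFOLLOW)
    try:
        with zipfile.ZipFile(zip_path, "w", zipfile.ZIP_DEFLATED) as zf:
            for name in sorted(os.listdir(dir_fd)):
                if name not in allowed:
                    skipped.append((name, "not on allowlist"))
                    continue
                try:
                    # Fails on a symlink; O_NONBLOCK keeps a FIFO from stalling.
                    flags = os.O_RDONLY | os.O_NOFOLLOW | os.O_NONBLOCK
                    fd = os.open(name, flags, dir_fd=dir_fd)
                except OSError:
                    skipped.append((name, "symlink or unreadable"))
                    continue
                with os.fdopen(fd, "rb") as fh:
                    # Validate the object actually opened, not the path.
                    if not stat.S_ISREG(os.fstat(fh.fileno()).st_mode):
                        skipped.append((name, "not a regular file"))
                        continue
                    zf.writestr(name, fh.read())
                added.append(name)
    finally:
        os.close(dir_fd)
    return added, skipped  # report skipped entries to the user


def demo():
    """Constructed sample: one real log, one symlinked name, one stray file."""
    root = Path(tempfile.mkdtemp())
    (root / "logs").mkdir()
    (root / "outside.txt").write_text("not a log")
    (root / "logs" / "aquarius.log").write_text("2025-12-03 started\n")
    (root / "logs" / "notes.txt").write_text("stray")
    (root / "logs" / "aquarius.log.1").symlink_to(root / "outside.txt")
    added, skipped = build_support_zip(root / "logs", root / "support.zip")
    with zipfile.ZipFile(root / "support.zip") as zf:
        return added, skipped, zf.namelist()
```

The symlink carries an allowlisted name on purpose: the name check alone would accept it, and it is the `O_NOFOLLOW` open that keeps the linked file out of the archive.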

Added: Dec 3, 2025, 5:34 PM
Updated: Dec 3, 2025, 5:34 PM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 6.7
exploitability: 4.4
remediation: 0.0
relevance: 1.3
threat: 6.4
urgency: 2.9
incentive: 0.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.