Intego Personal Backup Local Privilege Escalation Vulnerability
Vulnerability
A local privilege escalation vulnerability has been identified in Intego Personal Backup, a macOS backup utility. This vulnerability arises because backup task definitions are stored in a location writable by non-privileged users, yet they are processed with elevated privileges. By creating a malicious serialized task file, a local attacker can manipulate file writes to sensitive system locations, ultimately escalating privileges to root.
Impact
Exploiting this vulnerability lets a local attacker escalate privileges and gain root access.
Reproduction
The vulnerability can be reproduced by creating a backup task in Intego Personal Backup. The task definition is saved as a binary .plist file in a directory accessible to non-privileged users. After analyzing the file structure, including security bookmarks, a malicious .plist file can be crafted to overwrite a system file such as /etc/pam.d/su. Once the crafted file is in place, the backup task can be executed, triggering the privilege escalation.
