Talos Vulnerability Report

TALOS-2024-2060

Veertu Anka Build node agent update privilege escalation vulnerability

October 3, 2024
CVE Number

CVE-2024-39755

SUMMARY

A privilege escalation vulnerability exists in the node update functionality of Veertu Anka Build 1.42.0. A specially crafted PKG file can lead to the execution of privileged operations. An attacker can make an unauthenticated HTTP request to trigger this vulnerability.

CONFIRMED VULNERABLE VERSIONS

The versions below were either tested or verified to be vulnerable by Talos or confirmed to be vulnerable by the vendor.

Veertu Anka Build 1.42.0

PRODUCT URLS

Anka Build - https://veertu.com/download-anka-build/

CVSSv3 SCORE

7.8 - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CWE

CWE-282 - Improper Ownership Management

DETAILS

Anka Build is a suite of software tools designed for macOS virtualization, specifically for testing macOS or iOS applications in CI/CD environments. The suite comprises three main components: Controller, Registry, and Nodes. Anka Build Controller is a centralized dashboard for managing nodes, VM instances, templates, tags, and logs. Anka Build Registry serves as the central repository for macOS VM templates and tags, facilitating easy access and version control. Anka Build Nodes are macOS hosts that run on-demand VM instances.

A privilege escalation vulnerability exists in Anka Build when a Node joins the Controller or an already-joined Node is updated. When a Node is added to the Controller, an Agent package is installed on the Node. A Node can join the Controller by executing the following ankacluster command on the Node system:

ankacluster join <http://controller-address>

When the above command is executed, an ankaAgent.pkg file is downloaded to the /tmp directory, and subsequently, the PKG file is installed.

Once a Node joins the Controller, the agent on the Node can be updated by sending a PUT request to the controller URI /api/v1/node/update. This also triggers the download of ankaAgent.pkg to the /tmp directory, followed by the installation of the PKG file.

By default, a low-privilege user has write permission to the /tmp directory. To exploit this vulnerability, a low-privilege user can create a file named ankaAgent.pkg in the /tmp directory. When a Node join or Node update action is triggered, the file ankaAgent.pkg will be overwritten with the actual Anka agent PKG file. Because the download overwrites the pre-created file in place rather than creating a new one, the file keeps its original owner, so the low-privilege user retains write access to it even though the download runs as root. There is a window of opportunity between the file being downloaded and the file being run for installation. During this window, the low-privilege user can replace the contents of ankaAgent.pkg with a malicious PKG file. When the installation process runs, it will install the malicious PKG on the system.

When a node update request is sent to the controller, the controller creates a PKG install task, invoking the veertu.com/veertu/ankaCloud/agent/listener.(*AgentListener).DownloadAndInstallPKG method of the anka_agent LaunchDaemon to update the Anka agent. The decompiled code of veertu.com/veertu/ankaCloud/agent/listener.(*AgentListener).DownloadAndInstallPKG is as follows:

    pkg_path.ptr = (char *)&tmp_anka_agent_pkg_path;  //  <------- (1)
    pkg_path.len = 18LL;
    v26 = veertu_com_veertu_ankaCloud_agent_listener__ptr_AgentListener_downloadFile(
            v47,
            v50,
            pkg_path,
            ControllerClient);  //  <------- (2)
    data = v26.data;
    tab = v26.tab;

    [...]

    v28 = veertu_com_veertu_ankaCloud_agent_listener__ptr_AgentListener_installPKG(v47, v51); //  <------- (3)
    if ( v28.tab )

At (1) the path /tmp/AnkaAgent.pkg is assigned to the variable pkg_path. At (2), veertu.com/veertu/ankaCloud/agent/listener.(*AgentListener).downloadFile is called to download the PKG file to /tmp/AnkaAgent.pkg. The veertu.com/veertu/ankaCloud/agent/listener.(*AgentListener).installPKG is invoked at (3). The decompiled code of veertu.com/veertu/ankaCloud/agent/listener.(*AgentListener).installPKG is as follows:

    v41 = &unk_1006B0EAB;
    v42[0] = 4LL;
    v42[1] = (__int64)v44;
    v42[2] = v46;
    v42[3] = (__int64)&unk_1006B3781;
    v42[4] = 7LL;
    v42[5] = (__int64)&syscall__stmp_42;
    v42[6] = 1LL;
    v38 = (_ptr_exec_Cmd)os_exec_Command(&unk_1006B6153, 9LL, &v41, 4LL);// <------------------- (4)
    v15 = (syscall_SysProcAttr *)runtime_newobject(&type_cLmOVQFt);
    v15->Setpgid = 1;

The installPKG method executes the installer command at (4), which installs whatever PKG file is present at the /tmp path at that moment.

By exploiting this vulnerability, a low-privilege user can potentially escalate their privileges to that of a root user.
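The following Go program is an added illustration written for this report; it is not Anka's code and is not derived from the decompiled listener above. It models the download-then-install flow described in DETAILS in two forms: a vulnerable variant that writes the package to a fixed, attacker-predictable name in a shared directory and hands only the path to the installer, and a hardened variant that downloads into a private 0700 directory with a random name, refuses to write through a pre-existing file or symlink, and, immediately before the install step, checks that the file at the install path is still the inode it wrote, owned by the running uid, not writable by others, and hashing to the digest recorded at download time. The function names, the "ankaAgent.pkg" file name and the constructed package bytes are assumptions for the demonstration; a scratch directory stands in for /tmp so the program can run anywhere.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"io"
	"os"
	"path/filepath"
	"syscall"
)

// downloadVulnerable models the flow the advisory describes (not Anka's source):
// the package goes to a fixed name in a world-writable directory and only the
// path reaches the installer, so any local user can swap the file in between.
func downloadVulnerable(tmpDir string, pkg []byte) (string, error) {
	path := filepath.Join(tmpDir, "ankaAgent.pkg") // attacker-predictable
	if err := os.WriteFile(path, pkg, 0o644); err != nil {
		return "", err
	}
	return path, nil
}

// downloadHardened writes into a fresh private directory (MkdirTemp: 0700,
// random suffix), refuses to write through a pre-existing file or symlink
// (O_EXCL), and keeps the descriptor so the installed bytes can be checked.
func downloadHardened(baseDir string, pkg []byte) (*os.File, string, error) {
	dir, err := os.MkdirTemp(baseDir, "anka-agent-")
	if err != nil {
		return nil, "", err
	}
	f, err := os.OpenFile(filepath.Join(dir, "ankaAgent.pkg"),
		os.O_RDWR|os.O_CREATE|os.O_EXCL, 0o600)
	if err != nil {
		return nil, "", err
	}
	h := sha256.New()
	if _, err := io.MultiWriter(f, h).Write(pkg); err != nil {
		f.Close()
		return nil, "", err
	}
	return f, hex.EncodeToString(h.Sum(nil)), nil
}

// verifyPKG is the gate immediately before the installer is handed the path:
// the file at path must be the very inode we wrote (a swapped file or planted
// symlink fails os.SameFile), owned by us, single-linked, not writable by
// others, and must still hash to the digest recorded at download time.
func verifyPKG(f *os.File, path, wantDigest string) error {
	fi, err := f.Stat()
	if err != nil {
		return err
	}
	pi, err := os.Lstat(path) // Lstat so a symlink is not followed
	if err != nil {
		return err
	}
	if !os.SameFile(fi, pi) {
		return errors.New("file at path is not the one we downloaded")
	}
	st, ok := fi.Sys().(*syscall.Stat_t)
	if !ok {
		return errors.New("no Unix stat information")
	}
	if int(st.Uid) != os.Getuid() || st.Nlink != 1 || fi.Mode().Perm()&0o022 != 0 {
		return errors.New("unexpected owner, link count or permissions")
	}
	if _, err := f.Seek(0, io.SeekStart); err != nil {
		return err
	}
	h := sha256.New()
	if _, err := io.Copy(h, f); err != nil {
		return err
	}
	if got := hex.EncodeToString(h.Sum(nil)); got != wantDigest {
		return fmt.Errorf("digest mismatch: got %s, want %s", got, wantDigest)
	}
	return nil
}

func main() {
	base, _ := os.MkdirTemp("", "demo-tmp-") // stands in for /tmp (constructed)
	defer os.RemoveAll(base)
	genuine := []byte("xar!genuine agent package (constructed stand-in)")

	// Vulnerable flow: an unprivileged writer swaps the file in the window.
	p, _ := downloadVulnerable(base, genuine)
	_ = os.WriteFile(p, []byte("xar!malicious package"), 0o644)
	got, _ := os.ReadFile(p)
	fmt.Printf("vulnerable flow would install: %q\n", got)

	// Hardened flow: private directory, then verification right before install.
	f, digest, _ := downloadHardened(base, genuine)
	defer f.Close()
	fmt.Println("hardened verify before install:", verifyPKG(f, f.Name(), digest))
}
```

The private directory is the control that actually closes the race: /tmp is sticky and world-writable, so anyone can create a directory there, but nobody other than the owner and root can enter a 0700 directory, which removes the low-privilege user's write access to the package. The checks in verifyPKG are defence in depth for the remaining gap between the check and the exec, since the installer opens the file by path. Note that the digest here only ties the installed bytes to what the agent itself downloaded; it does not authenticate the controller. Verifying the package signature (for example with pkgutil --check-signature on macOS) or pinning a digest delivered over an authenticated channel would be the stronger complement.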

VENDOR RESPONSE

Fixed in Anka Build Cloud 1.43.0.

TIMELINE

2024-08-12 - Vendor Disclosure
2024-08-12 - Initial Vendor Contact
2024-09-30 - Vendor Patch Release
2024-10-03 - Public Release

Credit

Discovered by KPC of Cisco Talos.