Full Report
The Arc browser had just announced its bug bounty program, so the author went looking for low-hanging fruit. They quickly found some interesting endpoints: arc://boost/v2/js and arc://boost/v2/css. These provide a nice UI for creating Boosts, which are effectively extensions with some additional special configuration. Looking at the paths, they found the /play endpoint. It took Base64-encoded data that was decoded into JSON and used to configure the Boost.

The installed-Boost UI can carry custom styling, so it is possible to change the contents via CSS to look like one Boost while actually being another. Installation requires a click, and this trickery can be used to confuse a user into installing it. When a Boost is added, its information is written to a folder as several files. In the supplied JSON, you control the paths of the various files being stored, and those paths were vulnerable to directory traversal on the file write. This gave them an arbitrary file write vulnerability.

LaunchAgent plist files are run whenever a user logs in or the system starts. By writing a file to that location, arbitrary commands will be executed: once the system restarts after the file write, the attacker has arbitrary command execution on the system. After doing this research, they found that the /play endpoint was not mentioned anywhere, which indicated to the author that the functionality was never meant for public use. To patch it, the functionality for the legacy boost builder was removed. They received a nice 10K bounty for reporting the vulnerability.
Analysis Summary
# Vulnerability: Path Traversal and Arbitrary File Write in Arc Browser via Legacy Boost Builder
## CVE Details
- **CVE ID:** Not explicitly assigned in the report (Referenced as Arc Bug Bounty Report)
- **CVSS Score:** 9.6 (Estimated - Critical)
- **CWE:** CWE-22 (Path Traversal), CWE-345 (Insufficient Verification of Data Authenticity)
## Affected Systems
- **Products:** Arc Browser (macOS)
- **Versions:** Versions prior to the fix in August/September 2024
- **Configurations:** Systems where the legacy Boost creation tool was active and accessible via the `arc://boost/play/` endpoint.
## Vulnerability Description
The vulnerability stems from a hidden legacy endpoint, `arc://boost/play/[payload]`, used for the "Boost" feature (Arc's version of browser extensions).
1. **UI Spoofing:** The endpoint accepts a Base64-encoded JSON array that defines the Boost's configuration. An attacker can supply a `manifest.json` with high-privilege permissions (e.g., access to `file://` URIs) while using a different `boost.config.json` to make the UI look like a benign styling extension.
2. **Path Traversal:** Within the JSON payload, the `path` and `name` parameters used for storing the Boost files locally did not undergo proper sanitization.
3. **Arbitrary File Write:** By using `../` sequences in the file paths, an attacker can escape the intended extension directory and write arbitrary files anywhere the user has write permissions on the filesystem.
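The containment check that the file-write step above was missing, shown as an added example rather than Arc's own code. It models the `/play` payload as a Base64-encoded JSON array whose entries carry the `path` field named above; the entry layout, the sample payload and the `/tmp/arc-boosts/...` directory are assumptions constructed for the demo.

```python
import base64
import json
from pathlib import Path, PurePosixPath


def encode_boost_payload(entries: list[dict]) -> str:
    """Build the Base64-encoded JSON array the hypothetical /play endpoint accepts."""
    return base64.b64encode(json.dumps(entries).encode()).decode()


def decode_boost_payload(encoded: str) -> list[dict]:
    """Inverse of encode_boost_payload: Base64 text -> JSON array of file entries."""
    return json.loads(base64.b64decode(encoded))


# Constructed sample payload: one legitimate manifest and one entry whose
# attacker-controlled "path" tries to climb out of the Boost's own folder.
SAMPLE_PAYLOAD = encode_boost_payload([
    {"name": "manifest.json", "path": "manifest.json", "content": "{}"},
    {"name": "agent.plist", "path": "../../LaunchAgents/com.example.plist",
     "content": "<plist/>"},
])


def safe_boost_file(boost_dir: Path, relative: str) -> Path:
    """Return the absolute path for `relative` inside `boost_dir`, or raise ValueError.

    Rejects absolute paths, empty paths and any `..` component up front, then
    re-checks containment after resolve() so a symlink cannot redirect the write.
    """
    rel = PurePosixPath(relative)
    if rel.is_absolute() or not rel.parts or ".." in rel.parts:
        raise ValueError(f"unsafe path component in {relative!r}")
    base = boost_dir.resolve()
    target = (base / rel).resolve()
    if base not in target.parents:  # must be strictly below the Boost directory
        raise ValueError(f"{relative!r} escapes {base}")
    return target


def plan_writes(boost_dir: str, encoded: str) -> tuple[list[str], list[str]]:
    """Split a payload into paths that may be written and paths that were rejected."""
    accepted, rejected = [], []
    for entry in decode_boost_payload(encoded):
        try:
            accepted.append(str(safe_boost_file(Path(boost_dir), entry["path"])))
        except ValueError:
            rejected.append(entry["path"])
    return accepted, rejected
```

`plan_writes("/tmp/arc-boosts/demo", SAMPLE_PAYLOAD)` keeps only the manifest and reports the LaunchAgents path as rejected; nothing is written to disk by this example.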
## Exploitation
- **Status:** PoC available (demonstrated by researcher)
- **Complexity:** Medium (Requires crafting a specific JSON payload and social engineering the user to click "Install")
- **Attack Vector:** Network/Web (Triggered via a malicious link leading to the `arc://` scheme)
## Impact
- **Confidentiality:** High (Full local file read via malicious extension permissions)
- **Integrity:** High (Arbitrary file overwrite/creation, including system configuration files)
- **Availability:** High (Potential to render the OS unbootable by overwriting critical files like `/etc/passwd`)
- **Remote Code Execution (RCE):** By writing a malicious `.plist` file to the `~/Library/LaunchAgents` directory, the attacker can achieve arbitrary command execution upon the next user login or system restart.
## Remediation
### Patches
- The vulnerable `arc://boost/play` functionality/legacy builder was completely removed by the Arc development team.
- Ensure Arc Browser is updated to the latest version.
### Workarounds
- No manual workaround is necessary if the browser is updated, as the endpoint responsible for the exploit has been decommissioned.
## Detection
- **Indicators of compromise:** Presence of unexpected `.plist` files in `~/Library/LaunchAgents` or unusual browser extensions with permissions to "all website data" and "file URLs."
- **Detection methods:** Monitor for any web-based attempts to redirect users to `arc://boost/v2/` or `arc://boost/play/` URLs.
## References
- **Vendor Security Site:** hxxps[://]arc[.]net/security
- **Researcher Write-up:** hxxps[://]medium[.]com/@renwa/arc-browser-uxss-local-file-read-arbitrary-file-creation-and-path-traversal-to-rce-b439f2a299d1