CVE-2015-1130
Published 2015-04-10
Priority: P1 (81, high)
CVSS 3.1: 7.8 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
Tags: KEV, ITW, exploit
CISA Known Exploited Vulnerability, remediation due 2022-08-10
Exploited in the wild
EPSS: 9.89% (95.0th percentile)
The XPC implementation in Admin Framework in Apple OS X before 10.10.3 allows local users to bypass authentication and obtain admin privileges via unspecified vectors.
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| apple | mac_os_x | < 10.10.3 | 10.10.3 |
| apple | os_x_yosemite_v10.10.3_and_security_update_2015-004 | — | — |
Detection & IOCs (extracted from sources)
- Monitor for processes loading the private frameworks SystemAdministration.framework or Admin.framework via dlopen/ctypes from non-system processes; this is the core mechanism of the Rootpipe exploit.
- Detect invocation of the WriteConfigClient.sharedClient() and authenticateUsingAuthorizationSync_(None) ObjC calls from user-space Python scripts; this is the exploit's authentication bypass mechanism.
- Alert on files written to /.Trashes with random 8-character alphabetic names followed by execution; this is the Metasploit module's default staging pattern for both the exploit script and the payload.
- Detect Python scripts executing from /.Trashes or other writable directories that pass two identical file paths as arguments (payload written and then executed as root), matching the exploit's usage pattern.
- Monitor for files created with the SUID bit (mode 04777) by non-root processes; this is the privilege escalation payload delivery mechanism used by the exploit.
- Detect use of the Authenticator.sharedAuthenticator() and ToolLiaison.sharedToolLiaison() ObjC classes from user-space processes on OS X 10.7–10.8, indicating use of the exploit's older API path.
- Flag shell sessions on macOS where 'groups | grep -wq admin' is executed programmatically; the Metasploit module runs this to verify admin group membership before launching the exploit.
- Caveat: the exploit requires the attacking user to already be a member of the admin group; it does not work from a standard (non-admin) user account.
- Caveat: the patch was not backported to OS X releases before 10.10.3; systems running 10.7–10.10.2 remain vulnerable even after applying all available updates for those branches.
- Caveat: the Metasploit module targets the x86_64 architecture only and uses an osx/x64/shell_reverse_tcp payload by default; detections scoped to other architectures will miss this module.
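The indicators above can be turned into correlating detection logic. The following is an added example, not code from this page, from Apple, or from the Metasploit/TrueSec authors: it runs the seven detection rules over a constructed stream of endpoint events. The event schema (dicts with 'type', 'pid', 'uid', 'exe' and per-type fields) and the allowlist of "expected" loaders are assumptions standing in for whatever an EDR or Endpoint Security client emits; map real telemetry onto them before use.

```python
"""Detection logic for the Rootpipe (CVE-2015-1130) host indicators.

Added example; not code from the page, Apple, Rapid7 or TrueSec.
The event format and the loader allowlist are assumptions.
"""
import os
import re

PRIVATE_ADMIN_FRAMEWORKS = (
    "/System/Library/PrivateFrameworks/Admin.framework/",
    "/System/Library/PrivateFrameworks/SystemAdministration.framework/",
)
# Classes/selectors used by the published PoC: the WriteConfigClient path
# on 10.9+ and the older Authenticator/ToolLiaison path on 10.7-10.8.
ROOTPIPE_OBJC = {
    "WriteConfigClient", "authenticateUsingAuthorizationSync:",
    "Authenticator", "ToolLiaison",
}
# Metasploit staging pattern: /.Trashes/<8 random letters> for script and payload.
TRASHES_STAGING = re.compile(r"^/\.Trashes/[A-Za-z]{8}$")
# Assumption: scripting hosts never legitimately touch the Admin frameworks.
INTERPRETERS = {"python", "python2.7", "ruby", "perl", "osascript"}
ADMIN_CHECK = "groups | grep -wq admin"


def unexpected_loader(exe):
    """True for interpreters and anything outside /System/Library.
    Assumption: tune this to the loaders actually observed on your fleet."""
    return (os.path.basename(exe) in INTERPRETERS
            or not exe.startswith("/System/Library/"))


def detect(events):
    """Return (rule_id, pid, detail) hits. Events are processed in order so a
    /.Trashes write can be correlated with a later execution of that path."""
    hits = []
    staged = set()  # /.Trashes paths written with the 8-letter staging pattern
    for ev in events:
        kind, pid, exe = ev["type"], ev["pid"], ev["exe"]
        if kind == "image_load":
            if ev["image"].startswith(PRIVATE_ADMIN_FRAMEWORKS) and unexpected_loader(exe):
                hits.append(("admin_framework_load", pid, ev["image"]))
        elif kind == "objc_call":
            if ev["symbol"] in ROOTPIPE_OBJC and unexpected_loader(exe):
                hits.append(("rootpipe_objc_api", pid, ev["symbol"]))
        elif kind == "file_create":
            if TRASHES_STAGING.match(ev["path"]):
                staged.add(ev["path"])
        elif kind == "process_exec":
            argv = ev["argv"]
            cmdline = " ".join(argv)
            if any(a in staged for a in argv):
                hits.append(("trashes_staged_exec", pid, cmdline))
            # PoC usage: interpreter <script> <path> <path> (same path twice)
            if (os.path.basename(argv[0]) in INTERPRETERS and len(argv) >= 3
                    and argv[-1] == argv[-2] and argv[-1].startswith("/")):
                hits.append(("duplicate_path_args", pid, argv[-1]))
            if ADMIN_CHECK in cmdline:
                hits.append(("admin_group_probe", pid, cmdline))
        elif kind == "chmod":
            # SUID payload dropped by a non-root process
            if ev["mode"] == 0o4777 and ev["uid"] != 0:
                hits.append(("suid_by_non_root", pid, ev["path"]))
    return hits


# Constructed sample telemetry: one Metasploit-style run by uid 501, followed
# by benign noise (a /System/Library binary running as root loads the framework).
SAMPLE_EVENTS = [
    {"type": "process_exec", "pid": 501, "uid": 501, "exe": "/bin/sh",
     "argv": ["sh", "-c", "groups | grep -wq admin"]},
    {"type": "file_create", "pid": 502, "uid": 501, "exe": "/usr/bin/python",
     "path": "/.Trashes/qwerTyui"},
    {"type": "file_create", "pid": 502, "uid": 501, "exe": "/usr/bin/python",
     "path": "/.Trashes/AsdfGhjk"},
    {"type": "process_exec", "pid": 503, "uid": 501, "exe": "/usr/bin/python",
     "argv": ["python", "/.Trashes/qwerTyui", "/.Trashes/AsdfGhjk", "/.Trashes/AsdfGhjk"]},
    {"type": "image_load", "pid": 503, "uid": 501, "exe": "/usr/bin/python",
     "image": "/System/Library/PrivateFrameworks/Admin.framework/Versions/A/Admin"},
    {"type": "objc_call", "pid": 503, "uid": 501, "exe": "/usr/bin/python",
     "symbol": "authenticateUsingAuthorizationSync:"},
    {"type": "chmod", "pid": 503, "uid": 501, "exe": "/usr/bin/python",
     "path": "/.Trashes/AsdfGhjk", "mode": 0o4777},
    {"type": "image_load", "pid": 88, "uid": 0,
     "exe": "/System/Library/CoreServices/loginwindow.app/Contents/MacOS/loginwindow",
     "image": "/System/Library/PrivateFrameworks/Admin.framework/Versions/A/Admin"},
]

if __name__ == "__main__":
    for rule, pid, detail in detect(SAMPLE_EVENTS):
        print("%-22s pid=%d %s" % (rule, pid, detail))
```

Two of the rules are worth keeping even on patched fleets: the admin-group probe and the /.Trashes staging pattern are module behaviour, not vulnerability behaviour, so they fire on the Metasploit module regardless of whether the target was actually exploitable.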
CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 7.8 | HIGH | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
| nvd | v2.0 | 7.2 | HIGH | AV:L/AC:L/Au:N/C:C/I:C/A:C |
| vulncheck | — | 7.8 | HIGH | — |
| cisa | — | 7.8 | HIGH | — |
CISA
Apple OS X Authentication Bypass Vulnerability
cisa·2022-02-10·CVSS 7.8
CVE-2015-1130 [HIGH] CWE-254 Apple OS X Authentication Bypass Vulnerability
Vulnerability: Apple OS X Authentication Bypass Vulnerability
Affected: Apple OS X
The XPC implementation in Admin Framework in Apple OS X before 10.10.3 allows local users to bypass authentication and obtain admin privileges.
Required Action: Apply updates per vendor instructions.
Notes: https://nvd.nist.gov/vuln/detail/CVE-2015-1130
Remediation Due Date: 2022-08-10
Apple
CVE-2015-1130: OS X Yosemite v10.10.3 and Security Update 2015-004
vendor_apple·CVSS 7.8
CVE-2015-1130 [HIGH] CVE-2015-1130: OS X Yosemite v10.10.3 and Security Update 2015-004
Apple Security Update: About the security content of OS X Yosemite v10.10.3 and Security Update 2015-004
Product: OS X Yosemite v10.10.3 and Security Update 2015-004
CVE: CVE-2015-1130
Component: Admin Framework
Impact: A process may gain admin privileges without properly authenticating
Description: An issue existed when checking XPC entitlements. This issue was addressed with improved entitlement checking. Credit: Emil Kvarnhammar at TrueSec.
GHSA
GHSA-2697-3jf6-rpjg: The XPC implementation in Admin Framework in Apple OS X before 10
ghsa_unreviewed·2022-05-17
CVE-2015-1130 [HIGH] CWE-59 GHSA-2697-3jf6-rpjg: The XPC implementation in Admin Framework in Apple OS X before 10
The XPC implementation in Admin Framework in Apple OS X before 10.10.3 allows local users to bypass authentication and obtain admin privileges via unspecified vectors.
VulnCheck
Apple OS X Authentication Bypass Vulnerability
vulncheck·2015·CVSS 7.8
CVE-2015-1130 [HIGH] CWE-254 Apple OS X Authentication Bypass Vulnerability
Apple OS X Authentication Bypass Vulnerability
The XPC implementation in Admin Framework in Apple OS X before 10.10.3 allows local users to bypass authentication and obtain admin privileges.
Affected: Apple MacOS X
Required Action: Apply updates per vendor instructions.
Exploitation References: https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json
Exploit PoC: https://vulncheck.com/xdb/0014762ccc68; https://vulncheck.com/xdb/afd1ccbf6e8d
Remediation Due: 2022-08-10
No detection rules found.
Exploit-DB
Apple Mac OSX - 'Rootpipe' Local Privilege Escalation (Metasploit)
exploitdb·2015-04-13
CVE-2015-1130 Apple Mac OSX - 'Rootpipe' Local Privilege Escalation (Metasploit)
Apple Mac OSX - 'Rootpipe' Local Privilege Escalation (Metasploit)
---
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'msf/core'

class Metasploit4 < Msf::Exploit::Local

  def initialize(info = {})
    super(update_info(info,
      'Name'        => 'Mac OS X "Rootpipe" Privilege Escalation',
      'Description' => %q{
        This module exploits a hidden backdoor API in Apple's Admin framework on
        Mac OS X to escalate privileges to root. Dubbed "Rootpipe."

        Tested on Yosemite 10.10.2 and should work on previous versions.

        The patch for this issue was not backported to older releases.

        Note: you must run this exploit as an admin user to escalate to root.
      },
      'Author' => [
        'Emil Kvarnhammar', # Vulnerability discovery and PoC
        'joev',             # Copy/paste monkey
        'wvu'               # Meta copy/paste monkey
      ],
      'References' => [
        [
Exploit-DB
Apple Mac OSX < 10.7.5/10.8.2/10.9.5/10.10.2 - 'Rootpipe' Local Privilege Escalation
exploitdb·2015-04-09·CVSS 7.8
CVE-2015-1130 [HIGH] Apple Mac OSX < 10.7.5/10.8.2/10.9.5/10.10.2 - 'Rootpipe' Local Privilege Escalation
Apple Mac OSX < 10.7.5/10.8.2/10.9.5/10.10.2 - 'Rootpipe' Local Privilege Escalation
---
########################################################
#
# PoC exploit code for rootpipe (CVE-2015-1130)
#
# Created by Emil Kvarnhammar, TrueSec
#
# Tested on OS X 10.7.5, 10.8.2, 10.9.5 and 10.10.2
#
########################################################

import os
import sys
import platform
import re
import ctypes
import objc
from Cocoa import NSData, NSMutableDictionary, NSFilePosixPermissions
from Foundation import NSAutoreleasePool

def load_lib(append_path):
    # Load a private framework by absolute path (Admin.framework or
    # SystemAdministration.framework, depending on the OS X release)
    return ctypes.cdll.LoadLibrary("/System/Library/PrivateFrameworks/" + append_path)

def use_old_api():
    # OS X 10.7 and 10.8 expose the older Authenticator/ToolLiaison API path
    return re.match("^(10.7|10.8)(.\d)?$", platform.mac_ver()[0])

args = sys.argv
if len(args) != 3:
    print "usage: exploit
Metasploit
Apple OS X Rootpipe Privilege Escalation
metasploit
This module exploits a hidden backdoor API in Apple's Admin framework on Mac OS X to escalate privileges to root, dubbed "Rootpipe." This module was tested on Yosemite 10.10.2 and should work on previous versions. The patch for this issue was not backported to older releases. Note: you must run this exploit as an admin user to escalate to root.
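The module description and the caveats above fix three preconditions a responder needs when triaging a host: the release must be unpatched (fixed only in 10.10.3, no backport to 10.7–10.10.2), the user must already be in the admin group, and the Metasploit module is x86_64-only. The following is an added example, not code from the page, Rapid7 or TrueSec, that encodes those facts as a triage helper; the version-to-API-path mapping follows the PoC's use_old_api() check, releases before 10.7 are reported as untested because the PoC was only tested on 10.7.5 through 10.10.2, and the local-collection helper (sw_vers-style version from platform.mac_ver, groups from `id -Gn`) is an assumption about how you would gather the inputs.

```python
"""Triage helper for CVE-2015-1130 (Rootpipe) exposure on a macOS host.

Added example; not code from the page, Apple, Rapid7 or TrueSec. The
thresholds come from the page's own statements (fixed in 10.10.3, no
backport, admin-only, x86_64-only Metasploit module).
"""
import platform
import subprocess

FIXED_IN = (10, 10, 3)
OLDEST_TESTED = (10, 7, 0)
NEW_API_FROM = (10, 9, 0)   # below this the PoC uses Authenticator/ToolLiaison


def parse_version(s):
    """'10.10.2' -> (10, 10, 2). Tuple comparison avoids the string-compare
    bug where '10.10.10' sorts before '10.10.3'."""
    parts = tuple(int(p) for p in s.strip().split("."))
    return parts + (0,) * (3 - len(parts))


def assess(product_version, arch, groups):
    """Classify a host from its product version, machine arch and group list."""
    v = parse_version(product_version)
    result = {"version": product_version, "findings": []}
    if v >= FIXED_IN:
        result["vulnerable"] = False
        result["findings"].append("patched: 10.10.3 or later")
        return result
    if v < OLDEST_TESTED:
        result["vulnerable"] = None  # unknown: outside the tested range
        result["findings"].append("untested release before 10.7; verify manually")
        return result
    result["vulnerable"] = True
    result["findings"].append("unpatched: no fix was backported below 10.10.3")
    result["api_path"] = ("Authenticator/ToolLiaison" if v < NEW_API_FROM
                          else "WriteConfigClient")
    result["admin_user"] = "admin" in groups
    if not result["admin_user"]:
        result["findings"].append("current user is not in admin; exploit does not apply from this account")
    result["msf_module_applies"] = result["admin_user"] and arch == "x86_64"
    if arch != "x86_64":
        result["findings"].append("Metasploit module is x86_64-only; PoC script still applies")
    return result


def local_assessment():
    """Assumption: collect inputs on the running Mac. Not called on import."""
    version = platform.mac_ver()[0]
    groups = subprocess.check_output(["id", "-Gn"]).decode().split()
    return assess(version, platform.machine(), groups)


if __name__ == "__main__":
    for ver, arch, grp in [("10.10.2", "x86_64", ["staff", "admin"]),
                           ("10.8.5", "x86_64", ["staff"]),
                           ("10.10.3", "x86_64", ["admin"])]:
        print(ver, assess(ver, arch, grp))
```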
No writeups or analysis indexed.
References
- http://lists.apple.com/archives/security-announce/2015/Apr/msg00001.html
- http://www.osvdb.org/120418
- http://www.securityfocus.com/bid/73982
- http://www.securitytracker.com/id/1032048
- https://support.apple.com/HT204659
- https://www.exploit-db.com/exploits/36692/
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2015-1130
Timeline
- 2015-04-10: Published
- 2022-02-10: Added to CISA KEV (exploited in the wild)