CVE-2015-1130
published 2015-04-10

Priority: P1, 81, high
CVSS 3.1: 7.8 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
Tags: KEV, ITW, EXPLOIT
CISA Known Exploited Vulnerability, due 2022-08-10
Exploited in the wild
EPSS: 9.89% (95.0th percentile)
The XPC implementation in Admin Framework in Apple OS X before 10.10.3 allows local users to bypass authentication and obtain admin privileges via unspecified vectors.

Affected (2 ranges)

Vendor   Product                                               Version range   Fixed in
apple    mac_os_x                                              < 10.10.3       10.10.3
apple    os_x_yosemite_v10.10.3_and_security_update_2015-004   -               -

Detection & IOCs (extracted from sources)

path: /System/Library/PrivateFrameworks/Admin.framework/Admin
path: /System/Library/PrivateFrameworks/SystemAdministration.framework/SystemAdministration
path: /.Trashes
command: groups | grep -wq admin && echo true
command: client.authenticateUsingAuthorizationSync_(None)
command: tool.createFileWithContents_path_attributes_(data, dest_binary, attr, 0)
  • Monitor for processes loading the private framework SystemAdministration.framework or Admin.framework via dlopen/ctypes from non-system processes, which is the core mechanism of the Rootpipe exploit.
  • Detect invocation of the WriteConfigClient.sharedClient() and authenticateUsingAuthorizationSync_(None) ObjC calls from user-space Python scripts, which is the exploit's authentication bypass mechanism.
  • Alert on files written to /.Trashes with random 8-character alpha names followed by execution, which is the Metasploit module's default staging pattern for both the exploit script and payload.
  • Detect Python scripts executing from /.Trashes or other writable directories that pass two identical file paths as arguments (payload written and then executed as root), matching the exploit's usage pattern.
  • Monitor for files created with SUID bit (mode 04777) by non-root processes, which is the privilege escalation payload delivery mechanism used by the exploit.
  • Detect use of the Authenticator.sharedAuthenticator() and ToolLiaison.sharedToolLiaison() ObjC classes from user-space processes on OS X 10.7–10.8, indicating use of the older API path of the exploit.
  • Flag shell sessions on macOS where 'groups | grep -wq admin' is executed programmatically, as this is used by the Metasploit module to verify admin group membership before launching the exploit.
  • The exploit requires the attacking user to already be a member of the admin group; it does not work from a standard (non-admin) user account.
  • The patch was not backported to OS X versions prior to 10.10.3; systems running 10.7–10.10.2 remain vulnerable even after applying all available updates for those branches.
  • The Metasploit module targets the x86_64 architecture only and uses an osx/x64/shell_reverse_tcp payload by default; detections scoped to other architectures will miss this module.
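The detection bullets above can be turned into a small rule pass over endpoint telemetry. The following is an added example, not part of this record or of any vendor's product: it encodes four of the listed indicators (non-system process loading Admin.framework or SystemAdministration.framework, a Python script run from /.Trashes with duplicated path arguments, a 04777-mode file created by a non-root user, and the programmatic `groups | grep -wq admin` probe) as checks over a constructed event schema. The event format, the `SYSTEM_PREFIXES` allowlist, and the sample events are assumptions made for the example.

```python
"""Toy detection pass for the CVE-2015-1130 (Rootpipe) indicators listed above.

The event dictionaries and their field names are constructed for this example;
they do not correspond to any real EDR or log format.
"""
import re

# Indicator paths quoted in the record above.
PRIVATE_FRAMEWORKS = {
    "/System/Library/PrivateFrameworks/Admin.framework/Admin",
    "/System/Library/PrivateFrameworks/SystemAdministration.framework/SystemAdministration",
}
# Binaries under these prefixes are treated as system processes (assumption for this example).
SYSTEM_PREFIXES = ("/System/", "/usr/libexec/", "/usr/sbin/", "/sbin/")
# Staging pattern from the record: /.Trashes plus a random 8-character alphabetic name.
TRASHES_STAGING = re.compile(r"^/\.Trashes/[A-Za-z]{8}$")
# Admin-group membership probe quoted in the record.
ADMIN_PROBE = re.compile(r"groups\s*\|\s*grep\s+-wq\s+admin")


def is_system_process(exe):
    return exe.startswith(SYSTEM_PREFIXES)


def check_event(ev):
    """Return the list of rule names that a single event triggers."""
    rules = []
    kind = ev["type"]
    if kind == "image_load":
        # Private admin frameworks loaded by something that is not a system binary.
        if ev["image"] in PRIVATE_FRAMEWORKS and not is_system_process(ev["exe"]):
            rules.append("private_framework_load")
    elif kind == "exec":
        argv = ev["argv"]
        if ev["exe"].endswith("python"):
            script = argv[1] if len(argv) > 1 else ""
            # Script staged under /.Trashes with the random 8-character name.
            if TRASHES_STAGING.match(script):
                rules.append("trashes_script_exec")
            # Same absolute path passed twice as script arguments.
            paths = [a for a in argv[2:] if a.startswith("/")]
            if len(paths) != len(set(paths)):
                rules.append("duplicate_path_args")
        # Shell-driven admin group membership check.
        if any(ADMIN_PROBE.search(a) for a in argv):
            rules.append("admin_group_probe")
    elif kind == "file_create":
        # SUID + world-writable (04777) file created by a non-root user.
        if ev["user"] != "root" and (ev["mode"] & 0o7777) == 0o4777:
            rules.append("suid_world_writable_create")
    return rules


def scan(events):
    """Run every event through check_event; return (event index, rule) pairs."""
    hits = []
    for i, ev in enumerate(events):
        for rule in check_event(ev):
            hits.append((i, rule))
    return hits


# Constructed sample telemetry: events 0, 2, 3 and 4 should fire; 1 and 5 are benign.
SAMPLE_EVENTS = [
    {"type": "image_load", "exe": "/usr/bin/python",
     "image": "/System/Library/PrivateFrameworks/Admin.framework/Admin"},
    {"type": "image_load", "exe": "/System/Library/CoreServices/SomeSystemAgent",  # placeholder system binary
     "image": "/System/Library/PrivateFrameworks/SystemAdministration.framework/SystemAdministration"},
    {"type": "exec", "exe": "/bin/sh",
     "argv": ["sh", "-c", "groups | grep -wq admin && echo true"]},
    {"type": "file_create", "user": "alice", "path": "/.Trashes/XyZwQrSt", "mode": 0o104777},
    {"type": "exec", "exe": "/usr/bin/python",
     "argv": ["python", "/.Trashes/AbCdEfGh", "/.Trashes/XyZwQrSt", "/.Trashes/XyZwQrSt"]},
    {"type": "exec", "exe": "/usr/bin/python", "argv": ["python", "/Users/alice/report.py"]},
]

if __name__ == "__main__":
    for index, rule in scan(SAMPLE_EVENTS):
        print(f"event {index}: {rule}")
```

Each rule is deliberately narrow and maps back to one bullet, so a hit can be triaged against the quoted indicator; in production the `SYSTEM_PREFIXES` allowlist and the python-binary match would be replaced by code-signing and process-ancestry checks from the telemetry source.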

CVSS provenance

nvd        v3.1   7.8   HIGH   CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
nvd        v2.0   7.2   HIGH   AV:L/AC:L/Au:N/C:C/I:C/A:C
vulncheck         7.8   HIGH
cisa              7.8   HIGH