CVE-2015-3704
Published: 2015-07-03
Priority: P2 · 58 · critical · CVSS 2.0 base score 9.3 (AV:N/AC:M/Au:N/C:C/I:C/A:C)
Exploit: public exploit code referenced (Exploit-DB, Packet Storm) · EPSS: 9.30% (94.7th percentile)
runner in Install.framework in the Install Framework Legacy subsystem in Apple OS X before 10.10.4 does not properly drop privileges, which allows attackers to execute arbitrary code in a privileged context via a crafted app.
Affected (2 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| apple | mac_os_x | <= 10.10.3 | 10.10.4 / Security Update 2015-005 |
| apple | os_x_yosemite_v10.10.4_and_security_update_2015-005 | — | — |
Detection & IOCs (extracted from sources)
Detection opportunities:
- Monitor for the suid-root binary 'runner' being executed by non-root/non-system processes, especially when it spawns child processes with euid 0.
- Detect calls to the 'setExternalAuthorizationRef' method on the IFInstallRunner Distributed Object with a malformed/short auth_ref (e.g., an all-'A' byte sequence) that make AuthorizationCreateFromExternalForm fail, leaving euid=0 without a valid authorization reference.
- Alert on a 'runner' process spawning network-listening shells (e.g., bind shells via NSTask/runTaskSecurely) with euid 0, particularly on localhost ports.
- Look for the syslog message 'Fatal error: unable to internalize authorization reference.' as an indicator that the error path in setExternalAuthorizationRef was triggered; this is the exact condition that leaves the privilege state machine out of sync.
- Monitor Distributed Objects (DO) namespace registrations by processes spawned from /System/Library/PrivateFrameworks/Install.framework/Resources/runner, particularly names composed of pid + time() + random().
Exploitation prerequisites and caveats:
- The privilege escalation only works if the attacker can interact with the runner binary's Distributed Object interface. The initial euid drop (seteuid(getuid())) is performed correctly, but the error path in setExternalAuthorizationRef fails to re-drop privileges, so the bug is exploitable only after that specific error condition is triggered.
- The exploit requires the attacker to first provide a name via stdin to NSConnection rootProxyForConnectionWithRegisteredName before the IFInstallRunner DO is set up; local access to the machine is a prerequisite.
- The fix is present in OS X Yosemite v10.10.4 and Security Update 2015-005; systems running earlier versions remain vulnerable.
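The indicators above are strongest when correlated: a euid-0 child of 'runner' is normal for a legitimate install that presented a valid authorization reference, but a euid-0 child spawned after the same runner pid logged the 'unable to internalize authorization reference' error is the exploit chain itself. The following Python is an added example of that correlation; it is not code from Apple, from the advisory, or from the referenced exploit. The key=value telemetry format, the field names (ts, type, pid, ppid, uid, euid, path, msg) and the sample lines are constructed for illustration; a real endpoint sensor emits different fields and would need its own parser.

```python
"""Correlate CVE-2015-3704 indicators: runner exec -> fatal auth error -> euid-0 child.

Added example, not from Apple or the referenced sources. The log format below
is hypothetical; only the runner path and the syslog text come from the analysis.
"""
import shlex
from typing import Dict, List

# suid-root helper named in the advisory analysis
RUNNER_PATH = "/System/Library/PrivateFrameworks/Install.framework/Resources/runner"
# syslog text emitted on the failing path of setExternalAuthorizationRef
FATAL_MSG = "Fatal error: unable to internalize authorization reference."
# shells an attacker would hand to runTaskSecurely (assumption; extend as needed)
SHELLS = {"/bin/sh", "/bin/bash", "/bin/zsh"}

# Constructed telemetry (not real macOS logs). 'exec' records carry
# pid/ppid/uid/euid/path; 'syslog' records carry pid/msg.
SAMPLE_LINES = [
    "ts=1 type=exec pid=400 ppid=1 uid=501 euid=501 path=/usr/bin/python",
    "ts=2 type=exec pid=501 ppid=400 uid=501 euid=0 path=" + RUNNER_PATH,
    'ts=3 type=syslog pid=501 msg="' + FATAL_MSG + '"',
    "ts=4 type=exec pid=502 ppid=501 uid=501 euid=0 path=/bin/sh",
    # second runner: no error path, ordinary privileged child
    "ts=5 type=exec pid=600 ppid=1 uid=502 euid=0 path=" + RUNNER_PATH,
    "ts=6 type=exec pid=601 ppid=600 uid=502 euid=0 path=/usr/sbin/installer",
    'ts=7 type=syslog pid=999 msg="unrelated noise"',
]


def parse_line(line: str) -> Dict[str, str]:
    """Split 'k=v k="quoted v"' into a dict; shlex handles the quoting."""
    fields: Dict[str, str] = {}
    for tok in shlex.split(line):
        key, _, val = tok.partition("=")
        fields[key] = val
    return fields


def detect(lines: List[str]) -> List[Dict[str, object]]:
    """Return alerts in timestamp order, one per suspicious event."""
    runner_uid: Dict[int, int] = {}   # runner pid -> real uid that launched it
    tainted: set = set()              # runner pids that hit the fatal error path
    alerts: List[Dict[str, object]] = []
    events = sorted((parse_line(ln) for ln in lines), key=lambda e: int(e["ts"]))
    for ev in events:
        pid = int(ev["pid"])
        if ev["type"] == "syslog":
            # the error path is only interesting when a known runner logged it
            if FATAL_MSG in ev["msg"] and pid in runner_uid:
                tainted.add(pid)
                alerts.append({"severity": "medium", "pid": pid,
                               "reason": "runner hit setExternalAuthorizationRef error path"})
        elif ev["type"] == "exec":
            if ev["path"] == RUNNER_PATH:
                runner_uid[pid] = int(ev["uid"])
                continue
            ppid = int(ev["ppid"])
            if ppid not in runner_uid or int(ev["euid"]) != 0:
                continue
            if runner_uid[ppid] == 0:
                continue  # root launched runner; a euid-0 child is unremarkable
            if ppid in tainted:
                sev, why = "high", "euid-0 child after failed auth internalisation"
            elif ev["path"] in SHELLS:
                sev, why = "medium", "runner spawned a shell as euid 0"
            else:
                sev, why = "low", "runner child running as euid 0"
            alerts.append({"severity": sev, "pid": pid, "ppid": ppid,
                           "path": ev["path"], "reason": why})
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LINES):
        print(alert)
```

On the sample data the first runner (pid 501) produces a medium alert for the fatal message and a high alert for the /bin/sh child it spawns afterwards with euid 0, while the second runner (pid 600) only produces a low alert for its privileged child, because it never logged the error. The tiering reflects the caveat above: euid 0 in a runner child is expected after a valid authorization, so the syslog line is what turns an ordinary event into evidence of the bug being triggered.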
GHSA
GHSA-jjfm-cmgw-492m: runner in Install (GitHub Advisory, unreviewed, published 2022-05-17, severity HIGH)
Apple
CVE-2015-3704: OS X Yosemite v10.10.4 and Security Update 2015-005 (vendor advisory, CVSS 9.3, CRITICAL)
Apple Security Update: About the security content of OS X Yosemite v10.10.4 and Security Update 2015-005 (HT204942)
Product: OS X Yosemite v10.10.4 and Security Update 2015-005
CVE: CVE-2015-3704
Component: Install Framework Legacy
No detection rules found.
No writeups or analysis indexed.
References:
- Apple security-announce: http://lists.apple.com/archives/security-announce/2015/Jun/msg00002.html
- Apple HT204942: http://support.apple.com/kb/HT204942
- Packet Storm (OS X Privilege Escalation): http://packetstormsecurity.com/files/133547/OS-X-Privilege-Escalation.html
- Exploit-DB 38138: https://www.exploit-db.com/exploits/38138/
- SecurityFocus BID 75493: http://www.securityfocus.com/bid/75493
- SecurityTracker 1032760: http://www.securitytracker.com/id/1032760