cbcvebase.
CVE-2015-3704
published 2015-07-03


Priority: P2 (58) · critical
CVSS 2.0: 9.3 (AV:N/AC:M/Au:N/C:C/I:C/A:C)
EXPLOIT
EPSS: 9.30% (94.7th percentile)
runner in Install.framework in the Install Framework Legacy subsystem in Apple OS X before 10.10.4 does not properly drop privileges, which allows attackers to execute arbitrary code in a privileged context via a crafted app.

Affected

2 ranges
Vendor | Product | Version range | Fixed in
apple | mac_os_x | <= 10.10.3 |
apple | os_x_yosemite_v10.10.4_and_security_update_2015-005 | |

Detection & IOCs (extracted from sources)

path: /System/Library/PrivateFrameworks/Install.framework/Resources/runner
command: seteuid(0); setegid(0);
  • Monitor for the suid-root binary 'runner' being executed by non-root/non-system processes, especially when spawning child processes with euid 0.
  • Detect calls to the 'setExternalAuthorizationRef' method on IFInstallRunner Distributed Object with a malformed/short auth_ref (e.g., all-'A' byte sequences) that cause AuthorizationCreateFromExternalForm to fail, leaving euid=0 without a valid auth reference.
  • Alert on 'runner' process spawning network-listening shells (e.g., bind shells via NSTask/runTaskSecurely) with euid 0, particularly on localhost ports.
  • Look for the syslog message 'Fatal error: unable to internalize authorization reference.' as an indicator that the error path in setExternalAuthorizationRef was triggered — this is the exact condition that leaves the privilege state machine out-of-sync.
  • Monitor Distributed Objects (DO) namespace registrations by processes spawned from /System/Library/PrivateFrameworks/Install.framework/Resources/runner, particularly names composed of pid + time() + random().
  • The privilege escalation only works if the attacker can interact with the runner binary's Distributed Object interface; the initial euid drop (seteuid(getuid())) is correctly performed, but the error path in setExternalAuthorizationRef fails to re-drop privileges, making the bug exploitable only after that specific error condition is triggered.
  • The exploit requires the attacker to first provide a name via stdin to NSConnection rootProxyForConnectionWithRegisteredName before the IFInstallRunner DO is set up; local access to the machine is a prerequisite.
  • The fix is present in OS X Yosemite v10.10.4 and Security Update 2015-005; systems running earlier versions remain vulnerable.
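The detection bullets above combine three signals: the suid-root `runner` binary launched by a regular user, a euid-0 child process under it, and the syslog string from the failed `setExternalAuthorizationRef` path. The script below is an added example (not from this record's sources or from Apple) that correlates those three indicators over constructed process-exec events and syslog lines. The `ProcEvent` record, the sample data, and the assumption that uids below 500 are system accounts are all mine; the runner path and the fatal-error message are taken from the record.

```python
"""Correlate CVE-2015-3704 indicators from process events and syslog (constructed example)."""
import re
from dataclasses import dataclass

# Indicators copied from the CVE record above.
RUNNER_PATH = "/System/Library/PrivateFrameworks/Install.framework/Resources/runner"
FATAL_MSG = "Fatal error: unable to internalize authorization reference."

# Assumption: on OS X, uids below 500 belong to system accounts; interactive users start at 501.
FIRST_USER_UID = 500

# Classic BSD syslog line: "Jul  3 10:15:02 host proc[pid]: message"
SYSLOG_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) (?P<proc>[^\[]+)\[(?P<pid>\d+)\]: (?P<msg>.*)$"
)


@dataclass(frozen=True)
class ProcEvent:
    """Hypothetical process-exec record (e.g. from an EDR agent)."""
    pid: int
    ppid: int
    uid: int    # real uid of the process owner
    euid: int   # effective uid after exec; 0 for a suid-root binary
    path: str


def runner_pids_started_by_users(events):
    """Bullet 1: runner executed with a non-system real uid."""
    return {e.pid for e in events if e.path == RUNNER_PATH and e.uid >= FIRST_USER_UID}


def privileged_children(events, parent_pids):
    """Bullets 1 and 3: children of the given pids that run with euid 0."""
    return [e for e in events if e.ppid in parent_pids and e.euid == 0]


def fatal_auth_pids(syslog_lines):
    """Bullet 4: runner pids that logged the failed-internalization message."""
    pids = set()
    for line in syslog_lines:
        m = SYSLOG_RE.match(line)
        if m and m.group("proc") == "runner" and m.group("msg").strip() == FATAL_MSG:
            pids.add(int(m.group("pid")))
    return pids


def correlate(events, syslog_lines):
    """Emit one alert per suspicious runner pid; severity rises when all three signals agree."""
    suspects = runner_pids_started_by_users(events)
    children = privileged_children(events, suspects)
    fatal = fatal_auth_pids(syslog_lines)
    alerts = []
    for pid in sorted(suspects):
        reasons = ["runner launched by non-system user"]
        kids = [c for c in children if c.ppid == pid]
        if kids:
            reasons.append("spawned euid-0 child: " + ", ".join(c.path for c in kids))
        if pid in fatal:
            reasons.append("syslog: " + FATAL_MSG)
        severity = "high" if len(reasons) == 3 else "medium"
        alerts.append({"pid": pid, "severity": severity, "reasons": reasons})
    return alerts


# Constructed sample data: user 501 launches runner from Terminal, runner hits the error
# path and then spawns a root shell; a root-launched runner (pid 5000) is the benign baseline.
SAMPLE_EVENTS = [
    ProcEvent(pid=4000, ppid=1, uid=501, euid=501, path="/Applications/Utilities/Terminal.app/Contents/MacOS/Terminal"),
    ProcEvent(pid=4242, ppid=4000, uid=501, euid=0, path=RUNNER_PATH),
    ProcEvent(pid=4300, ppid=4242, uid=501, euid=0, path="/bin/sh"),
    ProcEvent(pid=5000, ppid=1, uid=0, euid=0, path=RUNNER_PATH),
    ProcEvent(pid=5001, ppid=5000, uid=0, euid=0, path="/usr/bin/true"),
]
SAMPLE_SYSLOG = [
    "Jul  3 10:15:02 mac runner[4242]: Fatal error: unable to internalize authorization reference.",
    "Jul  3 10:15:03 mac installd[77]: PackageKit: Installed \"Example.pkg\"",
]

if __name__ == "__main__":
    for alert in correlate(SAMPLE_EVENTS, SAMPLE_SYSLOG):
        print(alert)
```

A runner launched by a regular user is only a medium-confidence signal on its own, since legitimate installers invoke it; the fatal-error syslog line plus a euid-0 child under that same pid is what distinguishes the failed re-drop path from normal use, so the example upgrades to high only when all three agree on the same pid.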