CVE-2015-5754
Published: 2015-08-17
Priority: P2 · 58 · critical · CVSS 2.0 base score 9.3
CVSS 2.0 vector: AV:N/AC:M/Au:N/C:C/I:C/A:C
Exploit: available
EPSS: 7.42% (93.7th percentile)
Race condition in runner in Install.framework in the Install Framework Legacy component in Apple OS X before 10.10.5 allows attackers to execute arbitrary code in a privileged context via a crafted app that leverages incorrect privilege dropping associated with a locking error.
Affected (2 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| apple | mac_os_x | <= 10.10.4 | — |
| apple | os_x_yosemite_v10.10.5_and_security_update_2015-006 | — | — |
Detection & IOCs (extracted from sources)
- Monitor for multiple simultaneous Distributed Objects connections to IFInstallRunner, which is the exploitation primitive for this race condition.
- Alert on unexpected privilege escalation (euid 0) in processes connected via Distributed Objects to the Install.framework runner SUID binary without a valid authorization reference.
- Detect calls to runTaskSecurely from a non-privileged process context via the Install.framework runner, especially when a root shell is spawned as a child process.
- Flag execution of the Install.framework SUID root runner binary (runner) by unprivileged processes, particularly when invoked with crafted arguments or from unexpected parent processes.
- Exploitation requires macOS versions prior to OS X Yosemite 10.10.5; systems patched with OS X Yosemite v10.10.5 or Security Update 2015-006 are not vulnerable.
- The race condition is process-level (BSD privileges are per-process), so exploitation requires the attacker to win a timing window between seteuid(0) and privilege drop within the same process.
- The PoC must be built from source using the provided Makefile and run with the full path to a localhost shell, meaning pre-built binaries are not distributed; detection should account for local compilation artifacts.
Apple
CVE-2015-5754: OS X Yosemite v10.10.5 and Security Update 2015-006
vendor_apple · CVSS 9.3 · [CRITICAL]
Apple Security Update: About the security content of OS X Yosemite v10.10.5 and Security Update 2015-006
Product: OS X Yosemite v10.10.5 and Security Update 2015-006
CVE: CVE-2015-5754
GHSA
GHSA-hh9w-r9fj-gh4v: Race condition in runner in Install
ghsa_unreviewed · 2022-05-17 · [HIGH] · CWE-362
Project Zero
Revisiting Apple IPC: (1) Distributed Objects - Project Zero
project_zero · 2015-09-01
Posted by Ian Beer of Google Project Zero
Earlier this year I gave a talk at the inaugural Jailbreak Security Summit entitled Auditing and Exploiting Apple IPC [ slides | video ]. As part of my research for that talk I wanted to find at least one bug involving each of the available IPC mechanisms on OS X/iOS; many of which remain unexplored and poorly-documented from a security perspective.
In the end I was only able to speak about three distinct bugs (involving XPC, MIG and raw mach messages) as the other bugs I’d found were still unpatched when I gave the talk. Apple have since fixed these remaining issues and in this short series of blog posts I’ll discuss in more depth some of these more obscure IPC mechanisms and exploit some more bugs.
In this first post we’ll look at a series of
No detection rules found.
No writeups or analysis indexed.
References:
- http://lists.apple.com/archives/security-announce/2015/Aug/msg00001.html
- http://packetstormsecurity.com/files/133550/OS-X-Suid-Privilege-Escalation.html
- http://www.securityfocus.com/bid/76340
- http://www.securitytracker.com/id/1033276
- https://support.apple.com/kb/HT205031
- https://www.exploit-db.com/exploits/38136/