CVE-2015-5784
published 2015-08-17


Priority: P2 (59)
Severity: critical, CVSS 2.0 base score 9.3 (AV:N/AC:M/Au:N/C:C/I:C/A:C)
Exploit: public exploit available
EPSS: 9.03% (94.6th percentile)
runner in Install.framework in the Install Framework Legacy component in Apple OS X before 10.10.5 does not properly drop privileges, which allows attackers to execute arbitrary code in a privileged context via a crafted app.

Affected (2 ranges)

Vendor   Product                                               Version range   Fixed in
apple    mac_os_x                                              <= 10.10.4
apple    os_x_yosemite_v10.10.5_and_security_update_2015-006

Detection & IOCs (extracted from sources)

path: /System/Library/PrivateFrameworks/Install.framework/Resources/runner
url: https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/38137.zip
filename: as_root_okay_then_poc
filename: as_root_okay_then_poc.m
  • Monitor processes spawned by the setuid-root binary 'runner' at the Install.framework path for unexpected privilege escalation or Distributed Objects (DO) IPC with external callers.
  • Detect calls to the IFInstallRunner Distributed Object method [IFInstallRunner makeReceiptDirAt:asRoot:] with asRoot set to 1 from unprivileged processes; this triggers privileged mkdir/chown/unlink operations.
  • Alert on unexpected mkdir, chown (to root:admin) or unlink syscalls originating from the runner process (euid==0) on paths outside the normal install receipt directories, especially under /tmp.
  • Look for root-owned temporary directories created in /tmp by the runner process, a side-effect artifact of the exploit.
  • Detect the presence or execution of the PoC binary 'as_root_okay_then_poc' or its source file 'as_root_okay_then_poc.m' on macOS systems.
  • The chown primitive sets ownership to root:admin (not root:root). Since regular macOS users are members of the admin group, this grants the attacker access to files that previously belonged to a different group; detection should flag unexpected chown-to-admin-group events on sensitive paths.
  • The vulnerability is fixed in OS X Yosemite v10.10.5 and Security Update 2015-006. Systems running OS X prior to 10.10.5 remain vulnerable.