CVE-2015-5784
Published: 2015-08-17
Priority: P2 (59), critical
CVSS 2.0 base score: 9.3 (AV:N/AC:M/Au:N/C:C/I:C/A:C)
Exploit: yes
EPSS: 9.03% (94.6th percentile)
runner in Install.framework in the Install Framework Legacy component in Apple OS X before 10.10.5 does not properly drop privileges, which allows attackers to execute arbitrary code in a privileged context via a crafted app.
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| apple | mac_os_x | <= 10.10.4 | — |
| apple | os_x_yosemite_v10.10.5_and_security_update_2015-006 | — | — |
Detection & IOCs (extracted from sources)
- Monitor for processes spawned by the suid-root binary 'runner' at the Install.framework path that exhibit unexpected privilege escalation or invoke Distributed Objects (DO) IPC with external callers.
- Detect calls to the IFInstallRunner Distributed Object method [IFInstallRunner makeReceiptDirAt:asRoot:] with asRoot set to 1 from unprivileged processes, which triggers privileged mkdir/chown/unlink operations.
- Alert on unexpected mkdir, chown (to root:admin), or unlink syscalls originating from the runner process (euid==0) on paths outside of normal install receipt directories, especially under /tmp.
- Look for root-owned temporary directories created in /tmp by the runner process, which is a side-effect artifact of the exploit.
- Detect the presence or execution of the PoC binary 'as_root_okay_then_poc' or source file 'as_root_okay_then_poc.m' on macOS systems.
- The chown primitive sets ownership to root:admin (not root:root). Since regular macOS users are members of the admin group, this grants the attacker access to files previously belonging to a different group; detection should flag unexpected chown-to-admin-group events on sensitive paths.
- The vulnerability is fixed in OS X Yosemite v10.10.5 and Security Update 2015-006. Systems running OS X prior to 10.10.5 remain vulnerable.
Apple (vendor advisory, CVSS 9.3)
CVE-2015-5784 [CRITICAL]: OS X Yosemite v10.10.5 and Security Update 2015-006
Apple Security Update: About the security content of OS X Yosemite v10.10.5 and Security Update 2015-006
Product: OS X Yosemite v10.10.5 and Security Update 2015-006
CVE: CVE-2015-5784
GHSA (unreviewed, 2022-05-17)
GHSA-55gf-97v8-5hw3 [HIGH]: runner in Install
Description: same as the CVE description above (runner in Install.framework in the Install Framework Legacy component in Apple OS X before 10.10.5 does not properly drop privileges).
Project Zero (2015-09-01)
CVE-2015-5754 Revisiting Apple IPC: (1) Distributed Objects - Project Zero
Posted by Ian Beer of Google Project Zero
Earlier this year I gave a talk at the inaugural Jailbreak Security Summit entitled Auditing and Exploiting Apple IPC [ slides | video ]. As part of my research for that talk I wanted to find at least one bug involving each of the available IPC mechanisms on OS X/iOS; many of which remain unexplored and poorly-documented from a security perspective.
In the end I was only able to speak about three distinct bugs (involving XPC, MIG and raw mach messages) as the other bugs I’d found were still unpatched when I gave the talk. Apple have since fixed these remaining issues and in this short series of blog posts I’ll discuss in more depth some of these more obscure IPC mechanisms and exploit some more bugs.
In this first post we’ll look at a series of
No detection rules found.
No writeups or analysis indexed.
References:
- http://lists.apple.com/archives/security-announce/2015/Aug/msg00001.html
- http://www.securityfocus.com/bid/76340
- http://www.securitytracker.com/id/1033276
- https://support.apple.com/kb/HT205031
- https://www.exploit-db.com/exploits/38137/