CVE-2015-7007
Published 2015-10-23
Priority: P2 · 63 · high · 7.5 (CVSS 2.0)
CVSS vector: AV:N/AC:L/Au:N/C:P/I:P/A:P
EXPLOIT
EPSS: 53.34% (98.9th percentile)
Script Editor in Apple OS X before 10.11.1 allows remote attackers to bypass an intended user-confirmation requirement for AppleScript execution via unspecified vectors.
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| apple | mac_os_x | <= 10.11.0 | — |
| apple | os_x_el_capitan_10.11.1_security_update_2015-004_yosemite_and_security_update_20 | — | — |
Detection & IOCs (extracted from sources)
- Monitor for use of the applescript:// URL scheme being invoked from a browser process (e.g., Safari), particularly with the 'action=new&script=' parameter, which is the delivery mechanism for this exploit.
- Detect JavaScript hooking of the cmd-key (keyCode 91) keydown event in browser pages, which is used to redirect the user to the malicious applescript:// URL upon pressing cmd-R.
- Alert on Script Editor being launched from Safari or a browser process, followed immediately by a 'killall Script Editor' shell command, which is characteristic of the exploit's payload delivery.
- Look for base64-encoded payloads piped to /bin/sh via AppleScript's 'do shell script' command, a pattern used by this exploit to execute arbitrary code.
- The Metasploit module targets Safari on Mac OS X specifically; browser User-Agent filtering for Safari on OS X combined with applescript:// navigation is a strong signal.
- The default payload used is cmd/unix/reverse_python; monitor for outbound Python-based reverse shell connections from Script Editor or child processes on macOS.
- The exploit requires user interaction: the victim must press cmd-R in Safari while the malicious page is open. The attack hooks the cmd-key keydown event to trigger the applescript:// redirect, making it user-assisted rather than fully drive-by.
- Gatekeeper must be disabled on the target system for the exploit to work without triggering an 'unidentified developer' prompt, limiting effectiveness on default-configured systems.
- The default lure text displayed to the victim is 'This page has failed to load. Press cmd-R to refresh.', which defenders can use as a content-based detection string in web proxies or endpoint monitoring.
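
The checks listed above can be combined into a small triage routine. The following is an added example, not code from this page or from the Metasploit project; the event field names, the `BROWSERS` set, the regular expression for the base64-to-shell pattern, and the sample URL host and payload are all assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

BROWSERS = {"Safari"}  # assumed parent-process names in the telemetry
LURE = "This page has failed to load. Press cmd-R to refresh."
# Assumed layout of the "base64 piped to /bin/sh" pattern named above.
B64_TO_SH = re.compile(r"base64\b[^|]*\|\s*(?:/bin/)?sh\b")

def url_signals(url):
    """Signals from a navigation target: applescript:// with action=new&script=."""
    parts = urlsplit(url)
    if parts.scheme.lower() != "applescript":
        return []
    hits = ["applescript-url"]
    query = parse_qs(parts.query)  # also percent-decodes the script text
    if query.get("action") == ["new"] and "script" in query:
        hits.append("action-new-script")
        script = query["script"][0]
        if "do shell script" in script:
            hits.append("do-shell-script")
        if B64_TO_SH.search(script):
            hits.append("base64-to-sh")
    return hits

def process_signals(events):
    """Script Editor started by a browser, then a 'killall Script Editor'."""
    hits, editor_seen = [], False
    for ev in events:
        cmd = ev["cmdline"].replace('"', "").replace("'", "")
        if ev["process"] == "Script Editor" and ev["parent"] in BROWSERS:
            hits.append("script-editor-from-browser")
            editor_seen = True
        elif editor_seen and "killall Script Editor" in cmd:
            hits.append("killall-after-launch")
    return hits

def body_signals(html):
    """Content match on the module's default lure text."""
    return ["lure-text"] if LURE in html else []

# Constructed samples (not captured traffic); host and payload are placeholders.
SAMPLE_URL = ("applescript://host.example?action=new&script=do%20shell%20script%20"
              "%22echo%20CONSTRUCTED%20%7C%20base64%20-D%20%7C%20%2Fbin%2Fsh%22")
SAMPLE_EVENTS = [
    {"parent": "Safari", "process": "Script Editor", "cmdline": "Script Editor"},
    {"parent": "Script Editor", "process": "sh", "cmdline": 'killall "Script Editor"'},
]

if __name__ == "__main__":
    print(url_signals(SAMPLE_URL), process_signals(SAMPLE_EVENTS))
```

The lure text is only the module's default, so a `body_signals` miss says nothing about a customised page; the URL and process-lineage signals are the ones that do not depend on attacker-chosen strings.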
GHSA
GHSA-89c9-qj32-x5pr: Script Editor in Apple OS X before 10
ghsa_unreviewed · 2022-05-17
Script Editor in Apple OS X before 10.11.1 allows remote attackers to bypass an intended user-confirmation requirement for AppleScript execution via unspecified vectors.
Apple
CVE-2015-7007: OS X El Capitan 10.11.1, Security Update 2015-004 Yosemite, and Security Update 2015-007 Mavericks
vendor_apple · CVSS 7.5
Apple Security Update: About the security content of OS X El Capitan 10.11.1, Security Update 2015-004 Yosemite, and Security Update 2015-007 Mavericks
Product: OS X El Capitan 10.11.1, Security Update 2015-004 Yosemite, and Security Update 2015-007 Mavericks
CVE: CVE-2015-7007
Component: CVE-ID
No detection rules found.
Exploit-DB
Apple Safari - User-Assisted Applescript Exec Attack (Metasploit)
exploitdb · 2015-10-26
---
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
class Metasploit3 'Safari User-Assisted Applescript Exec Attack',
'Description' => %q{
In versions of Mac OS X before 10.11.1, the applescript:// URL
scheme is provided, which opens the provided script in the Applescript
Editor. Pressing cmd-R in the Editor executes the code without any
additional confirmation from the user. By getting the user to press
cmd-R in Safari, and by hooking the cmd-key keypress event, a user
can be tricked into running arbitrary Applescript code.
Gatekeeper should be disabled from Security & Privacy in order to
avoid the unidentified D
Metasploit
Safari User-Assisted Applescript Exec Attack
metasploit
In versions of Mac OS X before 10.11.1, the applescript:// URL scheme is provided, which opens the provided script in the Applescript Editor. Pressing cmd-R in the Editor executes the code without any additional confirmation from the user. By getting the user to press cmd-R in Safari, and by hooking the cmd-key keypress event, a user can be tricked into running arbitrary Applescript code. Gatekeeper should be disabled from Security & Privacy in order to avoid the unidentified Developer prompt.
No writeups or analysis indexed.
References
- http://lists.apple.com/archives/security-announce/2015/Oct/msg00005.html
- http://packetstormsecurity.com/files/134072/Safari-User-Assisted-Applescript-Exec-Attack.html
- http://www.rapid7.com/db/modules/exploit/osx/browser/safari_user_assisted_applescript_exec
- https://support.apple.com/HT205375
- https://www.exploit-db.com/exploits/38535/