CVE-2015-7007
published 2015-10-23

Priority: P2 (63) · Severity: high · CVSS 2.0 base score: 7.5
CVSS 2.0 vector: AV:N/AC:L/Au:N/C:P/I:P/A:P
Exploit: public exploit available
EPSS: 53.34% (98.9th percentile)
Script Editor in Apple OS X before 10.11.1 allows remote attackers to bypass an intended user-confirmation requirement for AppleScript execution via unspecified vectors.

Affected (2 ranges)

Vendor | Product | Version range | Fixed in
apple | mac_os_x | <= 10.11.0 |
apple | os_x_el_capitan_10.11.1_security_update_2015-004_yosemite_and_security_update_20 | |

Detection & IOCs (extracted from sources)

url:     applescript://com.apple.scripteditor?action=new&script=
command: do shell script "echo <base64> | base64 --decode | /bin/sh"
command: killall "Script Editor"; nohup <payload>
path:    /.Trashes
  • Monitor for the applescript:// URL scheme being invoked from a browser process (e.g. Safari), particularly with the 'action=new&script=' parameters, which is the delivery mechanism for this exploit.
  • Detect JavaScript that hooks the cmd-key (keyCode 91) keydown event in browser pages; the exploit uses it to redirect the user to the malicious applescript:// URL when they press cmd-R.
  • Alert on Script Editor being launched by Safari or another browser process and followed immediately by a 'killall "Script Editor"' shell command, which is characteristic of the exploit's payload delivery.
  • Look for base64-encoded payloads piped to /bin/sh via AppleScript's 'do shell script' command, the pattern this exploit uses to execute arbitrary code.
  • The Metasploit module targets Safari on Mac OS X specifically; a Safari-on-OS-X User-Agent combined with navigation to applescript:// is a strong signal.
  • The default payload is cmd/unix/reverse_python; monitor for outbound Python-based reverse shell connections from Script Editor or its child processes on macOS.
  • The exploit requires user interaction: the victim must press cmd-R in Safari while the malicious page is open. The page hooks the cmd-key keydown event to trigger the applescript:// redirect, making the attack user-assisted rather than fully drive-by.
  • Gatekeeper must be disabled on the target for the exploit to work without triggering an 'unidentified developer' prompt, which limits its effectiveness on default-configured systems.
  • The default lure text shown to the victim is 'This page has failed to load. Press cmd-R to refresh.'; defenders can use it as a content-based detection string in web proxies or endpoint monitoring.
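The detection notes above, turned into runnable logic as an added example (this is not code from the page, from Apple, or from the Metasploit module). It checks three telemetry sources for the IOCs listed: URL navigations (applescript:// with action=new&script=, and a 'do shell script' that pipes base64 to /bin/sh), process events (Script Editor spawned by a browser, then killall "Script Editor" in a shell), and fetched page bodies (the lure text and a keydown hook on keyCode 91). The event dictionary layout, the browser process list and the sample events are all assumptions constructed for the example; the script text in the sample URL is the page's own IOC with a harmless base64 blob.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Browser processes whose applescript:// navigations or Script Editor
# launches are treated as suspicious. Assumed list, extend for your fleet.
BROWSERS = {"Safari", "Google Chrome", "firefox"}

# Default lure string of the Metasploit module, per the detection notes.
LURE_TEXT = "Press cmd-R to refresh"

# do shell script "... | base64 --decode | /bin/sh" inside an AppleScript.
SHELL_PIPE_RE = re.compile(
    r'do shell script\s+"[^"]*base64\s+(?:--decode|-d|-D)[^"]*\|\s*/bin/sh', re.I)
# killall "Script Editor" (quoted or not) in a shell command line.
KILL_RE = re.compile(r'killall\s+"?Script Editor"?', re.I)
# A keydown handler comparing keyCode with 91 (left cmd key in WebKit).
KEYHOOK_RE = re.compile(r"keydown.*?keyCode\s*={2,3}\s*91", re.S)


def parse_applescript_url(url):
    """Return the script text (possibly empty) if url is an applescript://
    URL telling Script Editor to open a new document, otherwise None."""
    parts = urlsplit(url)
    if parts.scheme.lower() != "applescript":
        return None
    if parts.netloc.lower() != "com.apple.scripteditor":
        return None
    q = parse_qs(parts.query, keep_blank_values=True)
    if q.get("action") != ["new"] or "script" not in q:
        return None
    return q["script"][0]


def url_alerts(url_events):
    """Flag applescript:// new-script navigations; escalate when the
    originating process is a browser or the script pipes base64 to /bin/sh."""
    alerts = []
    for ev in url_events:
        script = parse_applescript_url(ev["url"])
        if script is None:
            continue
        severity = "high" if ev["proc"] in BROWSERS else "medium"
        if SHELL_PIPE_RE.search(script):
            severity = "critical"
        alerts.append({"severity": severity, "proc": ev["proc"],
                       "rule": "applescript-new-script-url"})
    return alerts


def process_alerts(proc_events, window=5):
    """Script Editor spawned by a browser, followed within `window` seconds
    by a shell running killall "Script Editor" (the exploit's cleanup step)."""
    alerts = []
    for launch in proc_events:
        if launch["image"] != "Script Editor" or launch["parent"] not in BROWSERS:
            continue
        for ev in proc_events:
            delta = ev["ts"] - launch["ts"]
            if 0 <= delta <= window and KILL_RE.search(ev["cmdline"]):
                alerts.append({"severity": "high",
                               "rule": "script-editor-launch-then-killall",
                               "launch_ts": launch["ts"], "kill_ts": ev["ts"]})
    return alerts


def page_alerts(pages):
    """Content checks on fetched HTML: lure text and cmd-key keydown hook."""
    out = []
    for url, body in pages:
        reasons = []
        if LURE_TEXT in body:
            reasons.append("lure-text")
        if KEYHOOK_RE.search(body):
            reasons.append("cmd-key-hook")
        if reasons:
            out.append((url, reasons))
    return out


# Constructed sample telemetry for the example (not real logs).
URL_EVENTS = [
    {"proc": "Safari", "url": "https://example.test/index.html"},
    {"proc": "Safari", "url": "applescript://com.apple.scripteditor?action=new"
     "&script=do%20shell%20script%20%22echo%20aGVsbG8%3D%20%7C%20base64"
     "%20--decode%20%7C%20%2Fbin%2Fsh%22"},
    {"proc": "Finder", "url": "applescript://com.apple.scripteditor?action=new&script="},
]
PROC_EVENTS = [
    {"ts": 100, "parent": "Safari", "image": "Script Editor",
     "cmdline": "/Applications/Utilities/Script Editor.app/Contents/MacOS/Script Editor"},
    {"ts": 101, "parent": "Script Editor", "image": "sh",
     "cmdline": 'sh -c killall "Script Editor"; nohup python -c "import socket" &'},
    {"ts": 500, "parent": "Finder", "image": "Script Editor",
     "cmdline": "/Applications/Utilities/Script Editor.app/Contents/MacOS/Script Editor"},
    {"ts": 502, "parent": "Terminal", "image": "sh", "cmdline": "sh -c killall Dock"},
]
PAGES = [
    ("https://evil.test/x.html",
     '<p>This page has failed to load. Press cmd-R to refresh.</p>'
     '<script>document.addEventListener("keydown", function (e) {'
     ' if (e.keyCode == 91) { window.location = "applescript://..."; } });</script>'),
    ("https://ok.test/", "<p>hello</p>"),
]

if __name__ == "__main__":
    for alert in url_alerts(URL_EVENTS) + process_alerts(PROC_EVENTS):
        print(alert)
    print(page_alerts(PAGES))
```

The URL check deliberately accepts an empty script parameter: the page's own IOC is the bare `applescript://com.apple.scripteditor?action=new&script=` prefix, and a lure that opens Script Editor at all from a browser is worth a ticket even before the payload is decoded. The process correlation uses a short time window because the exploit's shell runs the killall immediately after Script Editor starts; widen it if your endpoint agent batches events.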