CVE-2015-3704 Detail

CVE-2015-3704

OWSAP

A01-Broken Access Control

EPSS

0.64%V3

Vector

Network

Published

2015-07-02
23h00 +00:00

Modified

2017-09-21
07h57 +00:00

Official links

CVE.org

NVD

Notifications for a CVE

Stay informed of any changes for a specific CVE.

Notifications manage

List of Notifications

Notifications for a CVE

Stay informed of any changes for a specific CVE.

Criteria applied when sending the alert: compared with the last alert sent + differences in CISA, EPSS, CVSS, CWE, Solutions, CPE.

Parameters

You can specify a title that will be retrieved in the alerts that will be sent out.

Specified here a CVE ID as CVE-2025-1234

Planning

Month

Next run calculation

Day

Weekday

Hour

Minute

Creation date

Last execution

Next execution

Functionality requiring a connection

This feature, which allows you to receive alerts, is only active when you are logged into your account.

CVE Descriptions

runner in Install.framework in the Install Framework Legacy subsystem in Apple OS X before 10.10.4 does not properly drop privileges, which allows attackers to execute arbitrary code in a privileged context via a crafted app.

CVE Informations

Related Weaknesses

CWE-ID	Weakness Name	Source
CWE-264	Category : Permissions, Privileges, and Access Controls Weaknesses in this category are related to the management of permissions, privileges, and other security features that are used to perform access control.

Metrics

Metrics	Score	Severity	CVSS Vector	Source
V2	9.3		AV:N/AC:M/Au:N/C:C/I:C/A:C	[email protected]

EPSS

EPSS is a scoring model that predicts the likelihood of a vulnerability being exploited.

EPSS Score

The EPSS model produces a probability score between 0 and 1 (0 and 100%). The higher the score, the greater the probability that a vulnerability will be exploited.

EPSS Percentile

The percentile is used to rank CVE according to their EPSS score. For example, a CVE in the 95th percentile according to its EPSS score is more likely to be exploited than 95% of other CVE. Thus, the percentile is used to compare the EPSS score of a CVE with that of other CVE.

EPSS First.org

Exploit information

Exploit Database EDB-ID : 38138

Publication date : 2015-09-09 22h00 +00:00
Author : Google Security Research
EDB Verified : Yes

Source: https://code.google.com/p/google-security-research/issues/detail?id=314 The private Install.framework has a few helper executables in /System/Library/PrivateFrameworks/Install.framework/Resources, one of which is suid root: -rwsr-sr-x 1 root wheel 113K Oct 1 2014 runner Taking a look at it we can see that it's vending an objective-c Distributed Object :) [ https://developer.apple.com/library/mac/documentation/Cocoa/Conceptual/DistrObjects/DistrObjects.html ] The main function immediately temporarily drops privs doing seteuid(getuid()); setegid(getgid()); then reads line from stdin. It passes this to NSConnection rootProxyForConnectionWithRegisteredName to lookup that name in the DO namespace and create a proxy to connect to it via. It then allocates an IFInstallRunner which in its init method vends itself using a name made up of its pid, time() and random() It then calls the setRunnerConnectionName method on the proxy to tell it the IFInstallRunner's DO name so that whoever ran the runner can connect to the IFInstallRunner. The IFRunnerMessaging protocol tells us the methods and prototypes of the remote methods we can invoke on the IFInstallRunner. Most of the methods begin with a call to processKey which will set the euid back to root if the process can provide a valid admin authorization reference from authd (I'm not totally sure how that bit works yet, but it's not important for the bug.) Otherwise the euid will remain equal to the uid and the methods (like movePath, touchPath etc) will only run with the privs of the user. The methods then mostly end with a call to restoreUIDs which will drop back to euid==uid if we did temporarily regain root privs (with the auth ref.) Not all methods we can invoke are like that though... IFInstallRunner setExternalAuthorizationRef calls seteuid(0);setegid(0); to regain root privs without requiring any auth. It then calls AuthorizationCreateFromExternalForm passing the bytes of an NSData we give it. If that call doesn't return 0 then the error branch calls syslog with the string: "Fatal error: unable to internalize authorization reference." but there's actually nothing fatal, it just returns from the method, whereas the success branch goes on to restore euid and egid, which means that if we can get AuthorizationCreateFromExternalForm to fail then we can get the priv dropping-regaining state machine out-of-sync :) Getting AuthorizationCreateFromExternalForm to fail is trivial, just provide a malformed auth_ref (like "AAAAAAAAAAAAAAAAAAA" ) Now the next method we invoke will run with euid 0 even without having the correct auth ref :) This PoC first calls setBatonPath to point the baton executable path to a localhost bind-shell then triggers the bug and calls runTaskSecurely which will create an NSTask and launch the bind-shell with euid 0 :) We can then just nc to it and get a root shell tl;dr: the error path in setExternalAuthorizationRef should either be fatal or drop privs! Make sure you have the latest xcode installed and run the get_shell.sh script to build and run the PoC. Proof of Concept: https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/38138.zip