CVE-2015-5784 : Detail

The EPSS model produces a probability score between 0 and 1 (0 and 100%). The higher the score, the greater the probability that a vulnerability will be exploited.

The percentile is used to rank CVE according to their EPSS score. For example, a CVE in the 95th percentile according to its EPSS score is more likely to be exploited than 95% of other CVE. Thus, the percentile is used to compare the EPSS score of a CVE with that of other CVE.

Source: https://code.google.com/p/google-security-research/issues/detail?id=477 Install.framework has a suid root binary here: /System/Library/PrivateFrameworks/Install.framework/Resources/runner This binary vends the IFInstallRunner Distributed Object, which has the following method: [IFInstallRunner makeReceiptDirAt:asRoot:] If you pass 1 for asRoot, then this code will treat the makeReceiptDirAt string as a path and make two directories (Library/Receipts) below it. At first glance this code looks immediately racy and no doubt we could play some symlink tricks to get arbitrary directories created, but, on second glance, we can do a lot more! This code is using distributed objects which is a "transparent" IPC mechanism: what this means in practise is that not only can I call methods on the IFInstallRunner object running in the suid root process, but I can also pass it objects from my process; when the suid root process then tries to call methods on those object this will actually result in callbacks into my process :) In this case rather than just passing an NSString as the makeReceiptDirAt parameter I create and pass an instance of my own class "InitialPathObject" which behaves a bit like a string but gives me complete control over its behaviour from my process. By creating a couple of this custom classes and implementing various methods we can reach calls to mkdir, chown and unlink with euid == 0. We can completely control the string passed to mkdir and unlink. In the chown case the code will chown our controlled path to root:admin; regular os x users are members of the admin group which means that this will give the user access to files which previously belonged to a different group. To hit the three actions (mkdir, chown and unlink) with controlled arguments we need to override various combinations of selectors and fail at the right points: InitialPathObject = the object we pass to the makeReceiptDirAt selector overrides: - stringByAppendingPathComponent * will be called twice: * first time: return an NSString* pointing to a non-existant file * second time: return SecondFakeStringObject SecondFakeStringObject = returned by the second call to stringByAppendingPathComponent overrides: - length * will be called by the NSFileManager? * return length of path to non-existant file - getCharacters: * will be called by the NSFileManager? * return character of the non-existant file path - fileSystemRepresentation * for MKDIR: * first time: return char* of the target path * second time: return char* to non-existant file * third time: return char* to non-existant file * for CHOWN: * first time: return char* of temporary directory to create and ignore * second time: return char* of target path * for UNLINK: * first time: return char* of temporary directory to create and ignore * second time: return char* to non-existant file * third time: return char* to path to unlink - stringByAppendingPathComponent: * for MKDIR: * not called * for CHOWN: * return NSString* pointing to file which does exist // to bail out before creating /Receipts * for UNLINK * not called build: clang -o as_root_okay_then_poc as_root_okay_then_poc.m -framework Foundation run: ./as_root_okay_then_poc MKDIR|CHOWN|UNLINK <target> note that this will create some root-owned temporary directories in /tmp which will need to be manually cleaned up Proof of Concept: https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/38137.zip