CVE-2005-0716

Mac OS X 10.3.5-10.3.6 - Local Buffer Overflow via CF_CHARSET_PATH Environment Variable

Title source: llm

Exploitation Summary

EIP tracks 2 public exploits for CVE-2005-0716. PoCs published by Kevin Finisterre, vade79.

AI-analyzed exploit summary This exploit targets a local privilege escalation vulnerability in macOS 10.3.7 by leveraging an environment variable overflow in the `authopen` utility. It uses a crafted `CF_CHARSET_PATH` and `APPL` environment variable to execute shellcode, granting root privileges.

Description

Stack-based buffer overflow in the Core Foundation Library in Mac OS X 10.3.5 and 10.3.6, and possibly earlier versions, allows local users to execute arbitrary code via a long CF_CHARSET_PATH environment variable.

Exploits (2)

exploitdb WORKING POC VERIFIED

by Kevin Finisterre · perllocalosx

https://www.exploit-db.com/exploits/2111

View Code ZIP pw:eip

This exploit targets a local privilege escalation vulnerability in macOS 10.3.7 by leveraging an environment variable overflow in the `authopen` utility. It uses a crafted `CF_CHARSET_PATH` and `APPL` environment variable to execute shellcode, granting root privileges.

Classification

Working Poc 95%

Attack Type

Lpe

Complexity

Moderate

Reliability

Reliable

Target: macOS 10.3.7 (Build 7T65) on PowerPC

No auth needed

Prerequisites: Local access to the target system · Presence of the vulnerable `authopen` utility

MITRE ATT&CK

T1068 - Exploitation for Privilege Escalation T1202 - Indirect Command Execution

devstral-2 · analyzed Feb 16, 2026 Full analysis →

exploitdb WORKING POC VERIFIED

by vade79 · clocalosx

https://www.exploit-db.com/exploits/896

View Code ZIP pw:eip

This exploit leverages a buffer overflow in the CF_CHARSET_PATH environment variable to execute arbitrary shellcode via the /usr/bin/su binary on MacOS X, granting root privileges. The user must press ENTER at the password prompt for successful exploitation.

Classification

Working Poc 95%

Attack Type

Lpe

Complexity

Trivial

Reliability

Reliable

Target: MacOS X (specific version not specified)

No auth needed

Prerequisites: Local access to the target system · Presence of vulnerable /usr/bin/su binary

MITRE ATT&CK

T1068 - Exploitation for Privilege Escalation T1203 - Exploitation for Client Execution

devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (3)

Core 3

Core References

Vendor Advisory vendor-advisory x_refsource_apple

http://lists.apple.com/archives/security-announce/2005/Mar/msg00000.html

Third Party Advisory, VDB Entry vdb-entry x_refsource_bid

http://www.securityfocus.com/bid/13224

Vendor Advisory third-party-advisory x_refsource_idefense

http://www.idefense.com/application/poi/display?id=219&type=vulnerabilities

Scores

EPSS 0.0105

EPSS Percentile 59.8%

Details

Status published

Products (16)

apple/mac_os_x 10.3

apple/mac_os_x 10.3.1

apple/mac_os_x 10.3.2

apple/mac_os_x 10.3.3

apple/mac_os_x 10.3.4

apple/mac_os_x 10.3.5

apple/mac_os_x 10.3.6

apple/mac_os_x 10.3.7

apple/mac_os_x 10.3.8

apple/mac_os_x_server 10.3

... and 6 more

Published Mar 21, 2005

Tracked Since Feb 18, 2026