CVE-2015-3673

Apple OS X Entitlements Rootpipe Privilege Escalation

Title source: metasploit

Description

Admin Framework in Apple OS X before 10.10.4 does not properly restrict the location of writeconfig clients, which allows local users to obtain root privileges by moving and then modifying Directory Utility.

Exploits (2)

exploitdb WORKING POC VERIFIED
by Metasploit · ruby · local · osx
https://www.exploit-db.com/exploits/38036
metasploit WORKING POC GREAT
by Emil Kvarnhammar, joev · ruby · poc · osx
https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/osx/local/rootpipe_entitlements.rb

Scores

EPSS 0.0302
EPSS Percentile 86.6%

Details

CWE
CWE-264
Status published
Products (1)
apple/mac_os_x < 10.10.3
Published Jul 03, 2015
Tracked Since Feb 18, 2026