CVE-2015-3673

Apple OS X Entitlements Rootpipe Privilege Escalation

Title source: metasploit

Exploitation Summary

EIP tracks 2 public exploits for CVE-2015-3673. PoCs published by Metasploit, Emil Kvarnhammar, joev, including Metasploit module exploits/osx/local/rootpipe_entitlements.

AI-analyzed exploit summary: This Metasploit module exploits CVE-2015-3673 (Rootpipe) to achieve local privilege escalation on OS X by injecting code into a process with the 'admin.writeconfig' entitlement. It copies and modifies the Directory Utility.app to execute a malicious payload with root privileges.

Description

Admin Framework in Apple OS X before 10.10.4 does not properly restrict the location of writeconfig clients, which allows local users to obtain root privileges by moving and then modifying Directory Utility.

Exploits (2)

exploitdb WORKING POC VERIFIED
by Metasploit · ruby · local · osx
https://www.exploit-db.com/exploits/38036

This Metasploit module exploits CVE-2015-3673 (Rootpipe) to achieve local privilege escalation on OS X by injecting code into a process with the 'admin.writeconfig' entitlement. It copies and modifies the Directory Utility.app to execute a malicious payload with root privileges.

Classification: Working PoC 100%
Attack Type: LPE
Complexity: Moderate
Reliability: Reliable
Target: Apple OS X 10.9-10.10.3
Auth required
Prerequisites: Admin access on the target system · Vulnerable OS X version (10.9-10.10.3)
devstral-2 · analyzed Feb 16, 2026
metasploit WORKING POC GREAT
by Emil Kvarnhammar, joev · ruby · poc · osx
https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/osx/local/rootpipe_entitlements.rb

This Metasploit module exploits CVE-2015-3673, a privilege escalation vulnerability in Apple OS X (10.9-10.10.3), by injecting code into a process with the 'admin.writeconfig' entitlement. It copies and modifies the Directory Utility.app to execute a malicious payload, achieving root privileges.

Classification: Working PoC 100%
Attack Type: LPE
Complexity: Moderate
Reliability: Reliable
Target: Apple OS X 10.9-10.10.3
Auth required
Prerequisites: Admin group membership · Writable directory access
devstral-2 · analyzed Feb 16, 2026

References (5)

Core References
Patch, Vendor Advisory vendor-advisory x_refsource_apple
http://lists.apple.com/archives/security-announce/2015/Jun/msg00002.html
Third Party Advisory, VDB Entry vdb-entry x_refsource_bid
http://www.securityfocus.com/bid/75493
Third Party Advisory, VDB Entry vdb-entry x_refsource_sectrack
http://www.securitytracker.com/id/1032760
Exploit, Third Party Advisory exploit x_refsource_exploit-db
https://www.exploit-db.com/exploits/38036/
Vendor Advisory x_refsource_confirm
http://support.apple.com/kb/HT204942

Scores

EPSS 0.0566
EPSS Percentile 92.0%

Details

CWE: CWE-264
Status: published
Products (1)
apple/mac_os_x < 10.10.3
Published: Jul 03, 2015
Tracked Since: Feb 18, 2026