CVE-2015-5889

Apple OS X <10.11 - Privilege Escalation

Title source: llm
STIX 2.1

Exploitation Summary

EIP tracks 3 public exploits for CVE-2015-5889. PoCs published by Metasploit, rebel, rebel, shandelman116, including Metasploit module exploits/osx/local/rsh_libmalloc.

AI-analyzed exploit summary This Metasploit module exploits CVE-2015-5889 to escalate privileges on Mac OS X 10.9.5 to 10.10.5 by manipulating the sudoers file via rsh and malloc log files. It writes a cron job to modify sudoers, allowing passwordless sudo access.

Description

rsh in the remote_cmds component in Apple OS X before 10.11 allows local users to obtain root privileges via vectors involving environment variables.

Exploits (3)

exploitdb WORKING POC VERIFIED
by Metasploit · rubylocalosx
https://www.exploit-db.com/exploits/38540

This Metasploit module exploits CVE-2015-5889 to escalate privileges on Mac OS X 10.9.5 to 10.10.5 by manipulating the sudoers file via rsh and malloc log files. It writes a cron job to modify sudoers, allowing passwordless sudo access.

Classification
Working Poc 100%
Attack Type
Lpe
Complexity
Moderate
Reliability
Reliable
Target: Mac OS X 10.9.5-10.10.5
No auth needed
Prerequisites: Local access to a vulnerable Mac OS X system · Ruby installed on the target
devstral-2 · analyzed Feb 16, 2026 Full analysis →
exploitdb WORKING POC VERIFIED
by rebel · pythonlocalosx
https://www.exploit-db.com/exploits/38371

This exploit leverages a vulnerability in OS X's issetugid() function combined with rsh and libmalloc to achieve local privilege escalation. It manipulates environment variables to inject a cron job that modifies /etc/sudoers, granting passwordless sudo access.

Classification
Working Poc 95%
Attack Type
Lpe
Complexity
Moderate
Reliability
Reliable
Target: Apple OS X 10.9.5 / 10.10.5
No auth needed
Prerequisites: Local access to the target system · rsh must be present and executable
devstral-2 · analyzed Feb 16, 2026 Full analysis →
metasploit WORKING POC NORMAL
by rebel, shandelman116 · rubypoc
https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/osx/local/rsh_libmalloc.rb

This Metasploit module exploits a privilege escalation vulnerability in Mac OS X 10.9.5 to 10.10.5 by manipulating the rsh and malloc log files to write to the sudoers file, allowing passwordless sudo access.

Classification
Working Poc 95%
Attack Type
Lpe
Complexity
Moderate
Reliability
Reliable
Target: Mac OS X 10.9.5 to 10.10.5
No auth needed
Prerequisites: Local access to a vulnerable Mac OS X system · Writable directory
devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (10)

Core 10
Core References
Third Party Advisory, VDB Entry vdb-entry x_refsource_sectrack
http://www.securitytracker.com/id/1033703
Vendor Advisory vendor-advisory x_refsource_apple
http://lists.apple.com/archives/security-announce/2015/Sep/msg00008.html
Mailing List mailing-list x_refsource_fulldisc
http://seclists.org/fulldisclosure/2015/Oct/5
Vendor Advisory x_refsource_confirm
https://support.apple.com/HT205267
Exploit, Third Party Advisory exploit x_refsource_exploit-db
https://www.exploit-db.com/exploits/38540/
Third Party Advisory, VDB Entry vdb-entry x_refsource_bid
http://www.securityfocus.com/bid/76908
Exploit, Third Party Advisory exploit x_refsource_exploit-db
https://www.exploit-db.com/exploits/38371/

Scores

EPSS 0.0509
EPSS Percentile 91.2%

Details

CWE
CWE-264
Status published
Products (1)
apple/mac_os_x < 10.10.5
Published Oct 09, 2015
Tracked Since Feb 18, 2026