Vulnerabilities > CVE-2015-1130 - 7PK - Security Features vulnerability in Apple mac OS X

047910
CVSS 7.2 - HIGH
Attack vector
LOCAL
Attack complexity
LOW
Privileges required
NONE
Confidentiality impact
COMPLETE
Integrity impact
COMPLETE
Availability impact
COMPLETE
local
low complexity
apple
CWE-254
nessus
exploit available
metasploit
NVD
Published: 2015-04-10
Updated: 2015-09-17

Summary

The XPC implementation in Admin Framework in Apple OS X before 10.10.3 allows local users to bypass authentication and obtain admin privileges via unspecified vectors.

Vulnerable Configurations

Part Description Count
OS
Apple
89

Common Weakness Enumeration (CWE)

Exploit-Db

  • descriptionMac OS X rootpipe Local Privilege Escalation. CVE-2015-1130. Local exploit for osx platform
    fileexploits/osx/local/36692.py
    idEDB-ID:36692
    last seen2016-02-04
    modified2015-04-09
    platformosx
    port
    published2015-04-09
    reporterEmil Kvarnhammar
    sourcehttps://www.exploit-db.com/download/36692/
    titleMac OS X < 10.7.5, 10.8.2, 10.9.5 10.10.2 - rootpipe Local Privilege Escalation
    typelocal
  • descriptionMac OS X "Rootpipe" Privilege Escalation. CVE-2015-1130. Local exploit for osx platform
    idEDB-ID:36745
    last seen2016-02-04
    modified2015-04-13
    published2015-04-13
    reportermetasploit
    sourcehttps://www.exploit-db.com/download/36745/
    titleMac OS X - "Rootpipe" Privilege Escalation

Metasploit

descriptionThis module exploits a hidden backdoor API in Apple's Admin framework on Mac OS X to escalate privileges to root, dubbed "Rootpipe." This module was tested on Yosemite 10.10.2 and should work on previous versions. The patch for this issue was not backported to older releases. Note: you must run this exploit as an admin user to escalate to root.
idMSF:EXPLOIT/OSX/LOCAL/ROOTPIPE
last seen2020-06-10
modified2018-11-16
published2015-04-09
references
reporterRapid7
sourcehttps://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/osx/local/rootpipe.rb
titleApple OS X Rootpipe Privilege Escalation

Nessus

NASL familyMacOS X Local Security Checks
NASL idMACOSX_10_10_3.NASL
descriptionThe remote host is running a version of Mac OS X 10.10.x that is prior to 10.10.3. It is, therefore, affected multiple vulnerabilities in the following components : - Admin Framework - Apache - ATS - Certificate Trust Policy - CFNetwork HTTPProtocol - CFNetwork Session - CFURL - CoreAnimation - FontParser - Graphics Driver - Hypervisor - ImageIO - IOHIDFamily - Kernel - LaunchServices - libnetcore - ntp - Open Directory Client - OpenLDAP - OpenSSL - PHP - QuickLook - SceneKit - ScreenSharing - Security - Code SIgning - UniformTypeIdentifiers - WebKit Note that successful exploitation of the most serious issues can result in arbitrary code execution.
last seen2020-06-01
modified2020-06-02
plugin id82699
published2015-04-10
reporterThis script is Copyright (C) 2015-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
sourcehttps://www.tenable.com/plugins/nessus/82699
titleMac OS X 10.10.x < 10.10.3 Multiple Vulnerabilities (FREAK)
code
#
# (C) Tenable Network Security, Inc.
#

include("compat.inc");

if (description)
{
  script_id(82699);
  script_version("1.20");
  script_cvs_date("Date: 2019/11/22");

  script_cve_id(
    "CVE-2013-0118",
    "CVE-2013-5704",
    "CVE-2013-6438",
    "CVE-2013-6712",
    "CVE-2014-0098",
    "CVE-2014-0117",
    "CVE-2014-0118",
    "CVE-2014-0207",
    "CVE-2014-0226",
    "CVE-2014-0231",
    "CVE-2014-0237",
    "CVE-2014-0238",
    "CVE-2014-2497",
    "CVE-2014-3478",
    "CVE-2014-3479",
    "CVE-2014-3480",
    "CVE-2014-3487",
    "CVE-2014-3523",
    "CVE-2014-3538",
    "CVE-2014-3569",
    "CVE-2014-3570",
    "CVE-2014-3571",
    "CVE-2014-3572",
    "CVE-2014-3587",
    "CVE-2014-3597",
    "CVE-2014-3668",
    "CVE-2014-3669",
    "CVE-2014-3670",
    "CVE-2014-3710",
    "CVE-2014-3981",
    "CVE-2014-4049",
    "CVE-2014-4380",
    "CVE-2014-4404",
    "CVE-2014-4405",
    "CVE-2014-4670",
    "CVE-2014-4698",
    "CVE-2014-5120",
    "CVE-2014-8275",
    "CVE-2014-8830",
    "CVE-2014-9298",
    "CVE-2015-0204",
    "CVE-2015-1069",
    "CVE-2015-1088",
    "CVE-2015-1089",
    "CVE-2015-1091",
    "CVE-2015-1093",
    "CVE-2015-1095",
    "CVE-2015-1096",
    "CVE-2015-1098",
    "CVE-2015-1099",
    "CVE-2015-1100",
    "CVE-2015-1101",
    "CVE-2015-1102",
    "CVE-2015-1103",
    "CVE-2015-1104",
    "CVE-2015-1105",
    "CVE-2015-1117",
    "CVE-2015-1118",
    "CVE-2015-1130",
    "CVE-2015-1131",
    "CVE-2015-1132",
    "CVE-2015-1133",
    "CVE-2015-1134",
    "CVE-2015-1135",
    "CVE-2015-1136",
    "CVE-2015-1137",
    "CVE-2015-1138",
    "CVE-2015-1139",
    "CVE-2015-1140",
    "CVE-2015-1141",
    "CVE-2015-1142",
    "CVE-2015-1143",
    "CVE-2015-1144",
    "CVE-2015-1145",
    "CVE-2015-1146",
    "CVE-2015-1147",
    "CVE-2015-1148",
    "CVE-2015-1160",
    "CVE-2015-1545",
    "CVE-2015-1546"
  );
  script_bugtraq_id(
    58128,
    64018,
    66233,
    66303,
    66550,
    67759,
    67765,
    67837,
    68007,
    68120,
    68238,
    68239,
    68241,
    68243,
    68348,
    68511,
    68513,
    68678,
    68740,
    68742,
    68745,
    68747,
    69322,
    69325,
    69375,
    69938,
    69942,
    69947,
    70611,
    70665,
    70666,
    70807,
    71934,
    71935,
    71936,
    71937,
    71939,
    71942,
    72328,
    72519,
    72584,
    73176,
    73981,
    73982,
    73984
  );
  script_xref(name:"CERT", value:"243585");
  script_xref(name:"APPLE-SA", value:"APPLE-SA-2015-04-08-2");

  script_name(english:"Mac OS X 10.10.x < 10.10.3 Multiple Vulnerabilities (FREAK)");
  script_summary(english:"Checks the version of Mac OS X.");

  script_set_attribute(attribute:"synopsis", value:
"The remote host is missing a Mac OS X update that fixes multiple
security vulnerabilities.");
  script_set_attribute(attribute:"description", value:
"The remote host is running a version of Mac OS X 10.10.x that is prior
to 10.10.3. It is, therefore, affected multiple vulnerabilities in the
following components :

  - Admin Framework
  - Apache
  - ATS
  - Certificate Trust Policy
  - CFNetwork HTTPProtocol
  - CFNetwork Session
  - CFURL
  - CoreAnimation
  - FontParser
  - Graphics Driver
  - Hypervisor
  - ImageIO
  - IOHIDFamily
  - Kernel
  - LaunchServices
  - libnetcore
  - ntp
  - Open Directory Client
  - OpenLDAP
  - OpenSSL
  - PHP
  - QuickLook
  - SceneKit
  - ScreenSharing
  - Security - Code SIgning
  - UniformTypeIdentifiers
  - WebKit

Note that successful exploitation of the most serious issues can
result in arbitrary code execution.");
  script_set_attribute(attribute:"see_also", value:"http://support.apple.com/en-us/HT204659");
  # https://lists.apple.com/archives/security-announce/2015/Apr/msg00001.html
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?cf90c4cb");
  script_set_attribute(attribute:"solution", value:
"Upgrade to Mac OS X 10.10.3 or later.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:H/RL:OF/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2015-1132");

  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");
  script_set_attribute(attribute:"exploit_framework_core", value:"true");
  script_set_attribute(attribute:"exploited_by_malware", value:"true");
  script_set_attribute(attribute:"metasploit_name", value:'Apple OS X Rootpipe Privilege Escalation');
  script_set_attribute(attribute:"exploit_framework_metasploit", value:"true");
  script_set_attribute(attribute:"exploit_framework_canvas", value:"true");
  script_set_attribute(attribute:"canvas_package", value:'CANVAS');
  script_set_attribute(attribute:"in_the_news", value:"true");

  script_set_attribute(attribute:"vuln_publication_date", value:"2015/04/09");
  script_set_attribute(attribute:"patch_publication_date", value:"2015/04/09");
  script_set_attribute(attribute:"plugin_publication_date", value:"2015/04/10");

  script_set_attribute(attribute:"plugin_type", value:"combined");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:apple:mac_os_x");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"MacOS X Local Security Checks");

  script_copyright(english:"This script is Copyright (C) 2015-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("ssh_get_info.nasl", "os_fingerprint.nasl");
  script_require_ports("Host/MacOSX/Version", "Host/OS");

  exit(0);
}

include("audit.inc");
include("global_settings.inc");
include("misc_func.inc");

os = get_kb_item("Host/MacOSX/Version");
if (!os)
{
  os = get_kb_item_or_exit("Host/OS");
  if ("Mac OS X" >!< os) audit(AUDIT_OS_NOT, "Mac OS X");

  c = get_kb_item("Host/OS/Confidence");
  if (c <= 70) exit(1, "Can't determine the host's OS with sufficient confidence.");
}
if (!os) audit(AUDIT_OS_NOT, "Mac OS X");

match = eregmatch(pattern:"Mac OS X ([0-9]+(\.[0-9]+)+)", string:os);
if (isnull(match)) exit(1, "Failed to parse the Mac OS X version ('" + os + "').");

version = match[1];
if (!ereg(pattern:"^10\.10([^0-9]|$)", string:version)) audit(AUDIT_OS_NOT, "Mac OS X 10.10", "Mac OS X "+version);

fixed_version = "10.10.3";
if (ver_compare(ver:version, fix:fixed_version, strict:FALSE) == -1)
{
  if (report_verbosity > 0)
    {
      report = '\n  Installed version : ' + version +
               '\n  Fixed version     : ' + fixed_version +
               '\n';
      security_hole(port:0, extra:report);
    }
    else security_hole(0);
    exit(0);
}
else exit(0, "The host is not affected as it is running Mac OS X "+version+".");

Packetstorm

Saint

bid73982
descriptionOS X rootpipe privilege elevation
idmisc_macosx_version
osvdb120418
titleos_x_rootpipe
typelocal

Seebug

bulletinFamilyexploit
description<p>漏洞名称:Apple OS X Admin Framework 安全漏洞<br></p><p>紧急程度:高危<br></p><p>漏洞类型: 本地提权<br></p><p>详细信息:</p><p>Apple OS X是美国苹果(Apple)公司为Mac计算机所开发的一套专用操作系统。</p><p>Apple OS X 10.10.2及之前版本的Admin Framework中的XPC实现过程中存在安全漏洞。本地攻击者可利用该漏洞绕过身份验证,获取管理员权限。</p><div class="simditor-table"><br></div>
idSSV:89389
last seen2017-11-19
modified2015-09-10
published2015-09-10
reporterpublic_exp
sourcehttps://www.seebug.org/vuldb/ssvid-89389
titleMac OS X < 10.7.5, 10.8.2, 10.9.5 10.10.2 - rootpipe 本地提权漏洞

The Hacker News

idTHN:AC9FE9EB5F1C5B026F0BCF1D4D883160
last seen2018-01-27
modified2015-04-21
published2015-04-20
reporterSwati Khandelwal
sourcehttps://thehackernews.com/2015/04/rootpipe-mac-os-x-vulnerability.html
titleApple Failed to Patch Rootpipe Mac OS X Yosemite Vulnerability

References