CVE-2015-3704
Description
runner in Install.framework in the Install Framework Legacy subsystem in Apple OS X before 10.10.4 does not properly drop privileges, which allows attackers to execute arbitrary code in a privileged context via a crafted app.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Runner in Install.framework on OS X before 10.10.4 allows local users to gain root privileges by using a crafted app to invoke setExternalAuthorizationRef without authentication.
Vulnerability
The runner binary in /System/Library/PrivateFrameworks/Install.framework/Resources is setuid root on OS X before 10.10.4. It temporarily drops privileges via seteuid(getuid()) and then reads a Distributed Object (DO) name from stdin. It creates an IFInstallRunner object and vends it via DO. The setExternalAuthorizationRef method in the IFRunnerMessaging protocol does not require proper authorization: it directly regains root privileges by calling seteuid(0) and setegid(0), and then calls AuthorizationCreateFromExternalForm. This allows an attacker to execute arbitrary code as root. [1][2]
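The difference between the temporary drop described above and a permanent one, as an added example (not Apple's code and not taken from the cited references): seteuid(getuid()) leaves the saved set-user-ID at 0, so a later seteuid(0) succeeds, whereas setuid(getuid()) called while the effective UID is still 0 resets the real, effective and saved IDs. The function names can_regain_root and drop_privileges_permanently are hypothetical, and UID 501 is a constructed sample value.

```c
/* Added example (not Apple's code): temporary vs. permanent privilege drop. */
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

/* POSIX seteuid(0) succeeds when the real, effective or saved UID is 0.
 * Hypothetical helper: models that rule for a given credential triple. */
int can_regain_root(uid_t ruid, uid_t euid, uid_t suid) {
    return ruid == 0 || euid == 0 || suid == 0;
}

/* Permanent drop for a setuid-root helper. Returns 0 on success, -1 if the
 * drop failed or could be undone. Call before touching untrusted input. */
int drop_privileges_permanently(void) {
    uid_t ruid = getuid();
    gid_t rgid = getgid();

    /* Group first: once the UID is dropped, setgid() is no longer allowed. */
    if (setgid(rgid) != 0) return -1;
    /* With euid 0, setuid() sets the real, effective AND saved UID. */
    if (setuid(ruid) != 0) return -1;

    /* Verify: for a non-root caller, regaining root must now fail. */
    if (ruid != 0 && (seteuid(0) == 0 || geteuid() == 0)) return -1;
    if (rgid != 0 && ruid != 0 && (setegid(0) == 0 || getegid() == 0)) return -1;
    if (getuid() != ruid || geteuid() != ruid) return -1;
    return 0;
}

int main(void) {
    /* Constructed sample: UID 501 invoking a setuid-root binary. */
    printf("after seteuid(getuid()): regain possible = %d\n",
           can_regain_root(501, 501, 0));
    printf("after setuid(getuid()):  regain possible = %d\n",
           can_regain_root(501, 501, 501));
    if (drop_privileges_permanently() != 0) {
        fprintf(stderr, "privilege drop failed\n");
        return 1;
    }
    puts("privileges dropped permanently");
    return 0;
}
```

A helper that must keep root for specific operations cannot use this drop as-is; in that design every method that re-elevates has to check the caller's authorization first.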
Exploitation
An attacker needs to be able to run a crafted application on the target system. The exploitation involves triggering the runner binary to connect to a malicious DO service that provides a proxy, then invoking setExternalAuthorizationRef on the IFInstallRunner object. This regains root privileges without requiring any valid authorization reference. With root privileges, the attacker can then call other methods like movePath, touchPath, or installPackage to perform arbitrary file operations. [2]
Impact
Successful exploitation allows a local attacker to execute arbitrary code with root privileges, leading to full compromise of the system. The attacker can install software, modify system files, or create new admin accounts. [2]
Mitigation
Apple addressed this issue in OS X Yosemite v10.10.4 and Security Update 2015-005. Users should update to 10.10.4 or later. No workarounds are available for unpatched systems. [1]
AI Insight generated on May 23, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: <10.10.4
Patches
No patches discovered yet.
References
- lists.apple.com/archives/security-announce/2015/Jun/msg00002.html (nvd; Patch, Vendor Advisory)
- support.apple.com/kb/HT204942 (nvd; Vendor Advisory)
- packetstormsecurity.com/files/133547/OS-X-Privilege-Escalation.html (nvd)
- www.securityfocus.com/bid/75493 (nvd)
- www.securitytracker.com/id/1032760 (nvd)
- www.exploit-db.com/exploits/38138/ (nvd)