Unrated severity · NVD Advisory · Published Aug 17, 2015 · Updated May 6, 2026

CVE-2015-5784

Description

runner in Install.framework in the Install Framework Legacy component in Apple OS X before 10.10.5 does not properly drop privileges, which allows attackers to execute arbitrary code in a privileged context via a crafted app.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

A privilege escalation vulnerability in Apple OS X's Install.framework runner allows a crafted app to execute code with root privileges.

Vulnerability

The vulnerability resides in the Install.framework component of Apple OS X, specifically in the runner binary located at /System/Library/PrivateFrameworks/Install.framework/Resources/runner. This binary is setuid root and exports the Distributed Object interface IFInstallRunner, which includes the method [IFInstallRunner makeReceiptDirAt:asRoot:]. When invoked with the asRoot parameter set to 1, the method attempts to create directories under a user-supplied path without proper privilege dropping. Affected versions include OS X Mavericks v10.9.5 and OS X Yosemite v10.10 through v10.10.4; it is fixed in OS X Yosemite v10.10.5 [1][2].
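
The step the description says is missing, dropping privileges around a file operation on a caller-supplied path, looks like this in a setuid program. This is an added example, not Apple's code or its fix; the helper name `mkdir_as_caller` and the small `main` are hypothetical.

```c
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200809L
#endif
#include <errno.h>
#include <stdio.h>
#include <sys/stat.h>
#include <unistd.h>

/* Hypothetical helper, not from Install.framework: create `path` under the
 * caller's real uid/gid so the kernel applies the caller's own permissions
 * to a caller-supplied path. Returns 0 on success, -1 with errno set. */
int mkdir_as_caller(const char *path, mode_t mode)
{
    uid_t ruid = getuid(), saved_euid = geteuid();
    gid_t rgid = getgid(), saved_egid = getegid();
    int rc = -1, err;
    /* Drop the group first: once euid is not 0, setegid() may be refused. */
    if (setegid(rgid) != 0)
        return -1;
    if (seteuid(ruid) != 0) {
        err = errno;
    } else if (geteuid() != ruid || getegid() != rgid) {
        err = EPERM;              /* verify the drop, not just the return code */
    } else {
        rc = mkdir(path, mode);   /* runs with the caller's privileges only */
        err = errno;
    }
    /* Restore in reverse order; treat a failed restore as an error. */
    if (seteuid(saved_euid) != 0 || setegid(saved_egid) != 0) {
        err = errno;
        rc = -1;
    }
    errno = err;
    return rc;
}

int main(int argc, char **argv)
{
    if (argc != 2) {
        fprintf(stderr, "usage: %s <directory>\n", argv[0]);
        return 2;
    }
    if (mkdir_as_caller(argv[1], 0755) != 0) {
        perror("mkdir_as_caller");
        return 1;
    }
    printf("created %s as uid %ld\n", argv[1], (long)getuid());
    return 0;
}
```

With the effective IDs lowered for the duration of the call, a path the caller could not write to fails with the caller's own `EACCES` instead of succeeding as root.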

Exploitation

An attacker requires the ability to run a crafted app on the local system. The attacker can exploit the Distributed Objects IPC mechanism: instead of passing a plain NSString as the path argument, the attacker passes a custom object that behaves like a string but allows full control over method calls back in the attacker's process. By implementing specific selectors on this custom object, the attacker can trigger calls to mkdir, chown, and unlink with effective UID 0. The chown call sets the ownership to root:admin, and since regular OS X users typically belong to the admin group, this can grant the attacker write access to previously restricted files [2].

Impact

Successful exploitation allows an attacker to execute arbitrary code with root (euid 0) privileges. This includes creating arbitrary directories, changing file ownership (granting the attacker read-write access via the admin group), and deleting files. The ultimate outcome is full privilege escalation to root on the affected system [2].

Mitigation

Apple released the fix in OS X Yosemite v10.10.5 and Security Update 2015-006, available via the Apple Support page [1]. Users should update to the latest version. There is no known workaround; the vulnerable runner binary is a standard system component and cannot be safely removed. This CVE is not listed on the CISA KEV catalog as of the current date.

AI Insight generated on May 23, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
