VYPR
Unrated severity · NVD Advisory · Published Oct 9, 2015 · Updated May 6, 2026

CVE-2015-5889

Description

A local privilege escalation in Apple OS X before 10.11 via rsh, which passes environment variables (like MallocLogFile) to rlogin without sanitization, allowing root access.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

In Apple OS X versions before 10.11, the rsh binary (part of the remote_cmds component) uses execv() to launch rlogin without dropping privileges or clearing the environment [1]. Environment variables such as MallocLogFile are therefore passed through to rlogin. The libmalloc library interprets MallocLogFile as the path of a file to log allocations to, and it does not clear the environment the way libdyld does for DYLD_* variables. An attacker can set MallocLogFile to a location like /etc/crontab to create or overwrite a root-owned file with controlled contents [3].

Exploitation

A local attacker with a regular user account can exploit this by setting the environment variable MallocLogFile to /etc/crontab and then executing rsh with only a host argument (e.g., rsh localhost). The rsh binary, being setuid-root, does not drop privileges before calling execv() on rlogin. The libmalloc library in the rlogin process writes malloc log output to the specified file, with the attacker controlling the format via malloc calls, resulting in a crafted crontab entry. The attacker then uses sudo with the new crontab to gain a root shell [2][3][4]. No authentication or user interaction is required beyond running the exploit.

Impact

Successful exploitation allows a local unprivileged user to escalate privileges to root. The attacker can execute arbitrary commands with root privileges, leading to full compromise of the system's confidentiality, integrity, and availability [3][4].

Mitigation

Apple addressed this issue in OS X El Capitan v10.11, released on September 30, 2015 [1]. Users should update to OS X 10.11 or later. For unsupported versions (e.g., 10.9.5 and 10.10.5), no patch is available; removing the setuid bit from /usr/bin/rsh may reduce risk, but complete mitigation requires upgrading the OS [2][4].
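
The hardening that the rsh-to-rlogin handoff lacked, as an added example (not Apple's fix and not code from the cited references): build the child's environment from an allowlist and drop setuid privileges before exec. The allowlist contents, the function names, the 16-entry cap and the sample environment are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>
#include <unistd.h>
/* Assumed allowlist for illustration: names a login helper plausibly needs.
   Anything else (MallocLogFile, DYLD_*, ...) never reaches the child. */
static const char *const ALLOWED[] = { "TERM", "USER", "HOME", "LANG", NULL };
/* Return 1 if "NAME=value" carries an allowlisted NAME (exact match). */
static int env_allowed(const char *entry) {
    const char *eq = strchr(entry, '=');
    if (eq == NULL || eq == entry) return 0;          /* malformed entry */
    size_t n = (size_t)(eq - entry);
    for (size_t i = 0; ALLOWED[i] != NULL; i++)
        if (strlen(ALLOWED[i]) == n && strncmp(entry, ALLOWED[i], n) == 0)
            return 1;
    return 0;
}

/* Copy allowlisted entries of src into dst (cap slots, including the NULL
   terminator). Returns the number kept, or -1 if dst is too small. */
int sanitize_env(char *const src[], char *dst[], size_t cap) {
    size_t kept = 0;
    if (cap == 0) return -1;
    for (size_t i = 0; src[i] != NULL; i++) {
        if (!env_allowed(src[i])) continue;
        if (kept + 1 >= cap) return -1;               /* fail closed */
        dst[kept++] = src[i];
    }
    dst[kept] = NULL;
    return (int)kept;
}

/* Drop setuid privileges for good, verify, then exec with the clean env.
   Applies when the helper needs no inherited privilege (an assumption). */
int exec_helper_safely(const char *path, char *const argv[], char *const envp[]) {
    char *clean[16];
    if (sanitize_env(envp, clean, 16) < 0) return -1;
    if (setgid(getgid()) != 0 || setuid(getuid()) != 0) return -1;
    if (geteuid() != getuid() || getegid() != getgid()) return -1;
    execve(path, argv, clean);
    return -1;                                        /* exec failed */
}

int main(void) {  /* constructed sample environment */
    char *env[] = { "TERM=xterm", "MallocLogFile=/tmp/constructed.log", "HOME=/Users/demo", NULL };
    char *out[8];
    int n = sanitize_env(env, out, 8);
    for (int i = 0; i < n; i++) puts(out[i]);
    return 0;
}
```

An allowlist is used rather than a blocklist so that variables honoured by libraries the caller does not know about are dropped by default.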

AI Insight generated on May 23, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

2

Patches

0

No patches discovered yet.

References

10
