Mac OS X rsh Environment Variables Privilege Elevation

Added: 10/15/2015
CVE: CVE-2015-5889

Background

The remote_cmds component of Apple Mac OS X contains an rsh binary program that allows a user to execute commands on another computer across a computer network.

Problem

The rsh binary in the remote_cmds component of Mac OS X versions prior to 10.11 allows an unprivileged user to gain root access by using specially crafted environment variables when using rsh.

Resolution

Upgrade to Apple Mac OS X El Capitan v10.11 or higher.

References

https://support.apple.com/en-us/HT205267

Limitations

Exploit works on Mac OS X 10.9.5 and 10.10.5 and requires an existing unprivileged shell connection to the target.

If the exploit succeeds, the /etc/crontab and /etc/sudoers files should be cleaned up on the target.

Platforms

Mac OS X

Back to exploit index