Mac OS X rsh Environment Variables Privilege Elevation

Added: 10/15/2015
CVE: CVE-2015-5889


The remote_cmds component of Apple Mac OS X contains an rsh binary program that allows a user to execute commands on another computer across a computer network.


The rsh binary in the remote_cmds component of Mac OS X versions prior to 10.11 allows an unprivileged user to gain root access by using specially crafted environment variables when using rsh.


Upgrade to Apple Mac OS X El Capitan v10.11 or higher.



Exploit works on Mac OS X 10.9.5 and 10.10.5 and requires an existing unprivileged shell connection to the target.

If the exploit succeeds, the /etc/crontab and /etc/sudoers files should be cleaned up on the target.


Mac OS X

Back to exploit index