CVE-2015-1130 — Apple OS X Authentication Bypass Vulnerability

CVE-2015-1130

Apple OS X — XPC Admin Framework Authentication Bypass Allows Local User to Gain Admin Privileges Without Password; Patched OS X 10.10.3

What Is the Apple Admin Framework XPC Interface?

macOS uses XPC (Cross-Process Communication) as its primary inter-process communication framework for privileged operations. The Admin Framework's authorization daemon (authd) manages authentication requests — when an application needs administrator privileges, it communicates with authd via XPC to request authorization and prompt the user for their administrator password. This architecture is designed so that only applications that pass Apple's authorization checks can obtain admin rights.

XPC services in macOS can restrict which processes are allowed to connect to them based on code signing requirements, entitlements, and other access controls. A flaw in these access controls — allowing an unprivileged process to communicate with a privileged XPC service — can completely bypass the authentication prompt.

Overview

Actively Exploited. This vulnerability was added to CISA's Known Exploited Vulnerabilities (KEV) Catalog on February 10, 2022. Federal agencies are required to apply mitigations per BOD 22-01.

CVE-2015-1130 is an authentication bypass in the XPC implementation of Apple OS X's Admin Framework that allows a local, low-privileged user to obtain administrator privileges without providing an administrator password. By exploiting improper access control on a privileged XPC service, an unprivileged process can communicate with the service in a way that bypasses the authentication prompt and grants elevated rights. Patched in OS X Yosemite 10.10.3 (April 8, 2015).

Affected Versions

OS X version: Status
OS X Yosemite before 10.10.3: Vulnerable
OS X Mavericks (10.9): Vulnerable; fix delivered in Security Update 2015-004
OS X Mountain Lion (10.8): Vulnerable; fix delivered in Security Update 2015-004
OS X 10.10.3: Fixed

Technical Details

Root Cause: Insufficient XPC Client Validation in Admin Framework

The Admin Framework daemon — responsible for handling privilege escalation requests on OS X — exposed an XPC service that did not properly restrict which client processes could connect to it. The XPC service lacked adequate code signing validation or entitlement checks, meaning any local process (regardless of privilege level) could establish a connection.

Once connected, an unprivileged client could send XPC messages requesting administrator authorization without triggering the standard user-facing password prompt. The daemon would honor the authorization request — effectively granting admin rights to the requesting process — without verifying that the user had authenticated.
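The two checks the daemon described above failed to make are who is connecting (peer code identity) and whether the user has actually authorized the operation. The listener below is an added example, not code from the advisory or from Apple's Admin Framework: it shows the permissive acceptance pattern the root-cause section describes beside a hardened NSXPCListener delegate that binds a code-signing requirement to the connection (macOS 13 and later) and then re-verifies an Authorization Services right on every privileged request instead of trusting the caller. The service name, protocol, right name, client identifier and team ID are hypothetical placeholders.

```objective-c
// Added example; not the advisory's or Apple's code. Service name, protocol,
// right name, client identifier and team ID below are hypothetical placeholders.
#import <Foundation/Foundation.h>
#import <Security/Security.h>

static NSString *const kHelperRight = @"com.example.adminhelper.install"; // hypothetical right name

@protocol AdminHelperProtocol
// authData carries an AuthorizationExternalForm the client obtained from authd
// after the user passed the authentication prompt.
- (void)installPackageAtPath:(NSString *)path
               authorization:(NSData *)authData
                   withReply:(void (^)(BOOL ok, NSString *message))reply;
@end

@interface AdminHelper : NSObject <AdminHelperProtocol>
@end
@implementation AdminHelper
- (void)installPackageAtPath:(NSString *)path
               authorization:(NSData *)authData
                   withReply:(void (^)(BOOL, NSString *))reply {
    // Second check: the caller must already hold the right. The helper never
    // prompts (no kAuthorizationFlagInteractionAllowed), so a caller that did
    // not go through authd's user prompt is refused here.
    if (authData.length != sizeof(AuthorizationExternalForm)) {
        reply(NO, @"malformed authorization blob"); return;
    }
    AuthorizationRef auth = NULL;
    if (AuthorizationCreateFromExternalForm((const AuthorizationExternalForm *)authData.bytes,
                                            &auth) != errAuthorizationSuccess) {
        reply(NO, @"invalid authorization reference"); return;
    }
    AuthorizationItem item = { kHelperRight.UTF8String, 0, NULL, 0 };
    AuthorizationRights rights = { 1, &item };
    OSStatus status = AuthorizationCopyRights(auth, &rights, kAuthorizationEmptyEnvironment,
                                              kAuthorizationFlagExtendRights, NULL);
    AuthorizationFree(auth, kAuthorizationFlagDefaults);
    if (status != errAuthorizationSuccess) {
        reply(NO, @"caller does not hold the required right"); return;
    }
    // Only absolute, existing paths are accepted; the privileged work itself
    // (package installation) is outside the scope of this example.
    if (![path isAbsolutePath] || ![[NSFileManager defaultManager] fileExistsAtPath:path]) {
        reply(NO, @"package path rejected"); return;
    }
    reply(YES, [NSString stringWithFormat:@"authorized to install %@", path]);
}
@end

// Permissive delegate: the pattern the root-cause section describes. Any local
// process that can look up the Mach service receives the full interface.
@interface PermissiveDelegate : NSObject <NSXPCListenerDelegate>
@end
@implementation PermissiveDelegate
- (BOOL)listener:(NSXPCListener *)listener shouldAcceptNewConnection:(NSXPCConnection *)conn {
    conn.exportedInterface = [NSXPCInterface interfaceWithProtocol:@protocol(AdminHelperProtocol)];
    conn.exportedObject = [AdminHelper new];
    [conn resume];
    return YES; // no check at all on who the peer is
}
@end

// Hardened delegate: first check, a code-signing requirement on the peer.
@interface StrictDelegate : NSObject <NSXPCListenerDelegate>
@end
@implementation StrictDelegate
- (BOOL)listener:(NSXPCListener *)listener shouldAcceptNewConnection:(NSXPCConnection *)conn {
    // Requirement language: bundle identifier, Apple-rooted certificate chain,
    // and a specific team ID (placeholder). Every other peer is rejected.
    NSString *requirement = @"identifier \"com.example.adminclient\" and anchor apple generic "
                            @"and certificate leaf[subject.OU] = \"TEAMID0000\"";
    if (@available(macOS 13.0, *)) {
        [conn setCodeSigningRequirement:requirement];
    } else {
        return NO; // fail closed where the API is unavailable
    }
    conn.exportedInterface = [NSXPCInterface interfaceWithProtocol:@protocol(AdminHelperProtocol)];
    conn.exportedObject = [AdminHelper new];
    [conn resume];
    return YES;
}
@end

int main(void) {
    @autoreleasepool {
        NSXPCListener *listener =
            [[NSXPCListener alloc] initWithMachServiceName:@"com.example.adminhelper"]; // hypothetical
        StrictDelegate *delegate = [StrictDelegate new];
        listener.delegate = delegate; // delegate is unretained; keep it alive for the run loop
        [listener resume];
        [[NSRunLoop currentRunLoop] run];
    }
    return 0;
}
```

On systems older than macOS 13, where -setCodeSigningRequirement: is unavailable, the equivalent first check is to obtain the peer's audit token, build a SecCodeRef for it with SecCodeCopyGuestWithAttributes, and evaluate it with SecCodeCheckValidity against a SecRequirementRef; checking only the connection's processIdentifier is not sufficient, because PIDs are reused and the peer can change identity between the lookup and the message. The two checks are deliberately independent: code identity says which binary is talking, the right check says the user consented, and the class of bug this advisory describes is precisely a daemon that skipped the second.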

Privilege Escalation Path

  1. Local user runs malicious application — no administrator password required to launch the app
  2. App connects to Admin Framework XPC service — bypasses code signing or entitlement validation
  3. App sends authorization request via XPC — the vulnerable daemon grants admin authorization without prompting for credentials
  4. App obtains admin authorization — uses the granted authorization to perform privileged operations: install software, modify system files, launch processes as root

Attack Characteristics

Attack Vector: Local (requires an account on the system)
Privileges Required: Low (standard user account)
User Interaction: None required
Impact: Full admin/root privilege escalation
CWE: CWE-59, Link Following (improper access control on IPC)

Discovery

Patched by Apple in OS X 10.10.3 and Security Update 2015-004 in April 2015. The vulnerability was disclosed as part of Apple's security advisory for that update.

Exploitation Context

  • Malware persistence: OS X malware families that gain initial execution as a standard user can exploit CVE-2015-1130 to escalate to administrator/root, enabling persistent installation in system directories, keychain access, and disabling security tools
  • Targeted macOS attacks: Nation-state actors and criminal groups targeting macOS enterprise users used privilege escalation bugs to establish persistent, elevated footholds after initial compromise via phishing or malicious downloads
  • Jailbreak and adware use: The reliable and silent nature of this privilege escalation (no password prompt) made it attractive for adware and potentially unwanted application (PUA) authors who bundle such exploits to perform silent system modifications
  • CISA KEV (2022): Added February 2022, confirming active exploitation against macOS systems in enterprise environments

Remediation

CISA BOD 22-01 Deadline: August 10, 2022. Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

  1. Update to OS X 10.10.3 or apply Security Update 2015-004 for Mavericks/Mountain Lion. Any macOS version released after April 2015 includes this fix.

  2. Update to current macOS — any macOS version from 10.10.3 onward resolves this specific bug; newer macOS versions include additional security hardening around XPC and privilege escalation paths.

  3. Enforce Gatekeeper — require App Store or identified developer signatures to prevent untrusted applications from executing and triggering local exploits.

  4. Enable FileVault and System Integrity Protection (SIP) — SIP (introduced in OS X 10.11 El Capitan) adds protections that significantly limit the impact of privilege escalation even if a bypass is found.

  5. Monitor for privilege escalation — use endpoint security tools that alert on unexpected privilege escalation events or processes unexpectedly running as root.

Key Details

CVE ID: CVE-2015-1130
Vendor / Product: Apple OS X
NVD Published: 2015-04-10
NVD Last Modified: 2025-10-22
CVSS 3.1 Score: 7.8
CVSS 3.1 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Severity: HIGH
CWE: CWE-59, Improper Link Resolution Before File Access ('Link Following')
CISA KEV Added: 2022-02-10
CISA KEV Deadline: 2022-08-10
Known Ransomware Use: No

CVSS 3.1 Breakdown

Attack Vector: Local
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: High

Required Action

CISA BOD 22-01 Deadline: 2022-08-10. Apply updates per vendor instructions.

Timeline

2015-04-08: Apple releases OS X Yosemite 10.10.3 and Security Update 2015-004, patching CVE-2015-1130
2015-04-10: CVE-2015-1130 published by NVD
2022-02-10: Added to CISA Known Exploited Vulnerabilities catalog
2022-08-10: CISA BOD 22-01 remediation deadline

References

NVD: CVE-2015-1130 (vulnerability database)
CISA KEV Catalog Entry (US government)
Apple OS X Yosemite 10.10.3 security content (vendor advisory)