Local Privilege Escalation in Apple OS X rsh remote_cmds via Environment Variables

Successful exploitation results in full local privilege escalation to root on affected OS X systems. An attacker who already has code execution as an unprivileged local user can bypass normal privilege boundaries, install persistence, modify protected system locations, load additional malware components, disable or evade security tooling, and take complete control of the host. The provided context specifically notes use of this vulnerability by FinSpy malware as part of a first-stage root acquisition process.

Because this is a local privilege escalation, mitigation depends on reducing opportunities for local code execution and limiting access to the vulnerable binary. Restrict untrusted local user access, prevent execution of unapproved binaries and scripts with application control, monitor for abnormal invocation of setuid utilities such as rsh, and harden systems by minimizing legacy services and components. If rsh/remote_cmds is not needed, disabling or removing access to it reduces exposure. Detection opportunities include monitoring for suspicious environment-variable manipulation around privileged process launches.

Upgrade affected Apple OS X systems to OS X 10.11 or later, as the vulnerability affects versions before 10.11. Apply all relevant Apple security updates so the vulnerable rsh/remote_cmds component is replaced with the patched version. Where operationally feasible, remove or disable legacy remote_cmds components and setuid-root utilities that are not required.