macOS Local Privilege Escalation via CVE-2017-7170
CVE-2017-7170 is a local privilege escalation vulnerability in macOS stemming from insecure use of the `AuthorizationExecuteWithPrivileges` API, allowing unprivileged users to execute arbitrary code as root by sniffing authorization references.
CVE-2017-7170 is a now-patched, but historically significant, local privilege escalation vulnerability affecting macOS. The vulnerability resides in the insecure implementation of the `AuthorizationExecuteWithPrivileges` API. This API, intended for executing a binary with elevated privileges after the user authenticates, does not properly validate the path of the binary it executes. An unprivileged attacker could potentially manipulate the binary executed via `AuthorizationExecuteWithPrivileges`, or more subtly, sniff the externalized authorization reference passed to `security_authtrampoline` and reuse it to perform actions as root. The issue was disclosed in March 2020, although the CVE was assigned earlier. While this vulnerability has been patched, understanding its exploitation provides valuable insight into macOS security mechanisms and potential attack vectors.
Attack Chain
- An unprivileged user executes a legitimate application (e.g., an installer) that utilizes the `AuthorizationExecuteWithPrivileges` API.
- The `AuthorizationExecuteWithPrivileges` function externalizes the authorization reference via `AuthorizationMakeExternalForm`, creating an `AuthorizationExternalForm`.
- The application invokes `AuthorizationExecuteWithPrivilegesExternalForm`, passing the externalized authorization reference. `AuthorizationExecuteWithPrivilegesExternalForm` executes the setuid binary `/usr/libexec/security_authtrampoline`.
- The `security_authtrampoline` process invokes `AuthorizationCopyRights`, generating an XPC message to `authd`.
- The system prompts the user for authentication via the Security Agent.
- An attacker sniffs the externalized authorization reference passed to the `security_authtrampoline` process.
- The attacker re-uses the captured authorization reference to execute arbitrary commands with root privileges, bypassing intended security controls.
Impact
Successful exploitation of CVE-2017-7170 allows a local, unprivileged attacker to gain complete control of the affected macOS system. This could lead to arbitrary code execution as root, installation of malware, data theft, or denial of service. While the vulnerability has been patched, systems that have not been updated remain vulnerable.
Recommendation
- Deploy the Sigma rule "Detect Execution of Security Authtrampoline" to identify potential exploitation attempts, even on patched systems, by monitoring for unusual invocations of `/usr/libexec/security_authtrampoline`.
- Enable process monitoring with command-line argument logging to facilitate the detection of suspicious activity related to privilege escalation (reference the logsource in the Sigma rules).
- Since the vulnerability is already patched by the vendor, there is no further direct fix to apply; instead, monitor for applications within your environment that still use deprecated APIs such as `AuthorizationExecuteWithPrivileges`.
Detection coverage (2 rules)
Detect Execution of Security Authtrampoline (severity: medium)
Detects execution of the `security_authtrampoline` binary, which is used by `AuthorizationExecuteWithPrivileges`. This can indicate privilege escalation attempts, especially if the parent process is unexpected.
Detect Suspicious File Creation in /tmp Followed by Security Authtrampoline Execution (severity: high)
This rule detects a suspicious pattern where a file is created in `/tmp` and then `security_authtrampoline` is executed shortly after. This behavior could indicate an attempt to exploit a vulnerability by writing data to a temporary file that is later used by the privileged process.
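The following is an added illustration of the two detection rules described above, written here for this page and not the platform's own query logic. It runs both rules over a small set of constructed, EDR-style process and file events; the expected-parent allowlist, the 60-second correlation window and the event field names are assumptions to be tuned for a real telemetry source.

```python
from datetime import datetime, timedelta

AUTHTRAMPOLINE = "/usr/libexec/security_authtrampoline"
RULE_EXEC = "Detect Execution of Security Authtrampoline"
RULE_TMP = "Detect Suspicious File Creation in /tmp Followed by Security Authtrampoline Execution"

# Assumed allowlist of parent images that legitimately use AuthorizationExecuteWithPrivileges.
EXPECTED_PARENTS = {"/Applications/Installer.app/Contents/MacOS/Installer"}

# Constructed sample events (not real telemetry), in the shape an EDR might emit.
SAMPLE_EVENTS = [
    {"ts": "2024-03-01T10:00:00", "type": "process", "image": AUTHTRAMPOLINE,
     "parent_image": "/Applications/Installer.app/Contents/MacOS/Installer", "user": "alice"},
    {"ts": "2024-03-01T10:05:00", "type": "file_create", "path": "/tmp/stage.bin", "user": "bob"},
    {"ts": "2024-03-01T10:05:20", "type": "process", "image": AUTHTRAMPOLINE,
     "parent_image": "/bin/bash", "user": "bob"},
    {"ts": "2024-03-01T11:00:00", "type": "file_create", "path": "/tmp/cache.db", "user": "alice"},
]


def _ts(event):
    return datetime.fromisoformat(event["ts"])


def detect(events, expected_parents=EXPECTED_PARENTS, window=timedelta(seconds=60)):
    """Apply both rules; return alert dicts in timestamp order."""
    alerts = []
    tmp_writes = []  # timestamps of /tmp file creations seen so far
    for ev in sorted(events, key=_ts):
        if ev["type"] == "file_create" and ev["path"].startswith("/tmp/"):
            tmp_writes.append(_ts(ev))
            continue
        if ev["type"] != "process" or ev["image"] != AUTHTRAMPOLINE:
            continue
        now = _ts(ev)
        # Rule 1 (medium): every trampoline execution, enriched with whether the parent is expected.
        alerts.append({"rule": RULE_EXEC, "severity": "medium", "ts": ev["ts"],
                       "unexpected_parent": ev["parent_image"] not in expected_parents})
        # Rule 2 (high): a /tmp file was created within `window` before this execution.
        if any(timedelta(0) <= now - w <= window for w in tmp_writes):
            alerts.append({"rule": RULE_TMP, "severity": "high", "ts": ev["ts"],
                           "unexpected_parent": ev["parent_image"] not in expected_parents})
    return alerts


if __name__ == "__main__":
    for a in detect(SAMPLE_EVENTS):
        print(f"[{a['severity']}] {a['ts']} {a['rule']} (unexpected parent: {a['unexpected_parent']})")
```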