Today, @osxreverser on Twitter announced their analysis of Apple's OS X 10.10.3 fix for CVE-2015-113 privilege escalation (aka "rootpipe") and an adapted unofficial fix for OS X 10.9:
https://twitter.com/osxreverser/status/587639173919727616
Apple apparently added a new private entitlement named "com.apple.private.admin.writeconfig" and made it a requirement for calling the "writeconfig" XPC service.
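As an added example (not from the original post), here is a small check a Mac admin could use to see whether a given binary carries the entitlement that 10.10.3 now demands of writeconfig callers. It assumes that `codesign -d --entitlements :-` prints the entitlements plist to stdout, as it did on OS X 10.10; the two sample plists are constructed for illustration.

```python
import plistlib
import subprocess

# Entitlement that 10.10.3 began requiring of callers of the writeconfig XPC service.
WRITECONFIG_ENTITLEMENT = "com.apple.private.admin.writeconfig"

def parse_entitlements(blob: bytes) -> dict:
    """Parse the entitlements plist emitted by codesign.

    codesign may prefix the XML with a binary blob header, so skip ahead to
    the first '<?xml' or '<plist' marker before handing it to plistlib.
    An unsigned binary, or one with no entitlements, yields an empty dict.
    """
    start = blob.find(b"<?xml")
    if start < 0:
        start = blob.find(b"<plist")
    if start < 0:
        return {}
    return plistlib.loads(blob[start:])

def can_call_writeconfig(entitlements: dict) -> bool:
    """True only if the entitlement is present and set to boolean true."""
    return entitlements.get(WRITECONFIG_ENTITLEMENT) is True

def binary_can_call_writeconfig(path: str) -> bool:
    """Query a real binary's signature via codesign (macOS only).

    Assumption: 'codesign -d --entitlements :-' writes the entitlements
    plist to stdout, as on OS X 10.10. A missing signature gives False.
    """
    proc = subprocess.run(
        ["codesign", "-d", "--entitlements", ":-", path],
        capture_output=True, check=False,
    )
    return can_call_writeconfig(parse_entitlements(proc.stdout))

# Constructed sample: what a binary that was granted the entitlement shows.
SAMPLE_ENTITLED = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
<key>com.apple.private.admin.writeconfig</key><true/>
</dict></plist>"""

# Constructed sample: a tool, like createmobileaccount, that was never re-entitled.
SAMPLE_NOT_ENTITLED = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
<key>com.apple.security.app-sandbox</key><false/>
</dict></plist>"""
```

On a real system, `binary_can_call_writeconfig("/path/to/tool")` reports whether that tool will still be able to reach writeconfig after the update.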
Shortly after 10.10.3 was released, it was discovered that the tool "createmobileaccount" (which can be used to pre-create a mobile account and home path prior to a user with network credentials logging into a machine) was no longer functioning properly.
Greg Neagle (@gregneagle on Twitter) put forward that the change to the writeconfig XPC service was the culprit:
https://twitter.com/gregneagle/status/587649138948341760
It was also noticed, however, that various ways of pre-creating the home folder seemed to work around the issue to some degree.
The root cause is a particular method call on a class from the same framework that was identified earlier as a mechanism for CVE-2015-113: the private framework SystemAdministration.framework.
In the case of createmobileaccount, the tool uses the class "ADMUser" and calls the method "createHomeDirectoryWithParameters:".
Below you can see a snippet of the code in question:
Excellent, thanks for the information!
What tool did you use to disassemble createmobileaccount?