Talos Vulnerability Report


Pixar Renderman Install Helper Privilege Escalation Vulnerability

March 7, 2019
CVE Number



A local privilege escalation vulnerability exists in the Mac OS X version of Pixar Renderman 22.3.0’s Install Helper helper tool. A user with local access can use this vulnerability to escalate their privileges to root. An attacker would need local access to the machine for a successful exploit.

Tested Versions

Renderman 22.3.0 for Mac OS X

Product URLs


CVSSv3 Score

9.0 - CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N


CWE-749: Exposed Dangerous Method or Function


Renderman is a rendering application used in animation and film production. It is widely used for advanced rendering and shading in many large-scale environments. When installing the Mac OS X version of the application, a helper tool is installed and launched as root. This service continues to listen even after completing installation. The vulnerability comes in with a lack of verification in the Dispatch function. The caller of this function is not checked and the functionality is exposed to any user.

The vulnerability exists because of an incorrectly applied patch. The patch restricts the program to be executed to the system installer and allows any installation package to be chosen. An attacker can use this to install an arbitrary program onto the computer as root. This creates a privilege escalation situation.

Exploit Proof of Concept

Included with this advisory is a C source file, as well as a OSX package. The package needs to be put into /tmp/root.pkg. The command nc -l 1337 needs to be executed in a separate terminal window to accept the root shell.


2019-02-01 - Vendor Disclosure
2019-03-06 - Public Release


Discovered by Tyler Bohan of Cisco Talos.