In a security report, Microsoft detailed the finding of a critical vulnerability in macOS whose successful exploitation would allow threat actors to evade the System Integrity Protection (SIP) mechanism and deploy all kinds of attacks, such as performing privilege escalations and installing rootkits. SIP, also known as Rootless, is a security feature in macOS that prevents root users from performing operations that could compromise security on the system.
This mechanism allows only Apple-signed processes to modify these restricted sections of the system. According to the report, threat actors could create a specially crafted file in order to hijack the legitimate installation process.
Microsoft mentions that when evaluating macOS processes, the daemon system_installd was detected, which has rights com.apple.rootless.install.inheritable. Access to this level of rights, any process derived from system_installd could evade the restrictions of the SIP file system.
The vulnerability, dubbed Shrootless, was exploited in a secure environment by Microsoft researchers, who managed to override the exclusion list of kernel extensions. Below are the steps that make up the proof of concept (PoC):
- Download an Apple-signed package (using wget) that is known to have a post exploit script
- Plant a malicious /etc/zshenv that verifies its parent process; if it is system_installd then it would write to restricted locations
- Invoke the installation utility to install the package
Apple announced the fix of the flaw in its latest security update for macOS, crediting Microsoft with the bug report: “A malicious application can modify protected parts of the file system,” the company acknowledges.
To learn more about information security risks, malware variants, vulnerabilities and information technologies, feel free to access the International Institute of Cyber Security (IICS) websites.