Nov 2, 2021
103 Views
0 0

Shrootless: Microsoft finds Apple macOS vulnerability

Written by

We research. You level up.
Protect your devices, your data, and your privacy—at home or on the go.
“Thanks to the Malwarebytes MSP program, we have this high-quality product in our stack. It’s a great addition, and I have confidence that customers’ systems are protected.”
Featured Event: RSA 2021
Activate Malwarebytes Privacy on Windows device.
Cybersecurity Month: Save 25% on EP and EDR for your business – BUY NOW

Exploits and vulnerabilities | Mac
Posted: by
Microsoft researchers have discovered a vulnerability in macOS, dubbed Shrootless, that can allow attackers to bypass System Integrity Protection (SIP) and perform malicious activities, such as gaining root privileges and installing rootkits on vulnerable devices.
Microsoft reported the Shrootless attack to Apple’s security team earlier this year, together with a proof-of-concept that showed how the bug could be abused to install a malicious kernel extension (rootkit).
SIP which is also known as “rootless” is designed to lock down the system from root by leveraging the Apple sandbox to protect the entire platform. Being able to bypass SIP basically gives the attacker full control of the system, because they can run arbitrary code without the protection kicking in.
Step by step, Apple has hardened SIP over the years against attacks by improving and finetuning the restrictions. One of the most effective SIP restrictions is the filesystem restriction. Without these restrictions, an attacker would be able to access and drop files in an area of the file system that is not intended for application files. The amount of damage an attacker can do to a device’s critical components is directly based on their ability to write unrestricted data to disk.
Since the filesystem restrictions are so powerful, Apple had to implement some exceptions. One of those exceptions is the daemon system_installd, which has the powerful com.apple.rootless.install.inheritable entitlement. With this entitlement, any child process of system_installd would be able to bypass SIP filesystem restrictions altogether.
The Shrootless vulnerability could be used by an attacker to modify protected parts of the file system by abusing inherited permissions. Microsoft shared its findings with Apple through Coordinated Vulnerability Disclosure (CVD). The vulnerability exists in the macOS Big Sur and Monterey operating systems and was patched by Apple on October 25, 2021.
Publicly disclosed computer security flaws are listed in the Common Vulnerabilities and Exposures (CVE) database. Its goal is to make it easier to share data across separate vulnerability capabilities (tools, databases, and services). Shrootless is listed under  CVE-2021-30892.
The researchers found that during the installation process of a new application, an attacker could hijack the installation process by creating a specially crafted post-installation script and placing it in the location where the installation process looks for the post-installation script.
The method to use this vulnerability is pretty straightforward.
This way the Shrootless attack bypasses the SIP and effectively gives the attacker root access. As you will understand from this description the attacker will need some access to the system to begin with or they will not be able to plant the necessary /etc/zshenv.
The easiest and best way to avoid falling victim to this vulnerability is to update to macOS Big Sur 11.6.1 or better.
Stay safe, everyone!
SHARE THIS ARTICLE
COMMENTS
RELATED ARTICLES
ABOUT THE AUTHOR

Malware Intelligence Researcher
Was a Microsoft MVP in consumer security for 12 years running. Can speak four languages. Smells of rich mahogany and leather-bound books.
Silouette of person
Contributors

Malware
Threat Center

Book with bookmark
Glossary

Suspicious person
Scams

Pencil
Write for Labs

Want to stay informed on the latest news in cybersecurity? Sign up for our newsletter and learn how to protect your computer from threats.
Imagine a world without malware. We do.
FOR PERSONAL
FOR BUSINESS
COMPANY
ABOUT US
CAREERS
NEWS AND PRESS
MY ACCOUNT
SIGN IN
CONTACT US
GET SUPPORT
CONTACT SALES
© All Rights Reserved
Select your language
Cybersecurity basics
Your intro to everything relating to cyberthreats, and how to stop them.

source

Article Categories:
Vulnerabilities

Comments are closed.