Microsoft found Shrootless bug in macOS that could bypass System Integrity Protection

Microsoft finds a flaw in macOS, dubbed Shrootless (CVE-2021-30892), that can allow attackers to bypass System Integrity Protection (SIP).

Microsoft discovered a vulnerability in macOS, dubbed Shrootless (CVE-2021-30892), that can allow attackers to bypass System Integrity Protection (SIP) and perform malicious activities, such as gaining root privileges and installing rootkits on vulnerable devices.

System Integrity Protection (also referred to as rootless) is a macOS security feature introduced in OS X El Capitan (2015) (OS X 10.11). SIP technology restricts a root user from performing operations that may compromise system integrity.

The flaw was reported to Apple through the Microsoft Security Vulnerability Research (MSVR).

By design, SIP only allows processes signed by Apple or those with special entitlements (i.e., Apple software updates and Apple installers) to modify these protected parts of macOS.

The researchers reported that a threat actor could create a specially crafted file that would hijack the installation process. 

“While assessing macOS processes entitled to bypass SIP protections, we came across the daemon system_installd, which has the powerful com.apple.rootless.install.inheritable entitlement. With this entitlement, any child process of system_installd would be able to bypass SIP filesystem restrictions altogether.” reads the post published by Microsoft.

Microsoft experts discovered the Shrootless security flaw after noticing that the system_installd daemon had the com.apple.rootless.install.inheritable entitlement that allowed any child process to fully bypass SIP filesystem restrictions.

Microsoft implemented the following algorithm to create a proof-of-concept (POC) exploit to override the kernel extension exclusion list:

1. Download an Apple-signed package (using wget) that is known to have a post-install script
2. Plant a malicious /etc/zshenv that would check for its parent process; if it’s system_installd, then it would write to restricted locations
3. Invoke the installer utility to install the package

Apple addressed the flaw with the release of security updates on October 26, the company credited Jonathan Bar Or of Microsoft for this issue.

“A malicious application may be able to modify protected parts of the file system.” states the security advisory published by Apple. “Description: An inherited permissions issue was addressed with additional restrictions.“

Follow me on Twitter: @securityaffairs and Facebook

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, Apple)

[adrotate banner=”5″]

[adrotate banner=”13″]