System Integrity Protection (SIP, also referred to as rootless) is a macOS security feature introduced in OS X El Capitan (OS X 10.11, 2015). SIP restricts even the root user from performing operations that may compromise system integrity.
Once an attacker has bypassed SIP’s root restrictions, they can install “undeletable”, persistent malware and access sensitive data on the device.
By design, SIP only allows processes signed by Apple or those with special entitlements (e.g., Apple software updates and Apple installers) to modify the protected parts of macOS.
The researchers reported that a threat actor could create a specially crafted file that would hijack the installation process.
According to Apple’s advisory, the logical issue can be exploited by an app to modify protected parts of the file system. The IT giant credited Jonathan Bar Or of Microsoft, Anurag Bohra of Microsoft, and Michael Pearse of Microsoft for reporting the flaw.
The researchers pointed out that it is not possible to turn off SIP on a live system. The only way to disable SIP is to restart the system using the recovery OS, which requires physical access to the device.
Only processes signed by Apple or those possessing a special entitlement (a right or privilege that grants an executable particular capabilities), such as Apple software updates and installers, should alter macOS-protected components.
The researchers from Microsoft abused the macOS Migration Assistant utility to bypass SIP protection.
“During a routine malware hunt, we discovered the execution of a binary called drop_sip,” reads the analysis published by Microsoft. “Thinking that we found an exploit in the wild, we found that it’s an Apple-signed binary that resides natively under the /System/Library/PrivateFrameworks/SystemMigrationUtils.framework/Resources/Tools/drop_sip path.”
“Because of this behavior, we concluded the drop_sip process assumes it can bypass SIP. However, since drop_sip is not entitled with any SIP-bypassing entitlements, we concluded that it must inherit that capability. We discovered its parent process is systemmigrationd, which is a daemon designed to handle migration scenarios, but most importantly, it’s entitled with the com.apple.rootless.install.heritable entitlement that allows its child processes to bypass SIP security checks.”
The experts found that the macOS Migration Assistant utility relies on the systemmigrationd daemon, which can bypass SIP because it holds the com.apple.rootless.install.heritable entitlement, and that capability is inherited by its child processes.
The researchers were able to automate the exploit using AppleScript and execute malicious code that runs free of SIP filesystem restrictions, without restarting the system or booting from macOS Recovery.
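The inheritance described above is something a defender can model directly. The following is an added example, not code from Microsoft’s analysis or from this article: a small hunting rule that walks a constructed process tree (the record format, the pids and the paths other than drop_sip are assumptions; real telemetry would come from an EDR or from codesign entitlement dumps) and flags any process that obtains SIP-bypass capability by inheritance from a parent holding the heritable entitlement, unless that child is the expected drop_sip helper.

```python
from dataclasses import dataclass

HERITABLE_SIP = "com.apple.rootless.install.heritable"
# Entitlements that grant a process SIP bypass for itself (non-heritable variant included).
DIRECT_SIP = {"com.apple.rootless.install", HERITABLE_SIP}

@dataclass(frozen=True)
class ProcEvent:
    """One process-spawn record (constructed format, not a real macOS log schema)."""
    pid: int
    ppid: int
    path: str
    entitlements: frozenset = frozenset()

def sip_bypass_reasons(events):
    """Map pid -> why the process can touch SIP-protected paths ("direct" or inherited).
    Inheritance is transitive: a grandchild of an entitled daemon still qualifies,
    but only the heritable entitlement propagates down the tree."""
    by_pid = {e.pid: e for e in events}
    reasons = {}
    for e in events:
        if e.entitlements & DIRECT_SIP:
            reasons[e.pid] = "direct"
            continue
        anc = by_pid.get(e.ppid)
        while anc is not None:
            if HERITABLE_SIP in anc.entitlements:
                reasons[e.pid] = f"inherited from {anc.path}"
                break
            anc = by_pid.get(anc.ppid)
    return reasons

# The only child the article names as legitimately spawned by systemmigrationd.
EXPECTED_HEIRS = {
    "/System/Library/PrivateFrameworks/SystemMigrationUtils.framework/Resources/Tools/drop_sip",
}

def suspicious_heirs(events, expected=EXPECTED_HEIRS):
    """Pids that inherited SIP bypass but are not on the expected-child list."""
    by_pid = {e.pid: e for e in events}
    return sorted(pid for pid, why in sip_bypass_reasons(events).items()
                  if why != "direct" and by_pid[pid].path not in expected)

# Constructed sample tree; systemmigrationd's full path is not given in the article.
SAMPLE_EVENTS = [
    ProcEvent(1, 0, "/sbin/launchd"),
    ProcEvent(200, 1, "systemmigrationd", frozenset({HERITABLE_SIP})),
    ProcEvent(300, 200, next(iter(EXPECTED_HEIRS))),        # expected Apple-signed child
    ProcEvent(301, 200, "/Users/Shared/unknown_helper"),     # constructed: unexpected child
    ProcEvent(302, 301, "/bin/sh"),                          # grandchild still inherits
    ProcEvent(400, 1, "/usr/bin/true"),                      # unrelated process
]
```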
Below is a video PoC that shows the exploitation of the flaw:
The consequences of an arbitrary bypass of System Integrity Protection (SIP) could be very dangerous; malware developers can exploit such a bypass to:
This isn’t the first time that Microsoft has discovered a macOS vulnerability that allows attackers with root privileges to bypass SIP. In October 2021, Microsoft discovered a flaw, dubbed Shrootless (CVE-2021-30892), that can allow attackers to bypass System Integrity Protection (SIP) and perform malicious activities, such as gaining root privileges and installing rootkits on vulnerable devices.
(SecurityAffairs – hacking, macOS)