Pierluigi Paganini May 31, 2023

Apple fixed a vulnerability discovered by Microsoft researchers that lets attackers with root privileges bypass System Integrity Protection (SIP).

Researchers from Microsoft discovered a vulnerability, tracked as CVE-2023-32369 and dubbed Migraine, that can allow attackers with root privileges to bypass System Integrity Protection (SIP).

System Integrity Protection (also referred to as rootless) is a macOS security feature introduced in OS X El Capitan (2015) (OS X 10.11). SIP technology restricts a root user from performing operations that may compromise system integrity.

Once an attacker has bypassed SIP root restrictions it can install “undeletable” and persistent malware and access sensitive data on the device.

By design, SIP only allows processes signed by Apple or those with special entitlements (i.e., Apple software updates and Apple installers) to modify these protected parts of macOS.

The researchers reported that a threat actor could create a specially crafted file that would hijack the installation process.

According to Apple’s advisory, the logical issue can be exploited by an app to modify protected parts of the file system. The IT giant credited Jonathan Bar Or of Microsoft, Anurag Bohra of Microsoft, and Michael Pearse of Microsoft for reporting the flaw.

Apple has addressed the vulnerability with the release of security updates for macOS Ventura 13.4, macOS Monterey 12.6.6, and macOS Big Sur 11.7.7.

The researchers pointed out that it is not possible to turn off SIP on a live system. The only way to disable SIP is to restart the system using the recovery OS, which requires physical access to the device.

Only processes signed by Apple or those possessing a special entitlement (a right or privilege that grants an executable particular capabilities), such as Apple software updates and installers, should alter macOS-protected components.

The researchers from Microsoft abused the macOS Migration Assistant utility to bypass SIP protection.

“During a routine malware hunt, we discovered the execution of a binary called drop_sip” reads the analysis published by Microsoft. “Thinking that we found an exploit in the wild, we found that it’s an Apple-signed binary that resides natively under the /System/Library/PrivateFrameworks/SystemMigrationUtils.framework/Resources/Tools/drop_sip path.”””

“Because of this behavior, we concluded the drop_sip process assumes it can bypass SIP. However, since drop_sip is not entitled with any SIP-bypassing entitlements, we concluded that it must inherit that capability. We discovered its parent process is systemmigrationd, which is a daemon designed to handle migration scenarios, but most importantly, it’s entitled with the com.apple.rootless.install.heritable entitlement that allows its child processes to bypass SIP security checks”

The experts discovered that the macOS Migration Assistant utility uses the systemmigrationd daemon which is able to bypass SIP because it is entitled to the com.apple.rootless.install.heritable entitlement.

The researchers were able to automate the exploit using AppleScript and execute a malicious code that is designed to run without SIP filesystem restrictions without restarting the system and booting from macOS Recovery.

Below is a video PoC that shows the exploitation of the flaw:

https://www.microsoft.com/en-us/videoplayer/embed/RW14MaR

The consequences of arbitrary bypasses of System Integrity Protection (SIP) could be very dangerous, malware developers can exploit it to:

1. Create undeletable malware: Attackers can create files with the “com.apple.rootless” extended attribute or overwrite existing files with it. These files are then protected by SIP and cannot be deleted by ordinary means. Security solutions like Microsoft Defender for Endpoint, which rely on quarantining malware, are unable to quarantine files protected by SIP. This limitation underscores the importance of addressing SIP bypasses to ensure effective malware containment and security measures.
2. Expand the attack surface for userland and kernel attacker techniques: Attackers can gain arbitrary kernel code execution. As Apple slowly disallows third party kernel extensions and transitions the Mac ecosystem towards their Endpoint Security framework, security solutions will no longer be able to monitor the kernel for malicious activity, including malicious code executions.
3. Tamper with the integrity of the system, effectively enabling rootkits: This is a derivation of arbitrary kernel code execution—once kernel code execution is established by an attacker, certain rootkit techniques are possible, such as hiding processes or files from all monitoring tools. These techniques might also include bypassing tamper protection, which is important for Microsoft Defender for Endpoint to protect against threats.
4. Full TCC bypass: attackers could replace databases that control Transparency, Consent, and Control (TCC) policies (TCC.db), thereby enabling unauthorized applications to gain unrestricted access to sensitive data and connected devices.

This isn’t the first time that Microsoft discovered a vulnerability in macOS that can allow attackers with root privileges to bypass SIP. In October 2021, Microsoft discovered a flaw, dubbed Shrootless (CVE-2021-30892), that can allow attackers to bypass System Integrity Protection (SIP) and perform malicious activities, such as gaining root privileges and installing rootkits on vulnerable devices.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, macOS)