The Apple System Integrity Protection feature bypassed

Security researchers from SentinelOne have discovered a security vulnerability affecting the Apple System Integrity Protection (SIP).

Security researcher Pedro Vilaça from SentinelOne has discovered a security vulnerability ( CVE-2016-1757) affecting the Apple System Integrity Protection (SIP).

The SIP is a security mechanism implemented by Apple in the OS X El Capitan operating system for the protection of certain system processes, files and folders from being modified or tampered with by other processes, even when they are executed by a user with root privileges.

“System Integrity Protection is a security technology in OS X El Capitan that’s designed to help prevent potentially malicious software from modifying protected files and folders on your Mac.” states a blog post published by Apple.

“System Integrity Protection restricts the root account and limits the actions that the root user can perform on protected parts of OS X.”

According to the experts at SentinelOne the flaw allows circumventing the SIP technology. This vulnerability is a non-memory corruption bug that exists in every version of OS X and allows users to execute arbitrary code on any binary. It can bypass a key security feature of the latest version of OS X, El Capitan, the System Integrity Protection (SIP) without kernel exploits.

The exploit is very stable because the SIP feature can be bypassed triggering the flaw without compromising the kernel.

“This vulnerability is a non-memory corruption bug that exists in every version of OS X and allows users to execute arbitrary code on any binary. It can bypass a key security feature of the latest version of OS X, El Capitan, the System Integrity Protection (SIP) without kernel exploits.”

The attackers can exploit the flaw for various purposes, for example, the vulnerability could be exploited in a multi-stage attack in which crooks have already compromised the target system and use the flaw to gain persistence on compromised devices.

In order to exploit the vulnerability, an attacker must first figure out a way to compromise the targeted system – a task that can be accomplished via a spear-phishing attack or by exploiting a flaw in the victim’s browser, the expert said.

“The vulnerability is very easy to exploit if an attacker is able to run code on the system. The exploit is extremely reliable (100%). It could be part of a bug chain that exploits a browser like Safari or Chrome,” Vilaça explained to SecurityWeek.

SentinelOne confirmed that it isn’t aware of any attack in the wild that exploited the flaw to date.

Such kind of attacks are very insidious and difficult to detect, there is the concrete risk that nation-state hackers can leverage on this exploit in their attacks. Vilaça said he wasn’t aware of any malicious exploitation of the vulnerability to date while adding the caveat that attacks would be difficult to detect.

The flaw affects every version of Apple’s OS X desktop operating system, Apple has begun to issue security patches.

“The bug was patched with El Capitan 10.11.4 and iOS 9.3,” according to Vilaça. “Other versions do not appear to have a patch for this specific bug from Apple’s Security Bulletin, meaning they are left vulnerable to this specific bug.”

Vilaça will provide details about the SIP bypass technique today at the SysCan360 2016 security conference.

Pierluigi Paganini

Security Affairs –  (System Integrity Protection, SIP, hacking)