The code to bypass Apple System Integrity Protection security mechanism fits in a Tweet

Pierluigi Paganini March 31, 2016

Apple failed in fixing the System Integrity Protection security mechanism and the exploits code released by a researcher fits in a Tweet .

Last week security media reported a critical privilege escalation flaw (CVE-2016-1757) in the Apple System Integrity Protection (SIP) security mechanism, a vulnerability that was present at the time of the discovery in all the version of the OS X operating system.

This week, Apple issued a security update of OS X El Capitan 10.11.4 and iOS 9.3 to solve the problem, but according to the experts is was ineffective in fixing the privilege escalation vulnerability.

The flaw was discovered by the security researcher Pedro Vilaça from SentinelOne and exposes more than 130 Million Apple customers at risk of hack. The attackers can exploit the flaw for various purposes, for example, the vulnerability could be exploited in a multi-stage attack in which crooks have already compromised the target system and use the flaw to gain persistence on compromised devices.

The SIP is a security mechanism implemented by Apple in the OS X El Capitan operating system for the protection of certain system processes, files and folders from being modified or tampered with by other processes, even when they are executed by a user with root privileges.

System Integrity Protection SIP bypass OS X El Capitan

According to the experts at SentinelOne the flaw allows circumventing the SIP technology bypassing the key security feature without kernel exploits. Now Apple issued a security patch for both OS X El Capitan 10.11.4 and iOS 9.3, but it seems that the update is ineffective, causing the users’ disappointment.

The critical privilege escalation vulnerability in the System Integrity Protection still affects the most recent version of OS for both Macs and iThings.

The popular researcher Stefan Esser, has published a new exploit code to bypass latest patched version of the System Integrity Protection application, and the interesting part is the dimension of the code that fits in a Tweet.

You’ve heard it right, according to the Esser this isn’t the unique flaw affecting the SIP, and most of them are still unfixed.

Stefan Esser of German security biz SektionEins also gave a talk at this year’s SyScan360 during which he highlighted a bunch of SIP-related vulnerabilities. Esser told The Register “everything in my slides is unfixed” by Apple in the latest version of OS X 10.11 except for two flaws: the kas_info syscall and a malicious mount.” reported El Reg.

“The evil mount worked by mounting a file system over /System and replacing supposedly SIP-protected core OS utilities with attacker-controlled ones (yes, that really worked). It was fixed in OS X 10.11.2. “

ln -s /S*/*/E*/A*Li*/*/I* /dev/diskX;fsck_cs /dev/diskX 1>&-;touch /Li*/Ex*/;reboot

The above code expands to:

ln -s /System/Library/Extensions/AppleKextExcludeList.kext/Contents/Info.plist /dev/diskX
fsck_cs /dev/diskX 1>&-
touch /Library/Extensions/

Let’s hope Apple would fix all the open SIP issues as soon as possible.

Pierluigi Paganini

Security Affairs –  (System Integrity Protection, SIP, hacking)

you might also like

leave a comment