Security Experts:

Connect with us

Hi, what are you looking for?



Privilege Escalation Flaw in OS X Allows SIP Bypass

SentinelOne lead OS X security expert Pedro Vilaça discovered a serious local privilege escalation vulnerability in OS X that can be leveraged to bypass Apple’s recently introduced System Integrity Protection (SIP) feature.

SentinelOne lead OS X security expert Pedro Vilaça discovered a serious local privilege escalation vulnerability in OS X that can be leveraged to bypass Apple’s recently introduced System Integrity Protection (SIP) feature.

The flaw was first discovered by Vilaça in early 2015, but it was only reported to Apple in January 2016. According to the researcher, the issue affects all versions of OS X, but it was only patched by the vendor in El Capitan with the release of version 10.11.4 on March 21.

The vulnerability, identified by Apple as CVE-2016-1757, has been described by Vilaça as a non-memory corruption bug that plagues the OS X kernel. The security hole can be exploited to execute arbitrary code on any binary, and it allows hackers to bypass System Integrity Protection (SIP), a technology introduced in El Capitan to help prevent potentially malicious software from modifying protected files and folders on the system.

The researcher said the SIP feature can be bypassed using the vulnerability without compromising the kernel itself, which makes the exploit very reliable and stable (i.e. it does not crash devices or processes). The flaw allows an attacker to leverage any binary for privilege escalation and steal their entitlements. This can be exploited to bypass SIP from userland and, for instance, ensure that a piece of malware is persistent on the system.

In order to exploit the vulnerability, an attacker must first figure out a way to compromise the targeted system – a task that can be accomplished via a spear-phishing attack or by exploiting a flaw in the victim’s browser, the expert said.

“The vulnerability is very easy to exploit if an attacker is able to run code on the system. The exploit is extremely reliable (100%). It could be part of a bug chain that exploits a browser like Safari or Chrome,” Vilaça told SecurityWeek.

“Initially, the exploit could be used to achieve code execution and sandbox escapes. Then to escalate privileges to root and/or bypass System Integrity Protection to achieve persistency,” the expert added. “Also, a fake Flash update regularly used to distribute malware could be leveraged to further compromise systems.”

Vilaça said he considers this exploit to be critical, but not “extreme,” as it’s a local exploit. “It really depends on the attack scenario, but its advantage is being extremely reliable,” the expert noted.

According to the researcher, this type of exploit could be used in highly targeted or state-sponsored attacks.

The details of the vulnerability have been disclosed today by Vilaça at the SysCan360 conference in Singapore. It’s worth noting that in addition to Vilaça, Apple credited Ian Beer of Google Project Zero for reporting CVE-2016-1757, which it described as a race condition that exists during the creation of new processes.

Vilaça told SecurityWeek that he has developed a fully-working proof-of-concept (PoC) exploit for the vulnerability, but he’s unsure if it will be made public considering that a patch is only available for OS X El Capitan. However, the researcher believes someone else might release the exploit following his presentation at SysCan360.

The updates released by Apple this week also patch a serious cryptography issue that can be exploited under certain circumstances to decrypt iMessage attachments.

Related Reading: EFI Zero-Day Exposes Macs to Rootkit Attacks

Related Reading: Apple Failed to Properly Fix “Rootpipe” Bug in OS X

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this webinar to learn best practices that organizations can use to improve both their resilience to new threats and their response times to incidents.


Join this live webinar as we explore the potential security threats that can arise when third parties are granted access to a sensitive data or systems.


Expert Insights

Related Content


Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...


Apple has released updates for macOS, iOS and Safari and they all include a WebKit patch for a zero-day vulnerability tracked as CVE-2023-23529.

Application Security

Drupal released updates that resolve four vulnerabilities in Drupal core and three plugins.

Cloud Security

VMware vRealize Log Insight vulnerability allows an unauthenticated attacker to take full control of a target system.

IoT Security

Lexmark warns of a remote code execution (RCE) vulnerability impacting over 120 printer models, for which PoC code has been published.

Application Security

A CSRF vulnerability in the source control management (SCM) service Kudu could be exploited to achieve remote code execution in multiple Azure services.


GoAnywhere MFT users warned about a zero-day remote code injection exploit that can be targeted directly from the internet