SentinelOne lead OS X security expert Pedro Vilaça discovered a serious local privilege escalation vulnerability in OS X that can be leveraged to bypass Apple’s recently introduced System Integrity Protection (SIP) feature.
The flaw was first discovered by Vilaça in early 2015, but it was only reported to Apple in January 2016. According to the researcher, the issue affects all versions of OS X, but it was only patched by the vendor in El Capitan with the release of version 10.11.4 on March 21.
The vulnerability, identified by Apple as CVE-2016-1757, has been described by Vilaça as a non-memory corruption bug that plagues the OS X kernel. The security hole can be exploited to execute arbitrary code on any binary, and it allows hackers to bypass System Integrity Protection (SIP), a technology introduced in El Capitan to help prevent potentially malicious software from modifying protected files and folders on the system.
The researcher said the SIP feature can be bypassed using the vulnerability without compromising the kernel itself, which makes the exploit very reliable and stable (i.e. it does not crash devices or processes). The flaw allows an attacker to leverage any binary for privilege escalation and steal its entitlements. This can be exploited to bypass SIP from userland and, for instance, ensure that a piece of malware is persistent on the system.
In order to exploit the vulnerability, an attacker must first figure out a way to compromise the targeted system – a task that can be accomplished via a spear-phishing attack or by exploiting a flaw in the victim’s browser, the expert said.
“The vulnerability is very easy to exploit if an attacker is able to run code on the system. The exploit is extremely reliable (100%). It could be part of a bug chain that exploits a browser like Safari or Chrome,” Vilaça told SecurityWeek.
“Initially, the exploit could be used to achieve code execution and sandbox escapes. Then to escalate privileges to root and/or bypass System Integrity Protection to achieve persistency,” the expert added. “Also, a fake Flash update regularly used to distribute malware could be leveraged to further compromise systems.”
Vilaça said he considers this exploit to be critical, but not “extreme,” as it’s a local exploit. “It really depends on the attack scenario, but its advantage is being extremely reliable,” the expert noted.
According to the researcher, this type of exploit could be used in highly targeted or state-sponsored attacks.
The details of the vulnerability have been disclosed today by Vilaça at the SysCan360 conference in Singapore. It’s worth noting that in addition to Vilaça, Apple credited Ian Beer of Google Project Zero for reporting CVE-2016-1757, which it described as a race condition that exists during the creation of new processes.
Vilaça told SecurityWeek that he has developed a fully working proof-of-concept (PoC) exploit for the vulnerability, but he’s unsure if it will be made public considering that a patch is only available for OS X El Capitan. However, the researcher believes someone else might release the exploit following his presentation at SysCan360.
The updates released by Apple this week also patch a serious cryptography issue that can be exploited under certain circumstances to decrypt iMessage attachments.

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
