Security Experts:

Shrootless: macOS Vulnerability Found by Microsoft Allows Rootkit Installation

Microsoft on Thursday published information on a vulnerability in Apple’s macOS platform that could allow an attacker to bypass System Integrity Protection (SIP) and modify operating system files.

Tracked as CVE-2021-30892 and named “Shrootless” by Microsoft, the vulnerability exists in the method used to install Apple-signed packages with post-install scripts.

To successfully exploit the vulnerability, an attacker needs to create a specially crafted file that would allow them to hijack the installation process of said packages.

Apple introduced SIP in macOS Yosemite to restrict root users from performing actions leading to system integrity compromise, but the newly addressed security error could allow an attacker to install a malicious kernel driver (rootkit), deploy persistent malware, or overwrite system files.

Also referred to as rootless, SIP locks the system from boot time, to keep the platform protected, and can only be modified when the machine is in recovery mode.

Apple also improved SIP restrictions to harden it, but included several exceptions (entitlements) for specific Apple processes, such as system updates, which have unrestricted access to SIP-protected directories.

What Microsoft discovered was that the entitlement for the daemon system_installd allows for child processes to bypass SIP filesystem restrictions.

Such is the case with Apple-signed packages (.pkg files). Should post-install scripts be included in the package, system_installd executes them by invoking the default shell, zsh.

“When zsh starts, it looks for the file /etc/zshenv, and—if found—runs commands from that file automatically, even in non-interactive mode. Therefore, for attackers to perform arbitrary operations on the device, a fully reliable path they could take would be to create a malicious /etc/zshenv file and then wait for system_installd to invoke zsh,” Microsoft explains.

The tech giant also explains that zshenv could be abused as a general attack technique, given that there’s an equivalent of /etc/zshenv for each user, “which has the same function and behavior but doesn’t require root permissions to write to.”

Apple addressed the vulnerability with the macOS Big Sur 11.6.1 update, which started rolling out on October 26, containing patches for 23 other vulnerabilities. This week Apple also released iOS 15.1 and iPadOS 15.1, with patches for 22 security flaws.

Related: PoC Exploit Released for macOS Gatekeeper Bypass

Related: Apple Ships iOS 15 with MFA Code Generator

Related: Apple Patches Recent Sudo Vulnerability in macOS

view counter