Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Endpoint Security

Shrootless: macOS Vulnerability Found by Microsoft Allows Rootkit Installation

Microsoft on Thursday published information on a vulnerability in Apple’s macOS platform that could allow an attacker to bypass System Integrity Protection (SIP) and modify operating system files.

Microsoft on Thursday published information on a vulnerability in Apple’s macOS platform that could allow an attacker to bypass System Integrity Protection (SIP) and modify operating system files.

Tracked as CVE-2021-30892 and named “Shrootless” by Microsoft, the vulnerability exists in the method used to install Apple-signed packages with post-install scripts.

To successfully exploit the vulnerability, an attacker needs to create a specially crafted file that would allow them to hijack the installation process of said packages.

Apple introduced SIP in macOS Yosemite to restrict root users from performing actions leading to system integrity compromise, but the newly addressed security error could allow an attacker to install a malicious kernel driver (rootkit), deploy persistent malware, or overwrite system files.

Also referred to as rootless, SIP locks the system from boot time, to keep the platform protected, and can only be modified when the machine is in recovery mode.

Apple also improved SIP restrictions to harden it, but included several exceptions (entitlements) for specific Apple processes, such as system updates, which have unrestricted access to SIP-protected directories.

What Microsoft discovered was that the entitlement for the daemon system_installd allows for child processes to bypass SIP filesystem restrictions.

Such is the case with Apple-signed packages (.pkg files). Should post-install scripts be included in the package, system_installd executes them by invoking the default shell, zsh.

Advertisement. Scroll to continue reading.

“When zsh starts, it looks for the file /etc/zshenv, and—if found—runs commands from that file automatically, even in non-interactive mode. Therefore, for attackers to perform arbitrary operations on the device, a fully reliable path they could take would be to create a malicious /etc/zshenv file and then wait for system_installd to invoke zsh,” Microsoft explains.

The tech giant also explains that zshenv could be abused as a general attack technique, given that there’s an equivalent of /etc/zshenv for each user, “which has the same function and behavior but doesn’t require root permissions to write to.”

Apple addressed the vulnerability with the macOS Big Sur 11.6.1 update, which started rolling out on October 26, containing patches for 23 other vulnerabilities. This week Apple also released iOS 15.1 and iPadOS 15.1, with patches for 22 security flaws.

Related: PoC Exploit Released for macOS Gatekeeper Bypass

Related: Apple Ships iOS 15 with MFA Code Generator

Related: Apple Patches Recent Sudo Vulnerability in macOS

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join the session as we discuss the challenges and best practices for cybersecurity leaders managing cloud identities.

Register

SecurityWeek’s Ransomware Resilience and Recovery Summit helps businesses to plan, prepare, and recover from a ransomware incident.

Register

Expert Insights

Related Content

Vulnerabilities

Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Data Breaches

OpenAI has confirmed a ChatGPT data breach on the same day a security firm reported seeing the use of a component affected by an...

IoT Security

A group of seven security researchers have discovered numerous vulnerabilities in vehicles from 16 car makers, including bugs that allowed them to control car...

Vulnerabilities

A researcher at IOActive discovered that home security systems from SimpliSafe are plagued by a vulnerability that allows tech savvy burglars to remotely disable...

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...

Cybercrime

Patch Tuesday: Microsoft calls attention to a series of zero-day remote code execution attacks hitting its Office productivity suite.

Vulnerabilities

Patch Tuesday: Microsoft warns vulnerability (CVE-2023-23397) could lead to exploitation before an email is viewed in the Preview Pane.

Vulnerabilities

The latest Chrome update brings patches for eight vulnerabilities, including seven reported by external researchers.