Security Experts:

Connect with us

Hi, what are you looking for?


Endpoint Security

Shrootless: macOS Vulnerability Found by Microsoft Allows Rootkit Installation

Microsoft on Thursday published information on a vulnerability in Apple’s macOS platform that could allow an attacker to bypass System Integrity Protection (SIP) and modify operating system files.

Microsoft on Thursday published information on a vulnerability in Apple’s macOS platform that could allow an attacker to bypass System Integrity Protection (SIP) and modify operating system files.

Tracked as CVE-2021-30892 and named “Shrootless” by Microsoft, the vulnerability exists in the method used to install Apple-signed packages with post-install scripts.

To successfully exploit the vulnerability, an attacker needs to create a specially crafted file that would allow them to hijack the installation process of said packages.

Apple introduced SIP in macOS Yosemite to restrict root users from performing actions leading to system integrity compromise, but the newly addressed security error could allow an attacker to install a malicious kernel driver (rootkit), deploy persistent malware, or overwrite system files.

Also referred to as rootless, SIP locks the system from boot time, to keep the platform protected, and can only be modified when the machine is in recovery mode.

Apple also improved SIP restrictions to harden it, but included several exceptions (entitlements) for specific Apple processes, such as system updates, which have unrestricted access to SIP-protected directories.

What Microsoft discovered was that the entitlement for the daemon system_installd allows for child processes to bypass SIP filesystem restrictions.

Such is the case with Apple-signed packages (.pkg files). Should post-install scripts be included in the package, system_installd executes them by invoking the default shell, zsh.

“When zsh starts, it looks for the file /etc/zshenv, and—if found—runs commands from that file automatically, even in non-interactive mode. Therefore, for attackers to perform arbitrary operations on the device, a fully reliable path they could take would be to create a malicious /etc/zshenv file and then wait for system_installd to invoke zsh,” Microsoft explains.

The tech giant also explains that zshenv could be abused as a general attack technique, given that there’s an equivalent of /etc/zshenv for each user, “which has the same function and behavior but doesn’t require root permissions to write to.”

Apple addressed the vulnerability with the macOS Big Sur 11.6.1 update, which started rolling out on October 26, containing patches for 23 other vulnerabilities. This week Apple also released iOS 15.1 and iPadOS 15.1, with patches for 22 security flaws.

Related: PoC Exploit Released for macOS Gatekeeper Bypass

Related: Apple Ships iOS 15 with MFA Code Generator

Related: Apple Patches Recent Sudo Vulnerability in macOS

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this webinar to learn best practices that organizations can use to improve both their resilience to new threats and their response times to incidents.


Join this live webinar as we explore the potential security threats that can arise when third parties are granted access to a sensitive data or systems.


Expert Insights

Related Content


Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...


Apple has released updates for macOS, iOS and Safari and they all include a WebKit patch for a zero-day vulnerability tracked as CVE-2023-23529.

Application Security

Drupal released updates that resolve four vulnerabilities in Drupal core and three plugins.

Cloud Security

VMware vRealize Log Insight vulnerability allows an unauthenticated attacker to take full control of a target system.

Application Security

A CSRF vulnerability in the source control management (SCM) service Kudu could be exploited to achieve remote code execution in multiple Azure services.

IoT Security

Lexmark warns of a remote code execution (RCE) vulnerability impacting over 120 printer models, for which PoC code has been published.


GoAnywhere MFT users warned about a zero-day remote code injection exploit that can be targeted directly from the internet