Microsoft discovered a vulnerability in macOS, dubbed Shrootless (CVE-2021-30892), that can allow attackers to bypass System Integrity Protection (SIP) and perform malicious activities, such as gaining root privileges and installing rootkits on vulnerable devices.
System Integrity Protection is a macOS security feature introduced in OS X El Capitan (OS X 10.11, 2015). SIP restricts even the root user from performing operations that may compromise system integrity.
The flaw was reported to Apple through Microsoft Security Vulnerability Research (MSVR). SIP only allows processes signed by Apple, or those carrying special entitlements, to modify the protected parts of the macOS filesystem.
While assessing macOS processes entitled to bypass SIP protections, we came across the daemon system_installd, which has the powerful com.apple.rootless.install.inheritable entitlement. With this entitlement, any child process of system_installd would be able to bypass SIP filesystem restrictions altogether.
Microsoft experts discovered the Shrootless flaw after noticing that the system_installd daemon held the com.apple.rootless.install.inheritable entitlement, which allows any of its child processes to fully bypass SIP filesystem restrictions. Apple addressed the flaw with the release of security updates on October 26.
Microsoft's proof-of-concept (PoC) exploit, which overrides the kernel extension exclusion list, follows these steps:
- Download an Apple-signed package (using wget) that is known to have a post-install script
- Plant a malicious /etc/zshenv that would check for its parent process; if it’s system_installd, then it would write to restricted locations
- Invoke the installer utility to install the package
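The injection point in the steps above is a zsh startup file that a privileged installer's post-install shell sources. The script below is an added detection example written for this article; it is not Microsoft's PoC and not Apple's code. It audits the system-wide zsh startup files in a given directory (on a real host that would be /etc), reports any that are non-empty and not in a known-good baseline, and flags world-writable ones. It assumes a POSIX sh with either sha256sum (Linux) or shasum (macOS) available; the directory and baseline file passed to it are parameters, not fixed paths.

```shell
#!/bin/sh
# Added example (not from the original article or from Microsoft/Apple):
# audit zsh startup files for unexpected content. Assumes POSIX sh and
# sha256sum or shasum on PATH.

# Files zsh reads from the system configuration directory. /etc/zshenv is
# read by every zsh, including non-interactive shells that run scripts,
# which is why it is the file the advisory singles out.
ZSH_STARTUP_FILES="zshenv zprofile zshrc zlogin"

# sha256_of FILE: print the hex SHA-256 of FILE, portable across Linux/macOS.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# audit_zsh_startup DIR [BASELINE]
# Prints one finding per line as "<path> <reason> [<sha256>]".
# BASELINE is an optional file of "<sha256> <name>" lines describing
# known-good content; a non-empty startup file whose hash is not listed
# is reported. Returns 0 when nothing was reported, 1 otherwise.
audit_zsh_startup() {
    dir=$1
    baseline=${2:-}
    findings=0
    for name in $ZSH_STARTUP_FILES; do
        f="$dir/$name"
        [ -e "$f" ] || continue

        # A world-writable startup file lets any local user plant commands
        # that root's installer shells will execute.
        if [ -n "$(find "$f" -perm -o+w 2>/dev/null)" ]; then
            echo "$f world-writable"
            findings=1
        fi

        # An empty file executes nothing; only non-empty content is checked.
        [ -s "$f" ] || continue

        hash=$(sha256_of "$f")
        if [ -n "$baseline" ] && grep -qxF "$hash $name" "$baseline"; then
            continue   # content matches the recorded known-good hash
        fi
        echo "$f unexpected-content $hash"
        findings=1
    done
    return $findings
}

# Stand-alone use: audit /etc against an optional baseline file.
# Example: sh audit_zsh.sh /etc /var/db/zsh-startup.baseline
if [ "${1:-}" != "" ]; then
    audit_zsh_startup "$1" "${2:-}"
fi
```

A baseline is simply the output of sha256_of for each startup file on a freshly provisioned host, written as "hash name" lines; comparing against it turns a one-off inspection into something that can run from a scheduled job and alert on drift.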