Microsoft researchers have discovered a vulnerability in macOS, dubbed Shrootless, that can allow attackers to bypass System Integrity Protection (SIP) and perform malicious activities, such as gaining root privileges and installing rootkits on vulnerable devices.
Microsoft reported the Shrootless attack to Apple’s security team earlier this year, together with a proof-of-concept that showed how the bug could be abused to install a malicious kernel extension (rootkit).
What is SIP?
SIP which is also known as “rootless” is designed to lock down the system from root by leveraging the Apple sandbox to protect the entire platform. Being able to bypass SIP basically gives the attacker full control of the system, because they can run arbitrary code without the protection kicking in.
Step by step, Apple has hardened SIP over the years against attacks by improving and finetuning the restrictions. One of the most effective SIP restrictions is the filesystem restriction. Without these restrictions, an attacker would be able to access and drop files in an area of the file system that is not intended for application files. The amount of damage an attacker can do to a device’s critical components is directly based on their ability to write unrestricted data to disk.
Since the filesystem restrictions are so powerful, Apple had to implement some exceptions. One of those exceptions is the daemon system_installd, which has the powerful com.apple.rootless.install.inheritable entitlement. With this entitlement, any child process of system_installd would be able to bypass SIP filesystem restrictions altogether.
The Shrootless vulnerability could be used by an attacker to modify protected parts of the file system by abusing inherited permissions. Microsoft shared its findings with Apple through Coordinated Vulnerability Disclosure (CVD). The vulnerability exists in the macOS Big Sur and Monterey operating systems and was patched by Apple on October 25, 2021.
Publicly disclosed computer security flaws are listed in the Common Vulnerabilities and Exposures (CVE) database. Its goal is to make it easier to share data across separate vulnerability capabilities (tools, databases, and services). Shrootless is listed under CVE-2021-30892.
The researchers found that during the installation process of a new application, an attacker could hijack the installation process by creating a specially crafted post-installation script and placing it in the location where the installation process looks for the post-installation script.
The gritty details
The method to use this vulnerability is pretty straightforward.
- Download an Apple-signed package (using wget) that is known to have a post-install script. When installing an Apple-signed package (.pkg file), the said package invokes system_installd, which then takes charge of installing the former.
- Plant a malicious /etc/zshenv that would check for its parent process. If it’s system_installd, then it would be able to write to restricted locations. If the package that is being installed contains any post-install scripts, system_installd runs them by invoking a default shell, which is zsh on macOS. Interestingly, when zsh starts, it looks for the file /etc/zshenv, and runs commands from that file automatically, if it exists.
- Invoke the installer utility to install the package. This will invoke system_installd and because we used a package with a post-install script, zsh is invoked and executes the commands in the file we planted.
This way the Shrootless attack bypasses the SIP and effectively gives the attacker root access. As you will understand from this description the attacker will need some access to the system to begin with or they will not be able to plant the necessary /etc/zshenv.
The easiest and best way to avoid falling victim to this vulnerability is to update to macOS Big Sur 11.6.1 or better.
Stay safe, everyone!