Microsoft on Thursday disclosed particulars of a new vulnerability that could enable an attacker to bypass protection restrictions in macOS and just take complete command of the device to carry out arbitrary functions on the product with no receiving flagged by regular stability answers.
Dubbed “Shrootless” and tracked as CVE-2021-30892, the “vulnerability lies in how Apple-signed packages with write-up-put in scripts are put in,” Microsoft 365 Defender Investigate Team’s Jonathan Bar Or claimed in a technological publish-up. “A malicious actor could make a specifically crafted file that would hijack the installation method.”
Process Integrity Safety (SIP) aka “rootless” is a protection function introduced in OS X El Capitan which is intended to shield the macOS running process by limiting a root consumer from executing unauthorized code or doing operations that might compromise program integrity.
Specifically, SIP lets modification of safeguarded parts of the technique — this kind of as /Procedure, /usr, /bin, /sbin, and /var — only by processes that are signed by Apple or those that have specific entitlements to compose to procedure information, like Apple software package updates and Apple installers, whilst also immediately authorizing apps that are downloaded from the Mac Application Retailer.
Microsoft’s investigation into the safety know-how looked at macOS procedures entitled to bypass SIP protections, major to the discovery of a program installation daemon called “technique_installd” that allows any of its kid procedures to fully circumvent SIP filesystem restrictions.
Hence when an Apple-signed deal is currently being put in, it invokes the technique_installd daemon, and any write-up-set up scripts contained in the package is executed by invoking a default shell, which is Z shell (zsh) on macOS.
“Curiously, when zsh commences, it seems to be for the file /etc/zshenv, and — if observed — operates commands from that file mechanically, even in non-interactive mode,” Bar Or explained. “As a result, for attackers to carry out arbitrary operations on the product, a totally trustworthy route they could acquire would be to build a malicious /and many others/zshenv file and then wait around for method_installd to invoke zsh.”
Successful exploitation of CVE-2021-30892 could enable a destructive software to modify secured sections of the file program, which include the capability to put in malicious kernel drivers (aka rootkits), overwrite process data files, or set up persistent, undetectable malware. Apple mentioned it remediated the problem with supplemental limits as component of security updates pushed on Oct 26, 2021.
“Protection know-how like SIP in macOS units serves each as the device’s created-in baseline defense and the past line of defense versus malware and other cybersecurity threats,” Bar Or said. “Sadly, destructive actors go on to obtain modern methods of breaching these limitations for these incredibly same explanations.”