Shrootless lets hackers install macOS rootkits

LASER_oneXM · Oct 28, 2021

Attackers could use a new macOS vulnerability discovered by Microsoft to bypass System Integrity Protection (SIP) and perform arbitrary operations, elevate privileges to root, and install rootkits on vulnerable devices.

The Microsoft 365 Defender Research Team reported the vulnerability dubbed Shrootless (now tracked as CVE-2021-30892) to Apple by via the Microsoft Security Vulnerability Research (MSVR).

SIP (also known as rootless) is a macOS security technology that blocks potentially malicious software from modifying protected folders and files by restricting the root user account and limiting the actions it can perform on protected parts of the OS.

By design, SIP only allows processes signed by Apple or those with special entitlements (i.e., Apple software updates and Apple installers) to modify these protected parts of macOS.

enaph · Oct 28, 2021

It has already been patched with latest macOS 12.0.1 update:

Available for: Mac Pro (2013 and later), MacBook Air (Early 2015 and later), MacBook Pro (Early 2015 and later), Mac mini (Late 2014 and later), iMac (Late 2015 and later), MacBook (Early 2016 and later), iMac Pro (2017 and later)

Impact: A malicious application may be able to modify protected parts of the file system

Description: An inherited permissions issue was addressed with additional restrictions.

CVE-2021-30892: Jonathan Bar Or of Microsoft

About the security content of macOS Monterey 12.0.1

The_King · Oct 29, 2021

Microsoft on Thursday disclosed details of a new vulnerability that could allow an attacker to bypass security restrictions in macOS and take complete control of the device to perform arbitrary operations on the device without getting flagged by traditional security solutions.

Dubbed "Shrootless" and tracked as CVE-2021-30892, the "vulnerability lies in how Apple-signed packages with post-install scripts are installed," Microsoft 365 Defender Research Team's Jonathan Bar Or said in a technical write-up. "A malicious actor could create a specially crafted file that would hijack the installation process."

System Integrity Protection (SIP) aka "rootless" is a security feature introduced in OS X El Capitan that's designed to protect the macOS operating system by restricting a root user from executing unauthorized code or performing operations that may compromise system integrity.

Specifically, SIP allows modification of protected parts of the system — such as /System, /usr, /bin, /sbin, and /var — only by processes that are signed by Apple or those that have special entitlements to write to system files, like Apple software updates and Apple installers, while also automatically authorizing apps that are downloaded from the Mac App Store.

Microsoft's investigation into the security technology looked at macOS processes entitled to bypass SIP protections, leading to the discovery of a software installation daemon called "system_installd" that enables any of its child processes to completely circumvent SIP filesystem restrictions.

Thus when an Apple-signed package is being installed, it invokes the system_installd daemon, and any post-install scripts contained in the package is executed by invoking a default shell, which is Z shell (zsh) on macOS.

"Interestingly, when zsh starts, it looks for the file /etc/zshenv, and — if found — runs commands from that file automatically, even in non-interactive mode," Bar Or said. "Therefore, for attackers to perform arbitrary operations on the device, a fully reliable path they could take would be to create a malicious /etc/zshenv file and then wait for system_installd to invoke zsh."

Successful exploitation of CVE-2021-30892 could enable a malicious application to modify protected parts of the file system, including the capability to install malicious kernel drivers (aka rootkits), overwrite system files, or install persistent, undetectable malware. Apple said it remediated the problem with additional restrictions as part of security updates pushed on October 26, 2021.

"Security technology like SIP in macOS devices serves both as the device's built-in baseline protection and the last line of defense against malware and other cybersecurity threats," Bar Or said. "Unfortunately, malicious actors continue to find innovative ways of breaching these barriers for these very same reasons."