Microsoft reviews SIP-bypassing “Shrootless” vulnerability in macOS



The worm says, “I’ve got root!” Andreus / Getty Images

The Microsoft 365 Defender Research Team published a blog post yesterday describing a newly discovered macOS vulnerability that can abuse entitlement inheritance in macOS’s System Integrity Protection (SIP) to allow execution of arbitrary code with root-level privilege. The vulnerability is listed as CVE-2021-30892 and has been given the nickname “Shrootless.”
To explain how Shrootless works, we need to review how SIP functions. Introduced back in 2015 with OS X 10.11 El Capitan (and explained in detail on pages 8 and 9 of our review), SIP attempts to eliminate an entire class of vulnerabilities (or at least neuter their effectiveness) by adding kernel-level protections against altering certain files on disk and certain processes in memory, even with root privilege. These protections are (roughly) inviolable unless one disables SIP, which can’t be done without rebooting into recovery mode and executing a terminal command.
The Shrootless exploit takes advantage of the fact that, while root privilege is no longer sufficient to change important system files, the kernel itself still can—and does—alter protected locations as needed. The most obvious example is when installing an application. Apple-signed application installation packages have the ability to do things normally prohibited by SIP, and that is where Shrootless slides in.
Unintended consequences
As explained by Microsoft Senior Security Researcher Jonathan Bar Or in a blog post, SIP must be able to temporarily grant installer packages immunity from SIP in order to install things, and it does this by handing down that temporary immunity via a built-in inheritance system:

While assessing macOS processes entitled to bypass SIP protections, we came across the daemon system_installd, which has the powerful com.apple.rootless.install.inheritable entitlement. With this entitlement, any child process of system_installd would be able to bypass SIP filesystem restrictions altogether.
That by itself isn’t too terrifying, since on a normal day, there shouldn’t be anything scary forked off of the system_installd daemon. However, as Bar Or’s post notes, some installation packages contain post-install scripts, and macOS runs these post-install scripts by spawning an instance of the default system shell, which, as of Catalina, is zsh. When a zsh instance is spawned by the installer, it automatically runs its startup file at /etc/zshenv—and that’s the problem, because if an attacker has previously modified that file, whatever changes the attacker made are executed by zsh with the com.apple.rootless.install.inheritable entitlement.
Bar Or sums things up thusly:
Normally, zshenv could be used as the following:

A persistence mechanism. It could simply wait for zsh to start (either globally under /etc or per user).
An elevation of privilege mechanism. The home directory doesn’t change when an admin user elevates to root using sudo -s or sudo <command>. Thus, placing a ~/.zshenv file as the admin and waiting for the admin to use sudo later would trigger the ~/.zshenv file, hence elevating to root.

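The two files named above, /etc/zshenv and ~/.zshenv, are the places a defender would want to watch, since on a normal machine neither should contain anything that executes. The following audit script is an added example written for this article; it is not code from Ars Technica, Microsoft, or Apple. It assumes a POSIX sh with grep and a stat command that accepts either the GNU -c or the BSD/macOS -f format flag, and it treats any non-blank, non-comment line, or a file writable by group or others, as something worth reviewing.

```shell
#!/bin/sh
# Added example (not from the article or Microsoft's post): a defender-side
# audit of the zsh startup files the Shrootless write-up names. /etc/zshenv
# runs for every zsh instance on the machine, including shells spawned by
# installers; ~/.zshenv runs for one user. Neither should normally carry code.
# Assumptions: POSIX sh, grep, and a stat that accepts GNU -c or BSD -f.

# audit_zshenv_file PATH
#   Prints one verdict line. Returns 0 if the file is absent or holds only
#   blank/comment lines with owner-only write permission, 1 if it contains
#   lines zsh would execute or is writable by group/others.
audit_zshenv_file() {
  f="$1"
  if [ ! -e "$f" ]; then
    printf 'OK      %s: absent\n' "$f"
    return 0
  fi

  # Lines that are neither blank nor pure comments are what zsh will run.
  # grep -c prints 0 (and exits 1) when nothing matches, hence "|| true".
  live=$(grep -cvE '^[[:space:]]*(#|$)' "$f" || true)
  live=${live:-0}

  # Octal permission bits: try GNU stat first, then BSD/macOS stat.
  mode=$(stat -c '%a' "$f" 2>/dev/null || stat -f '%Lp' "$f" 2>/dev/null)
  loose=0
  case "$mode" in
    *[2367])      loose=1 ;;   # last digit: others can write
    *[2367][0-7]) loose=1 ;;   # second-to-last digit: group can write
  esac

  if [ "$live" -eq 0 ] && [ "$loose" -eq 0 ]; then
    printf 'OK      %s: no executable lines, mode %s\n' "$f" "$mode"
    return 0
  fi
  printf 'REVIEW  %s: %s executable line(s), mode %s\n' "$f" "$live" "$mode"
  return 1
}

# Stand-alone usage: check the system-wide file and the current user's file.
for p in /etc/zshenv "${HOME:-/root}/.zshenv"; do
  audit_zshenv_file "$p" || :
done
```

Running it on a fleet, or from a scheduled job, turns the "has anyone touched zshenv" question into a single line per file; a REVIEW verdict is not proof of compromise, but on a system where nobody intentionally customized zsh it is exactly the change the article describes an attacker needing to make first.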
Per the CVE, the vulnerability has already been patched in all three currently supported versions of macOS (Monterey 12.0.1, Catalina with Security Update 2021-007, and Big Sur 11.6.1). Older unsupported versions of OS X with SIP—which means OS X 10.11 and later—might still be vulnerable, though that likely hinges on whether post-install scripts executed with bash behave the same way they do with zsh.
Bar Or’s blog post doesn’t mention whether Apple paid Microsoft a bug bounty.