The Apple macOS flaw dubbed “Shrootless” allows attackers to circumvent System Integrity Protection security controls and install an undetectable malicious rootkit that performs arbitrary device operations.
Apple macOS Critical Flaw, Now Patched
Apple patched a macOS vulnerability that can allow threat actors to sneak past a critical OS defense and install a malicious rootkit, Microsoft researchers discovered.
The “Shrootless” issue is linked to a defense called SIP (System Integrity Protection) found in macOS. In a recent blog post, Jonathan Bar Or from the Microsoft 365 Defender Research Team wrote that SIP restricts a user at the root level of the OS from performing operations that could compromise system integrity.
The vulnerability is tracked as CVE-2021-30892 and was discovered during the assessment of processes entitled to bypass SIP protections.
“We found that the vulnerability lies in how Apple-signed packages with post-install scripts are installed,” he explained in the post. “A malicious actor could create a specially crafted file that would hijack the installation process. After bypassing SIP’s restrictions, the attacker could then install a malicious kernel driver (rootkit), overwrite system files, or install persistent, undetectable malware, among others.”
Microsoft shared the researchers’ findings with Apple through its CVD (Coordinated Vulnerability Disclosure) process, and Apple addressed the issue in the security updates released on October 26, 2021.
“This OS-level vulnerability and others that will inevitably be uncovered add to the growing number of possible attack vectors for attackers to exploit,” Bar Or wrote. “As networks become increasingly heterogeneous, the number of threats that attempt to compromise non-Windows devices also increases.”
The Mechanisms of SIP
Bar Or went on to explain how System Integrity Protection works to give better context for understanding the vulnerability. The feature, initially called “rootless,” “essentially locks down the system from root by leveraging the Apple sandbox to protect the entire platform,” he noted.
The system is controlled by two NVRAM variables: csr-active-config, a bitmask of enabled protections; and csr-data, which stores netboot configuration.
“These variables cannot be legitimately modified in non-recovery mode,” Bar Or wrote. “Therefore, the only legitimate way to disable SIP is by booting into recovery mode and turning SIP off. Turning SIP on or off is done using the built-in csrutil tool, which can also display the SIP status.”
An attacker who manages to bypass SIP gains exactly the capabilities SIP exists to deny to root: loading untrusted kernel extensions, which then execute without any further check; writing to the filesystem locations SIP protects; and tampering with the NVRAM variables that control SIP itself. The research team therefore went looking for processes that are legitimately entitled to bypass SIP, since abusing one of them is the path of least resistance.
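The csr-active-config bitmask mentioned above maps each of those capabilities to a bit: a set bit means the corresponding protection is disabled. The decoder below is an added example, not Microsoft’s or Apple’s code; the bit values are the CSR_ALLOW_* constants from XNU’s bsd/sys/csr.h, and the input format assumed is the escaped little-endian byte string that macOS’s `nvram` command prints (for example `csr-active-config	%43%00%00%00`). The sample line is constructed for illustration.

```shell
#!/bin/sh
# Decode a SIP csr-active-config value into the CSR_ALLOW_* flags it sets.
# Added example (not Microsoft's or Apple's code). Bit values follow XNU's
# bsd/sys/csr.h; a set bit means that protection is DISABLED.

# csr_flag_name <bit-value>: name of the single-bit flag, or UNKNOWN_BIT_<n>.
csr_flag_name() {
    case "$1" in
        1)    echo "CSR_ALLOW_UNTRUSTED_KEXTS" ;;          # load unsigned/untrusted kexts
        2)    echo "CSR_ALLOW_UNRESTRICTED_FS" ;;          # write to SIP-protected paths
        4)    echo "CSR_ALLOW_TASK_FOR_PID" ;;
        8)    echo "CSR_ALLOW_KERNEL_DEBUGGER" ;;
        16)   echo "CSR_ALLOW_APPLE_INTERNAL" ;;
        32)   echo "CSR_ALLOW_UNRESTRICTED_DTRACE" ;;
        64)   echo "CSR_ALLOW_UNRESTRICTED_NVRAM" ;;       # rewrite the SIP NVRAM variables
        128)  echo "CSR_ALLOW_DEVICE_CONFIGURATION" ;;
        256)  echo "CSR_ALLOW_ANY_RECOVERY_OS" ;;
        512)  echo "CSR_ALLOW_UNAPPROVED_KEXTS" ;;
        1024) echo "CSR_ALLOW_EXECUTABLE_POLICY_OVERRIDE" ;;
        2048) echo "CSR_ALLOW_UNAUTHENTICATED_ROOT" ;;
        *)    echo "UNKNOWN_BIT_$1" ;;
    esac
}

# csr_decode <integer>: print one flag name per line for each set bit.
# Prints nothing when the value is 0, i.e. SIP fully enabled.
csr_decode() {
    value=$1
    bit=1
    while [ "$value" -gt 0 ]; do
        if [ $((value & 1)) -eq 1 ]; then
            csr_flag_name "$bit"
        fi
        value=$((value >> 1))
        bit=$((bit * 2))
    done
}

# csr_from_nvram <nvram-line-or-bytes>: convert the escaped little-endian bytes
# that `nvram csr-active-config` prints (e.g. "%43%00%00%00") to an integer.
# Accepts either the bare byte string or the whole "name<TAB>value" line.
csr_from_nvram() {
    escaped=$(printf '%s' "$1" | awk '{print $NF}')   # last whitespace-separated field
    bytes=$(printf '%s' "$escaped" | tr -d '%')       # "43000000"
    value=0
    shift_bits=0
    while [ -n "$bytes" ]; do
        byte=$(printf '%s' "$bytes" | cut -c1-2)
        bytes=$(printf '%s' "$bytes" | cut -c3-)
        value=$((value + (0x$byte << shift_bits)))    # little-endian: first byte is lowest
        shift_bits=$((shift_bits + 8))
    done
    echo "$value"
}

# Constructed sample line (not captured from a real machine): 0x43 disables exactly
# the three protections a SIP bypass defeats: kext loading, filesystem, NVRAM.
SAMPLE_NVRAM_LINE='csr-active-config	%43%00%00%00'

sample_value=$(csr_from_nvram "$SAMPLE_NVRAM_LINE")
echo "csr-active-config = $sample_value"
csr_decode "$sample_value"
```

On a real Mac the same decoder can be fed `nvram csr-active-config 2>/dev/null`; if the variable is absent or decodes to 0, SIP is fully enabled, and `csrutil status` should agree with the decoded flags.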
That search led the researchers to the system_installd daemon, which carries the com.apple.rootless.install.heritable entitlement: as the name implies, the SIP filesystem bypass it grants is inherited by every child process system_installd spawns. Examining those child processes turned up several scenarios in which an attacker could abuse that inherited capability to circumvent SIP.
“For instance, when installing an Apple-signed package (.PKG file), the said package invokes system_installd, which then takes charge of installing the former,” Bar Or wrote. “If the package contains any post-install scripts, system_installd runs them by invoking a default shell, which is zsh on macOS. Interestingly, when zsh starts, it looks for the file /etc/zshenv, and — if found — runs commands from that file automatically, even in non-interactive mode.”
As a result, an attacker can perform arbitrary operations on the device, outside SIP’s restrictions, by creating a malicious /etc/zshenv file and then waiting for system_installd to invoke zsh, he explained. Note that /etc is root-owned, so planting the file already requires root: Shrootless is a root-to-SIP-bypass, not a privilege escalation from an unprivileged account. Its value to an attacker is that a root shell, which SIP is specifically designed to contain, is turned into kernel-level, SIP-protected persistence.
Microsoft’s research team built a fully functional proof-of-concept (PoC) Shrootless exploit that overrides the kernel extension exclusion list. It works in three stages: first, it downloads (using wget) an Apple-signed package known to carry a post-install script; second, it plants a malicious /etc/zshenv that checks its parent process and, if that parent is system_installd, writes to SIP-restricted locations; and third, it invokes the installer utility to install the package, which triggers the post-install script and with it the planted zshenv.
Beyond the SIP bypass, the researchers noted that zshenv is a general-purpose attack technique in its own right, usable as a persistence mechanism (any zsh launched on the system sources it) or for privilege elevation, Bar Or said.