MacOS is affected by the Shrootless bug through which rootkits can be installed


Microsoft experts said that at the beginning of this week Apple patched a dangerous vulnerability in the macOS Big Sur and Monterey operating systems. The bug could have been used to bypass System Integrity Protection (SIP), perform arbitrary operations, escalate privileges to root, and install rootkits.

The Microsoft 365 Defender team identified the issue and named the bug Shrootless (tracked as CVE-2021-30892).

The SIP defence mechanism is also known as rootless, hence the name of the vulnerability. It is designed to block potentially malicious programs from changing protected folders and files, and to restrict the root user and the actions root can perform in protected parts of the OS. That is, under normal circumstances SIP only allows processes that are signed by Apple or that hold special entitlements (such as software update tools or Apple installers) to modify the protected portions of macOS.

The problem with Shrootless is that the system_installd daemon responsible for installing software held the com.apple.rootless.install.inheritable entitlement, which allowed its child processes to completely bypass SIP restrictions. Post-install scripts run as child processes of that daemon, so they inherit the SIP bypass.
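A defender auditing for this class of weakness wants to know which binaries carry an entitlement that lets their children bypass SIP. The following is an added example, not code from the article or from Microsoft: it parses an entitlements plist (the format `codesign -d --entitlements :- <binary>` prints on macOS, an invocation assumed here) and flags the SIP-bypass entitlements. The sample plist is constructed for illustration, not captured from a real system.

```python
"""Flag macOS binaries whose entitlements let them, or their child processes,
bypass SIP (the condition behind Shrootless / CVE-2021-30892)."""
import plistlib
import subprocess
from typing import Dict, List

# Entitlements granting SIP bypass: the .inheritable one is named in the
# article and extends the bypass to child processes such as post-install scripts.
SIP_BYPASS_ENTITLEMENTS = {
    "com.apple.rootless.install",
    "com.apple.rootless.install.inheritable",
}


def parse_entitlements(raw: bytes) -> Dict[str, object]:
    """Parse an entitlements XML plist; tolerate a leading blob header or
    empty output (unsigned binary / no entitlements) by returning {}."""
    start = raw.find(b"<?xml")
    if start < 0:
        start = raw.find(b"<plist")
    if start < 0:
        return {}
    return dict(plistlib.loads(raw[start:]))


def sip_bypass_findings(entitlements: Dict[str, object]) -> List[str]:
    """Return the SIP-bypass entitlements that are present and set to true."""
    return sorted(k for k in SIP_BYPASS_ENTITLEMENTS if entitlements.get(k) is True)


def inheritable_to_children(entitlements: Dict[str, object]) -> bool:
    """True if child processes (e.g. post-install scripts) would inherit the bypass."""
    return entitlements.get("com.apple.rootless.install.inheritable") is True


def audit_binary(path: str) -> List[str]:
    """Run codesign on a real binary (macOS only; command assumed) and report."""
    proc = subprocess.run(["codesign", "-d", "--entitlements", ":-", path],
                          capture_output=True, check=False)
    return sip_bypass_findings(parse_entitlements(proc.stdout))


# Constructed sample resembling an entitlements dump for a privileged
# installer helper; not taken from any real macOS binary.
SAMPLE_ENTITLEMENTS = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0"><dict>
  <key>com.apple.rootless.install.inheritable</key><true/>
</dict></plist>"""

if __name__ == "__main__":
    ents = parse_entitlements(SAMPLE_ENTITLEMENTS)
    print("SIP bypass:", sip_bypass_findings(ents), "inherited by children:", inheritable_to_children(ents))
```

Pointing `audit_binary` at every Apple-signed installer helper on a host gives an inventory of the processes whose post-install children would run outside SIP, which is where monitoring for writes to protected paths should focus.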

“We discovered a vulnerability in the way Apple signed packages are installed with post-install scripts. An attacker could have created a special file that hijacked the installation process. After bypassing SIP restrictions, it could install a malicious kernel driver (rootkit), overwrite system files, and, among other things, install permanent, undetectable malware,” Microsoft experts say.

As mentioned above, the vulnerability has now been fixed. Apple said that through CVE-2021-30892, malicious applications could modify protected parts of the file system, and also thanked Microsoft researchers for finding the bug.
