Many security companies and large technology companies have in-house teams that aim to discover defects and vulnerabilities in software, communicate privately with the software vendors, and then release fixes in accordance with industry-standard procedures. At the same time, teams such as Google Project Zero are committed to helping discover and repair third-party security issues. This article introduces the "Shrootless" vulnerability that Microsoft discovered in Apple macOS.
(Source: Microsoft 365 Defender Research Team)
Microsoft pointed out that the Shrootless vulnerability can be exploited by malicious actors to bypass the system integrity protection (SIP) of the operating system and execute arbitrary code.
At the same time, the Microsoft security team discovered a new attack technique that can be used to escalate privileges. According to the company's blog post, the problem lies mainly in how Apple-signed packages that carry post-install scripts are installed.
By creating custom software packages that can hijack the installation process, attackers can use this mechanism to achieve malicious purposes.
For example, after bypassing SIP protection measures, attackers can install rootkits and undetectable malware, and even overwrite system files without being blocked by SIP.
In some cases, software packages require access to SIP-protected directories, such as system updates.
Apple has granted such packages certain entitlements (com.apple.rootless.install and com.apple.rootless.install.inheritable), but those same entitlements can also be abused to bypass SIP.
When evaluating macOS processes that are entitled to bypass SIP protection, the Microsoft security team discovered that the daemon system_installd holds the powerful com.apple.rootless.install.inheritable entitlement.
On this basis, an attacker can use any child process of system_installd to completely bypass the SIP file system restrictions.
With the help of the post-breach component of Microsoft Defender for Endpoint, the security team decided to check all child processes of system_installd.
The results shocked them, because some of those child processes could be abused by attackers to bypass SIP. For example, when an Apple-signed .pkg package is installed, the installer invokes system_installd, which carries out the installation.
But if the package contains any post-install scripts, system_installd will run them by invoking the default shell (zsh on macOS).
The interesting thing is that when zsh starts, it looks for the file /etc/zshenv. If that file is found, zsh automatically runs the commands in it, even in non-interactive mode.
So for potential attackers, the most reliable path for them to perform arbitrary operations on the device is to create a malicious /etc/zshenv file, and then wait for system_installd to call zsh.
To make matters worse, Microsoft also found that zshenv can serve as a general attack technique, not just for Shrootless: abusing the shell in this way can also lead to elevated privileges.
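Because zsh sources /etc/zshenv on every start, a defender's first question is whether that file exists on a given Mac at all, and if so, who can write to it and whether its contents match a known baseline. The following audit script is an added example written for this article; it is not code from Microsoft or Apple. It assumes only the standard library, takes the path to check as a parameter (defaulting to /etc/zshenv), and treats a file that is absent as the expected state of a stock install, which is an assumption stated in the code.

```python
import hashlib
import os
import stat
import tempfile

# Severity ordering used by worst_severity(); "clean" means no findings at all.
SEVERITY_ORDER = {"clean": 0, "info": 1, "medium": 2, "high": 3}


def audit_zshenv(path="/etc/zshenv", expected_sha256=None):
    """Return a list of (severity, message) findings for a zsh startup file.

    zsh reads this file for every invocation, including the non-interactive
    shells that system_installd spawns for post-install scripts, so any content
    in it runs with that daemon's SIP-bypass entitlement. The checks below look
    for the ways such a file could be planted or altered: existence, symlink
    indirection, non-root ownership, group/world write bits, drift from a
    hash baseline, and the presence of any non-comment lines at all.
    """
    findings = []
    # Assumption: a stock macOS install does not ship /etc/zshenv, so absence
    # is the expected state and anything else deserves a look.
    if not os.path.lexists(path):
        findings.append(("info", f"{path} is absent (expected on a stock install)"))
        return findings
    if os.path.islink(path):
        findings.append(("high", f"{path} is a symlink to {os.readlink(path)}"))
    st = os.stat(path)  # follows the link on purpose: that is what zsh reads
    if st.st_uid != 0:
        findings.append(("high", f"{path} is owned by uid {st.st_uid}, not root"))
    mode = stat.S_IMODE(st.st_mode)
    if mode & stat.S_IWOTH:
        findings.append(("high", f"{path} is world-writable (mode {oct(mode)})"))
    elif mode & stat.S_IWGRP:
        findings.append(("medium", f"{path} is group-writable (mode {oct(mode)})"))
    with open(path, "rb") as fh:
        data = fh.read()
    digest = hashlib.sha256(data).hexdigest()
    if expected_sha256 is None:
        findings.append(("info", f"{path} exists; sha256={digest}; review its contents"))
    elif digest != expected_sha256:
        findings.append(("high", f"{path} content changed: sha256 {digest} != baseline"))
    # Count lines that zsh would actually execute (non-empty, not comments).
    active = [
        line for line in data.decode("utf-8", "replace").splitlines()
        if line.strip() and not line.lstrip().startswith("#")
    ]
    if active:
        findings.append((
            "medium",
            f"{path} contains {len(active)} active line(s) that will run in every zsh, "
            "including the ones system_installd starts",
        ))
    return findings


def worst_severity(findings):
    """Collapse a findings list to its highest severity, or 'clean' if empty."""
    return max((sev for sev, _ in findings), key=SEVERITY_ORDER.get, default="clean")


def demo():
    """Audit a constructed, world-writable zshenv in a temp dir (sample data only)."""
    tmp = tempfile.mkdtemp()
    path = os.path.join(tmp, "zshenv")
    with open(path, "w") as fh:
        # Constructed sample content, not taken from any real system.
        fh.write("# constructed sample\nexport PATH=/tmp/untrusted:$PATH\n")
    os.chmod(path, 0o666)  # deliberately weak permissions for the demonstration
    return audit_zshenv(path)


if __name__ == "__main__":
    for severity, message in demo():
        print(f"[{severity}] {message}")
    print("worst:", worst_severity(demo()))
```

Run it as root on a Mac with no arguments to audit the real /etc/zshenv; in an endpoint baseline, pass the SHA-256 of the approved file as expected_sha256 so any drift is reported as high. Ownership and write-bit checks matter most here because the vulnerability needs only the ability to create or edit the file, not any entitlement of its own.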
Fortunately, as part of the coordinated vulnerability disclosure (CVD) process, Microsoft privately shared its findings with Apple. The latter acknowledged the problem and released a patch for the vulnerability to the public on October 26, 2021.
In the security patch notes for macOS Monterey, Catalina and Big Sur, Apple also credited Microsoft for the discovery. For details, see the CVE-2021-30892 security bulletin.