Microsoft Discloses Critical LPE Bug in macOS

The vulnerability could allow an attacker to bypass System Integrity Protection (SIP) in macOS and execute arbitrary code.

Microsoft experts have disclosed details of a vulnerability in macOS that they reported to Apple and that Apple has already fixed.

Microsoft researchers have named this vulnerability Shrootless. It allows attackers to bypass the System Integrity Protection (SIP) feature and execute arbitrary code. In the course of their research, the experts also discovered a new attack method that allows for privilege escalation.

The vulnerability, identified as CVE-2021-30892, was patched by Apple on October 26, 2021, with the release of updates for macOS Monterey, Catalina and Big Sur.

The problem lies in how Apple-signed software packages and their post-installation scripts are installed. The researchers found that attackers can abuse this mechanism by creating a custom package that intercepts the installation process. After bypassing SIP, an attacker can install rootkits and undetectable malware, and even overwrite system files.

The cause of the problem is a design flaw. In some cases, software packages require access to directories protected with SIP (system updates are a prime example). Apple assigns and rights to these packages to bypass SIP checks.

While analyzing macOS processes that can bypass SIP, the experts came across the system_installd daemon, which holds powerful rights. With these rights, any child process of system_installd can bypass all file system restrictions set by SIP.

The researchers decided to examine all the child processes of system_installd and were surprised to find several cases that allow hackers to abuse this functionality to bypass SIP.

For example, when you install an Apple-signed package (.pkg file), the package invokes the system_installd process, which is responsible for installing it. If the package contains any post-installation scripts, system_installd runs them by invoking the default shell (on macOS, this is zsh). Notably, zsh looks for the /etc/zshenv file on startup and, if it finds one, automatically runs the commands in it, even in non-interactive mode. Therefore, to perform arbitrary operations on the device, attackers can create a malicious /etc/zshenv file and then wait for system_installd to invoke zsh.
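A defender-side audit of the startup file described above, as an added example that is not taken from Microsoft's or Apple's material. The helper name `audit_zshenv` and the finding labels are assumptions made for illustration; the checks cover presence, ownership, write permissions and any active commands in the file.

```shell
#!/bin/sh
# Added example: audit a zsh startup file such as /etc/zshenv.
# audit_zshenv is a hypothetical helper name; the finding labels are illustrative.
# Prints one finding per line; returns 0 when nothing needs review, 1 otherwise.
audit_zshenv() {
    zf="${1:-/etc/zshenv}"
    zrc=0

    # No file (and no dangling symlink): zsh has nothing to source here.
    if [ ! -e "$zf" ] && [ ! -L "$zf" ]; then
        echo "OK absent: $zf"
        return 0
    fi

    # A symlink means the content lives elsewhere; review the target too.
    if [ -L "$zf" ]; then
        echo "REVIEW symlink: $zf"
        zrc=1
    fi

    # An owner other than uid 0 can rewrite the file without privileges.
    if [ -n "$(find -L "$zf" -maxdepth 0 ! -user 0 2>/dev/null)" ]; then
        echo "REVIEW not owned by root: $zf"
        zrc=1
    fi

    # Group or world write bits let non-root users plant commands.
    if [ -n "$(find -L "$zf" -maxdepth 0 \( -perm -0020 -o -perm -0002 \) 2>/dev/null)" ]; then
        echo "REVIEW writable by group or others: $zf"
        zrc=1
    fi

    # Every non-blank, non-comment line runs in each zsh, interactive or not.
    zn=$(grep -cvE '^[[:space:]]*(#|$)' "$zf" 2>/dev/null || true)
    if [ "${zn:-0}" -gt 0 ]; then
        echo "REVIEW $zn active line(s): $zf"
        grep -nvE '^[[:space:]]*(#|$)' "$zf" | sed 's/^/    /'
        zrc=1
    fi

    [ "$zrc" -eq 0 ] && echo "OK no findings: $zf"
    return "$zrc"
}

# To audit the system-wide file, call: audit_zshenv /etc/zshenv
```

Active lines are reported for review rather than treated as malicious, since administrators sometimes set environment variables in this file legitimately.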

As mentioned earlier, Microsoft also found during this research that zshenv can be used as a general attack pattern, not only for Shrootless. Abuse of this shell behavior can lead to privilege escalation.