

Microsoft reports SIP-bypassing “Shrootless” vulnerability in macOS
source link: https://arstechnica.com/gadgets/2021/10/microsoft-reports-sip-bypassing-shrootless-vulnerability-in-macos/
Go to the source link to view the article. You can view the picture content, updated content and better typesetting reading experience. If the link is broken, please click the button below to view the snapshot at that time.

Shroot farms —
Microsoft reports SIP-bypassing “Shrootless” vulnerability in macOS
Exploit based on SIP entitlement inheritance was patched by Apple on October 26.
Lee Hutchinson - 10/29/2021, 4:57 PM

The Microsoft 365 Defender Research Team released a blog post yesterday describing a newly found macOS vulnerability that can abuse entitlement inheritance in macOS's System Integrity Protection (SIP) to allow execution of arbitrary code with root-level privilege. The vulnerability is listed as CVE-2021-30892 and has been given the nickname "Shrootless."
To explain how Shrootless works, we need to review how SIP functions. Introduced back in 2015 with OS X 10.11 El Capitan (and explained in detail on pages eight and nine of our review), SIP attempts to do away with an entire class of vulnerabilities (or at least neuter their effectiveness) by adding kernel-level protections against changing certain files on disk and certain processes in memory, even with root privilege. These protections are (more or less) inviolable unless one disables SIP, which cannot be done without rebooting into recovery mode and executing a terminal command.
The Shrootless exploit takes advantage of the fact that, while root privilege is no longer sufficient to change important system files, the kernel itself still can—and does—alter protected locations as needed. The most obvious example is when installing an application. Apple-signed application install packages have the ability to do things normally prohibited by SIP, and that's where Shrootless slides in.
Unintended consequences
As explained by Microsoft Senior Security Researcher Jonathan Bar Or in a blog post, SIP must be able to temporarily grant installer packages immunity from SIP in order to install stuff, and it does this by handing down that temporary immunity through a built-in inheritance system:
AdvertisementWhile assessing macOS processes entitled to bypass SIP protections, we came across the daemon system_installd, which has the powerful com.apple.rootless.install.inheritable entitlement. With this entitlement, any child process of system_installd would be able to bypass SIP filesystem restrictions altogether.
That on its own isn't too terrifying, since on a normal day, there shouldn't be anything scary forked off of the system_installd daemon. However, as Bar Or's post notes, some install packages contain post-install scripts, and macOS runs those post-install scripts by spawning an instance of the default system shell, which, as of Catalina, is zsh. When a zsh instance is spawned by the installer, it automatically runs its startup file at /etc/zshenv
—and that's the problem, because if an attacker has previously modified that file, whatever modifications the attacker made are executed by zsh with the com.apple.rootless.install.inheritable entitlement.
Bar Or sums things up thusly:
Generally, zshenv could be used as the following:
- A persistence mechanism. It could simply wait for zsh to start (either globally under /etc or per user).
- An elevation of privilege mechanism. The home directory doesn’t change when an admin user elevates to root using sudo -s or sudo . Thus, placing a ~/.zshenv file as the admin and waiting for the admin to use sudo later would trigger the ~/.zshenv file, hence elevating to root.
Per the CVE, the vulnerability has already been patched in all three currently supported versions of macOS (Monterey 12.0.1, Catalina with Security Update 2021-007, and Big Sur 11.6.1). Older unsupported versions of OS X with SIP—which means OS X 10.11 and later—might still be vulnerable, though that likely hinges on whether post-install scripts executed with bash behave the same way they do with zsh.
Bar Or's blog post does not mention whether Apple paid Microsoft a bug bounty.
Recommend
-
14
MacOS 10.12.5关闭SIP,升级自带的openssl由于Mac自带的 openssl 太老了,安装python扩展包报错,需要升级到高版本。一、安装openssl查看当前的openssl 的版本和目录:
-
5
SIP Trunking Proves Critical Link For Business Telecom ...
-
8
保护SIP连接的有效方法 责任编辑:cres 作者:Kevin Tolly | 2021-08-06 10:48:53 原创文章 企业网D1Net 会话发起协议(SIP)是管理设备如何通过互联网进行通信的基础标准。像大多数安全问题一...
-
13
This guide will help you to install Latest Kamailio SIP Server on CentOS 7 / CentOS 8 Linux server. This is part of Series tutorials on Building an Enterprise VOIP System. Kamailio is...
-
7
October 28, 2021 Microsoft finds new macOS vulnerability, Shrootless, that could bypass System Integrity Protection Microsoft has discovered a vulnerability that could allow an attacker to bypass...
-
7
Raspberry Pi Zero W takes a SiP of Cortex-A53 Oct 28, 2021 — by Eric Brown 134 views
-
16
如何在 MacOS 关闭 SIP – Becomin' Charles 跳至内容 Becomin' Charles Mac |...
-
4
OPPO实时音视频(OPPO Real-Time Communication ORTC),是我们推出一套低延时、高品质、跨平台的音视频互通解决方案,通过OPPO云服务器向开发者开放,提供多人音视频通话、实时监控、应急指挥调度、互通直播、IOT万物互融、云游戏等能力输出。以往的音视频通信技...
-
13
Install Kamailio SIP Server on CentOS 8Search ComputingForGeeksThis guide will help you to install Latest Ka...
-
3
Fun with macOS's SIPPosted January 24, 2023 by Aviram Hassan and Tal Zwick
About Joyk
Aggregate valuable and interesting links.
Joyk means Joy of geeK