MS discovers “Shrootless”, a macOS vulnerability that allows malware to be installed.

news

Apple has patched a vulnerability in macOS Big Sur and macOS Monterey that allowed an attacker to bypass System Integrity Protection (SIP) and install a kernel rootkit.

https://www.microsoft.com/security/blog/2021/10/28/microsoft-finds-new-macos-vulnerability-shrootless-that-could-bypass-system-integrity-protection/

Microsoft has discovered a vulnerability that could allow an attacker to bypass System Integrity Protection (SIP) in macOS and perform arbitrary operations on a device. We also discovered that a similar technique could allow an attacker to elevate privileges and root an affected device.

We shared these findings with Apple via a Coordinated Vulnerability Disclosure (CVD) through Microsoft Security Vulnerability Research (MSVR).

A fix for this vulnerability, currently identified as CVE-2021-30892, was included in a security update released by Apple on October 26, 2021.

The vulnerability was described in a blog post by Jonathan Bar Or, a security researcher at Microsoft. It is tracked as CVE-2021-30892 and was codenamed “Shrootless” by Microsoft.

According to Bar Or, this vulnerability exists in system_installd, the macOS software installation daemon.

The root cause lies in how system_installd handles Apple-signed packages, in particular those that carry post-install scripts.

Bar Or found that when such a package is installed, its post-install script runs in a child process of system_installd that lives until the installation completes. Because system_installd holds the com.apple.rootless.install.inheritable entitlement, that child process inherits it, and for the duration of the installation the child can write to locations SIP would otherwise protect. SIP is not disabled; the entitled process is simply allowed past it.

If the package contains a post-install script, system_installd launches the default shell (zsh on macOS) to execute it.

zsh reads and executes /etc/zshenv whenever it starts, including in the non-interactive mode system_installd uses, and that file is not present on a default macOS installation. An attacker who can create a malicious /etc/zshenv and then wait for system_installd to spawn zsh therefore gets code execution inside the entitled child process and bypasses SIP.
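A check a defender would want for the mechanism just described, added here as an example (it is not code from the article or from Microsoft's write-up): a POSIX shell audit of the system-wide zsh startup files. It assumes that /etc/zshenv is absent on a stock macOS install, that the four file names listed are the global startup files zsh reads, and that the grep patterns (kextload, kmutil, /System/Library, /Library/Extensions) are a reasonable heuristic for a post-install payload; the `ROOT` argument and the `--audit` flag are this example's own convention, not a macOS tool.

```shell
#!/bin/sh
# Added example, not code from the article or from Microsoft's write-up.
# Audits the system-wide zsh startup files an attacker would plant for a
# Shrootless-style SIP bypass. /etc/zshenv is assumed to be absent on a
# stock macOS install, so its mere presence is reported; the other files
# ship with the OS, so only suspicious contents are reported for them.
# The grep patterns are a heuristic chosen for this example, not a
# complete list of payload indicators.
#
# Usage: audit_zsh_startup [ROOT]
#   ROOT defaults to the live filesystem; pass a mount point (or a test
#   fixture directory) to audit an image offline.
# Returns 0 when nothing suspicious is found, 1 otherwise.

audit_zsh_startup() {
    root="${1:-}"
    findings=0
    for f in etc/zshenv etc/zprofile etc/zshrc etc/zlogin; do
        path="$root/$f"
        [ -e "$path" ] || continue
        if [ "$f" = "etc/zshenv" ]; then
            # Every zsh, interactive or not, sources this file first, which
            # includes the zsh system_installd spawns for post-install scripts.
            printf 'FINDING %s exists (not shipped with macOS)\n' "$path"
            findings=$((findings + 1))
        else
            printf 'INFO %s present\n' "$path"
        fi
        # Look for kernel-extension loading or references to SIP-protected
        # or kext directories inside the startup file.
        if grep -Eq 'kextload|kmutil|/System/Library|/Library/Extensions' "$path" 2>/dev/null; then
            printf 'FINDING %s references kext loading or protected paths\n' "$path"
            findings=$((findings + 1))
        fi
    done
    # On a live macOS system also record whether SIP is enabled at all.
    if [ -z "$root" ] && command -v csrutil >/dev/null 2>&1; then
        csrutil status
    fi
    [ "$findings" -eq 0 ]
}

# Run the audit when invoked as: sh audit.sh --audit [ROOT]
if [ "${1:-}" = "--audit" ]; then
    audit_zsh_startup "${2:-}"
fi
```

Run it as `sh audit.sh --audit` on a live machine or `sh audit.sh --audit /Volumes/image` against a mounted volume. The check only catches the artifact (a planted /etc/zshenv), not the root cause, which lives in the daemon and was fixed by Apple; pair it with file-creation monitoring on /etc/zshenv so the planting is caught before the next Apple-signed package install triggers it.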

SIP (also called “rootless”) prevents even the root user from modifying protected directories and files or loading unsigned kernel extensions. A Shrootless attack does not grant root by itself: an attacker who already has root (which is needed to create /etc/zshenv) uses it to get past SIP and perform the operations SIP would otherwise block.

Microsoft reported Shrootless to Apple’s security team in early 2021 and provided a proof of concept showing how the bug could be used to install a malicious kernel extension (a rootkit).

Apple has fixed this bug and released a fix in macOS Big Sur 11.6.1 and macOS Monterey 12.0.1.
