Shrootless bug allows hackers to install macOS rootkits
Attackers could use a new macOS vulnerability discovered by Microsoft to bypass System Integrity Protection (SIP), perform arbitrary operations, elevate privileges to root, and install rootkits on vulnerable devices.
The Microsoft 365 Defender Research Team reported the vulnerability, dubbed Shrootless (now tracked as CVE-2021-30892), to Apple through Microsoft Security Vulnerability Research (MSVR).
SIP (also known as rootless) is a macOS security technology that prevents potentially malicious software from modifying protected folders and files by restricting the root user account and limiting the actions it can perform on protected parts of the operating system.
By design, SIP only allows processes signed by Apple or those with special entitlements (that is, Apple software updates and Apple installers) to modify these protected parts of macOS.
Microsoft researchers discovered the Shrootless security issue after noticing that the system_installd daemon had the com.apple.rootless.install.heritable entitlement, which allowed any of its child processes to bypass SIP file system restrictions completely.
“We have discovered that the vulnerability lies in the way packages signed by Apple with post-install scripts are installed. A malicious actor could create a specially crafted file that would hijack the installation process,” explains Jonathan Bar Or, Senior Security Researcher at Microsoft.
“After circumventing SIP restrictions, an attacker could then install a malicious kernel driver (rootkit), overwrite system files, or install persistent and undetectable malware, among others.”
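The inherited SIP exemption described above is visible in a binary's code-signing entitlements, where Apple spells the key `com.apple.rootless.install.heritable`. The following is an added example, not code from Microsoft or Apple: a small audit helper that decodes an entitlements plist and reports granted SIP exemptions. The function names and sample plists are constructed for illustration.

```python
import plistlib
import struct

# Magic number of the embedded-entitlements blob inside a Mach-O code signature.
CSMAGIC_EMBEDDED_ENTITLEMENTS = 0xFADE7171

# SIP-exemption entitlements an audit should surface, with the reason they matter.
SIP_ENTITLEMENTS = {
    "com.apple.rootless.install": "process may modify SIP-protected paths",
    "com.apple.rootless.install.heritable": "child processes inherit the SIP exemption",
}

def parse_entitlements(blob: bytes) -> dict:
    """Decode an entitlements plist, with or without the 8-byte blob header."""
    if len(blob) >= 8:
        magic, length = struct.unpack(">II", blob[:8])
        if magic == CSMAGIC_EMBEDDED_ENTITLEMENTS:
            if length < 8 or length > len(blob):
                raise ValueError("truncated or malformed entitlements blob")
            blob = blob[8:length]
    blob = blob.strip()
    if not blob:  # unsigned binary or no entitlements at all
        return {}
    entitlements = plistlib.loads(blob)
    if not isinstance(entitlements, dict):
        raise ValueError("entitlements plist is not a dictionary")
    return entitlements

def sip_findings(blob: bytes) -> list:
    """Return (entitlement, reason) pairs for SIP exemptions that are granted."""
    granted = parse_entitlements(blob)
    # Only a boolean true grants the entitlement; a false value is not a finding.
    return [(k, why) for k, why in SIP_ENTITLEMENTS.items() if granted.get(k) is True]

# Constructed samples (not dumped from a real binary).
SAMPLE_DAEMON = plistlib.dumps({
    "com.apple.rootless.install.heritable": True,
    "com.example.unrelated": True,
})
SAMPLE_WRAPPED = struct.pack(">II", CSMAGIC_EMBEDDED_ENTITLEMENTS,
                             8 + len(SAMPLE_DAEMON)) + SAMPLE_DAEMON
SAMPLE_DENIED = plistlib.dumps({"com.apple.rootless.install": False})

if __name__ == "__main__":
    for name, blob in [("daemon", SAMPLE_DAEMON), ("wrapped", SAMPLE_WRAPPED),
                       ("denied", SAMPLE_DENIED)]:
        print(name, sip_findings(blob))
```

The input is assumed to be the entitlements plist that `codesign` can dump from a signed binary; any process that reports the heritable key deserves review of what it spawns.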
Apple patched the vulnerability in the security updates it released two days ago, on October 26.
“A malicious application may be able to modify protected parts of the file system,” Apple said in its security advisory.
Apple addressed the issue of inherited permissions behind the Shrootless bug with additional restrictions.
“We would like to thank the Apple Product Security team for their professionalism and responsiveness in resolving the issue,” added Jonathan Bar Or.
Last week, Microsoft also reported the discovery of new variants of the macOS WizardUpdate malware (also tracked as UpdateAgent or Vigram), updated to use new evasion and persistence tactics.
This Trojan deploys second-stage malware payloads, including Adload, a malware strain active since the end of 2017 and known to be able to slip past XProtect, Apple’s built-in YARA signature-based antivirus, to infect Macs.
In June, Redmond security researchers also discovered critical firmware vulnerabilities in certain models of NETGEAR routers that attackers could use to breach corporate networks and move laterally within them.