New Shrootless Bug Allows Hackers To Bypass SIP & Install Rootkits in macOS

Microsoft recently discovered a new macOS vulnerability, dubbed “Shrootless”, that allows threat actors to bypass SIP (System Integrity Protection) and install rootkits in macOS.

In macOS, SIP (System Integrity Protection) is a protection mechanism that restricts even the root user from performing operations that could compromise system integrity.

Microsoft also identified a technique through which a threat actor could elevate their privileges to root on a vulnerable Mac, and noted that SIP could then be bypassed and arbitrary operations executed on the compromised system.

Shrootless Vulnerability

The Shrootless vulnerability, which Microsoft’s researchers track as CVE-2021-30892, resides in the macOS software installation daemon (system_installd).

The vulnerability was identified while Microsoft was evaluating the processes that Apple itself uses to bypass SIP protection, and the problem was found to lie in:

how Apple signs packages

Apple’s post-install scripts

Apple’s installed scripts

Because the system_installd daemon holds an entitlement that lets it fully bypass SIP filesystem restrictions, a threat actor who hijacks it can carry out their actions successfully.

Jonathan Bar Or, a principal security researcher at Microsoft, stated:

“We found that the vulnerability lies in how Apple-signed packages with post-install scripts are installed. A malicious actor could create a specially crafted file that would hijack the installation process. After bypassing SIP’s restrictions, the attacker could then install a malicious kernel driver (rootkit), overwrite system files, or install persistent, undetectable malware, among others.”

Threat actors can bypass SIP by planting a malicious /etc/zshenv file and then waiting for system_installd to invoke zsh, because zsh reads /etc/zshenv at startup whenever the macOS installation daemon launches the shell.
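A defender-side check that follows from this: the script below, added here as an example and not code from Microsoft, Apple or the article’s author, audits /etc/zshenv (or any other system-wide zsh startup file) for the conditions that make it a usable hook point: ownership, write permissions for anyone other than the owner, and any active (non-comment) lines. It assumes POSIX sh with the usual ls, awk, find, grep and sed utilities, and it reports findings for an administrator to review rather than judging whether the content is malicious.

```shell
#!/bin/sh
# Audit a system-wide zsh startup file that privileged processes may source.
# Added example for this article, not code from Microsoft, Apple or the
# article's author. Assumes POSIX sh with ls, awk, find, grep and sed.
# A "finding" is something an administrator should review; the script does
# not decide whether the content is malicious.
#
# Usage: audit_zsh_startup_file /etc/zshenv
# Prints one line per finding; returns 0 if nothing to report, 1 otherwise,
# so it can drive a cron job or a fleet-wide compliance check.
audit_zsh_startup_file() {
  f="$1"
  findings=0

  # No file means no hook point for a zsh started by an installer.
  if [ ! -e "$f" ]; then
    echo "ok: $f is absent"
    return 0
  fi

  # Ownership: a file sourced by root-level shells should belong to root.
  owner=$(ls -ld "$f" | awk '{print $3}')
  if [ "$owner" != "root" ]; then
    echo "finding: $f is owned by '$owner', not root"
    findings=$((findings + 1))
  fi

  # Mode: write access for anyone but the owner is what lets the file be
  # planted or edited without privileges (octal masks work in GNU and BSD find).
  if [ -n "$(find "$f" -maxdepth 0 -perm -002)" ]; then
    echo "finding: $f is world-writable"
    findings=$((findings + 1))
  fi
  if [ -n "$(find "$f" -maxdepth 0 -perm -020)" ]; then
    echo "finding: $f is group-writable"
    findings=$((findings + 1))
  fi

  # Content: every non-comment line runs in every zsh on the host, including
  # shells spawned by system_installd, so list them with line numbers.
  active=$(grep -c -v -E '^[[:space:]]*(#|$)' "$f" || true)
  if [ "$active" -gt 0 ]; then
    echo "finding: $f has $active active line(s); review them:"
    grep -n -v -E '^[[:space:]]*(#|$)' "$f" | sed 's/^/    /'
    findings=$((findings + 1))
  fi

  [ "$findings" -eq 0 ]
}
```

Run it against /etc/zshenv, /etc/zprofile and /etc/zshrc in turn; on a default install the first of these should normally be reported as absent.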

Microsoft Security Vulnerability Research (MSVR) reported this security flaw to Apple, and Apple promptly released a security patch for the vulnerability two days ago, on October 26.


Balaji N

BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.
