The Microsoft 365 Defender Analysis Staff released a blog post yesterday describing a newly discovered macOS vulnerability that may abuse entitlement inheritance in macOS’s System Integrity Safety (SIP) to permit execution of arbitrary code with root-level privilege. The vulnerability is listed as CVE-2021-30892 and has been given the nickname “Shrootless.”
To clarify how Shrootless works, we have to overview how SIP capabilities. Launched again in 2015 with OS X 10.11 El Capitan (and defined intimately on pages eight and nine of our review), SIP makes an attempt to eliminate a complete class of vulnerabilities (or a minimum of neuter their effectiveness) by including kernel-level protections towards altering sure information on disk and sure processes in reminiscence, even with root privilege. These protections are (kind of) inviolable except one disables SIP, which can’t be achieved with out rebooting into restoration mode and executing a terminal command.
The Shrootless exploit takes benefit of the truth that, whereas root privilege is not enough to alter vital system information, the kernel itself nonetheless can—and does—alter protected areas as wanted. The obvious instance is when putting in an utility. Apple-signed utility set up packages have the flexibility to do issues usually prohibited by SIP, and that is the place Shrootless slides in.
As defined by Microsoft Senior Safety Researcher Jonathan Bar Or in a weblog post, SIP should be capable to quickly grant installer packages immunity from SIP so as to set up stuff, and it does this by handing down that momentary immunity via a built-in inheritance system:
Whereas assessing macOS processes entitled to bypass SIP protections, we got here throughout the daemon system_installd, which has the highly effective com.apple.rootless.set up.inheritable entitlement. With this entitlement, any youngster technique of system_installd would be capable to bypass SIP filesystem restrictions altogether.
That by itself is not too terrifying, since on a traditional day, there should not be something scary forked off of the system_installd daemon. Nonetheless, as Bar Or’s put up notes, some set up packages include post-install scripts, and macOS runs these post-install scripts by spawning an occasion of the default system shell, which, as of Catalina, is zsh. When a zsh occasion is spawned by the installer, it routinely runs its startup file at
/and so on/zshenv—and that is the issue, as a result of if an attacker has beforehand modified that file, no matter modifications the attacker made are executed by zsh with the com.apple.rootless.set up.inheritable entitlement.
Bar Or sums issues up thusly:
Usually, zshenv might be used as the next:
- A persistence mechanism. It might merely look ahead to zsh to start out (both globally underneath /and so on or per person).
- An elevation of privilege mechanism. The house listing doesn’t change when an admin person elevates to root utilizing sudo -s or sudo
. Thus, inserting a ~/.zshenv file because the admin and ready for the admin to make use of sudo later would set off the ~/.zshenv file, therefore elevating to root.
Per the CVE, the vulnerability has already been patched in all three at present supported variations of macOS (Monterey 12.0.1, Catalina with Safety Replace 2021-007, and Huge Sur 11.6.1). Older unsupported variations of OS X with SIP—which suggests OS X 10.11 and later—would possibly nonetheless be susceptible, although that doubtless hinges on whether or not post-install scripts executed with bash behave the identical method they do with zsh.
Bar Or’s weblog put up doesn’t point out whether or not Apple paid Microsoft a bug bounty.