Microsoft 365 Defender researchers reported that “A malicious actor could create a specially crafted file that would hijack the installation process.” The vulnerability lies in how post-install scripts of Apple-signed packages are run by system_installd. Apple published security updates on October 26, 2021 that contained a patch for this vulnerability, now tracked as CVE-2021-30892.
A vulnerability in macOS has been identified by Microsoft that could allow an attacker to bypass System Integrity Protection (SIP) and perform arbitrary operations on a device. We also discovered a similar technique that could allow an attacker to elevate their privileges to root on an affected device. We informed Apple about our findings through coordinated vulnerability disclosure (CVD) via Microsoft Security Vulnerability Research (MSVR).
SIP, also known as “rootless”, was first introduced by Apple in macOS Yosemite and essentially locks down the system from the root user by leveraging the Apple sandbox to protect the entire platform. SIP is controlled by two NVRAM variables:
- csr-active-config: bitmask of enabled protections
- csr-data: stores NetBoot configuration
These variables cannot be modified outside recovery mode, so the only way to disable SIP is to boot into recovery mode and turn it off there. Turning SIP on or off is done with the built-in csrutil tool, which can also display the current SIP status:
If any one of these protections can be bypassed, SIP can be bypassed completely, for the following reasons:
- Loading untrusted kernel extensions could compromise the kernel and allow actions to be performed without being checked.
- Bypassing filesystem checks could allow a kernel extension to disable SIP entirely.
- Modifying NVRAM at will could be used to control SIP directly.
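To make the bitmask and the csrutil output concrete, here is an added example (not code from the article or from Microsoft) that decodes csr-active-config and parses `csrutil status`. The bit values are the CSR_ALLOW_* constants from XNU's csr.h, where a set bit is an allowance, i.e. a protection that is turned off; the nvram line format (tab-separated name and percent-encoded little-endian bytes) and the csrutil output are assumptions based on the tools' normal output, and the sample strings are constructed rather than captured from a device.

```python
"""Decode SIP's csr-active-config bitmask and parse `csrutil status` output.

Added example, not from the article. Bit values are the CSR_ALLOW_* constants
from XNU's csr.h; a SET bit is an allowance, i.e. a protection turned OFF.
Sample nvram and csrutil strings are constructed, not captured from a device.
"""
import re

CSR_FLAGS = {
    0x001: "CSR_ALLOW_UNTRUSTED_KEXTS",        # untrusted kernel extensions may load
    0x002: "CSR_ALLOW_UNRESTRICTED_FS",        # filesystem protections are off
    0x004: "CSR_ALLOW_TASK_FOR_PID",
    0x008: "CSR_ALLOW_KERNEL_DEBUGGER",
    0x010: "CSR_ALLOW_APPLE_INTERNAL",
    0x020: "CSR_ALLOW_UNRESTRICTED_DTRACE",
    0x040: "CSR_ALLOW_UNRESTRICTED_NVRAM",     # NVRAM may be modified at will
    0x080: "CSR_ALLOW_DEVICE_CONFIGURATION",
    0x100: "CSR_ALLOW_ANY_RECOVERY_OS",
    0x200: "CSR_ALLOW_UNAPPROVED_KEXTS",
    0x400: "CSR_ALLOW_EXECUTABLE_POLICY_OVERRIDE",
    0x800: "CSR_ALLOW_UNAUTHENTICATED_ROOT",
}

# The three allowances the list above names as each sufficient for a full bypass.
FULL_BYPASS_BITS = 0x001 | 0x002 | 0x040


def parse_nvram_line(line: str) -> int:
    """Parse one line of `nvram csr-active-config` output into an integer.

    Assumed shape: 'csr-active-config\t%77%00%00%00' (percent-encoded bytes,
    little-endian). Characters without a percent escape are taken as raw bytes.
    """
    name, _, value = line.strip().partition("\t")
    if name != "csr-active-config":
        raise ValueError(f"unexpected variable: {name!r}")
    raw = bytearray()
    i = 0
    while i < len(value):
        if value[i] == "%":
            raw.append(int(value[i + 1:i + 3], 16))
            i += 3
        else:
            raw.append(ord(value[i]))
            i += 1
    return int.from_bytes(bytes(raw), "little")


def decode_csr_config(config: int) -> dict:
    """List which protections a csr-active-config value turns off."""
    disabled = [name for bit, name in CSR_FLAGS.items() if config & bit]
    return {
        "raw": config,
        "disabled_protections": disabled,
        "sip_fully_enabled": config == 0,
        "full_bypass_possible": bool(config & FULL_BYPASS_BITS),
    }


def parse_csrutil_status(text: str) -> dict:
    """Parse `csrutil status` output: overall status plus per-protection states."""
    m = re.search(r"System Integrity Protection status: (\w+)", text)
    if not m:
        raise ValueError("not csrutil status output")
    details = dict(re.findall(r"^\s+([A-Za-z ]+?): (enabled|disabled)$", text, re.M))
    # "Apple Internal" is off on every customer machine, so it is not a weakening.
    weakened = [k for k, v in details.items() if v == "disabled" and k != "Apple Internal"]
    return {"status": m.group(1), "details": details, "weakened": weakened}


SAMPLE_NVRAM = "csr-active-config\t%77%00%00%00"  # constructed sample
SAMPLE_CSRUTIL_STATUS = """System Integrity Protection status: unknown (Custom Configuration).

Configuration:
    Apple Internal: disabled
    Kext Signing: disabled
    Filesystem Protections: enabled
    Debugging Restrictions: enabled
    DTrace Restrictions: enabled
    NVRAM Protections: enabled
    BaseSystem Verification: enabled
"""  # constructed sample

if __name__ == "__main__":
    print(decode_csr_config(parse_nvram_line(SAMPLE_NVRAM)))
    print(parse_csrutil_status(SAMPLE_CSRUTIL_STATUS))
```

On a real Mac the two parsers would be fed the output of `nvram csr-active-config` and `csrutil status`; a non-zero bitmask or any "disabled" line in a custom configuration is what an endpoint baseline check should alert on.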
Apple addressed it with additional restrictions. A malicious application that successfully exploits CVE-2021-30892 could manipulate protected parts of the file system, including installing malicious kernel drivers (rootkits), overwriting system files, or installing persistent, undetectable malware.
Bar Or explained that, “In macOS devices, security technology like SIP serves as the device’s built-in baseline protection as well as the device’s last line of defence against malware and other cybersecurity threats. Unfortunately, the actors continue to devise new ways to overcome these barriers.”
To create a fully functional proof-of-concept (PoC) exploit, we implemented the following algorithm:
- Download an Apple-signed package (using wget) that is known to have a post-install script.
- Plant a malicious /etc/zshenv that would check for its parent process; if it’s system_installd, then it would write to restricted locations.
- Invoke the installer utility to install the package.
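From the defender's side, the useful check is whether a zsh startup file has been planted with that shape. The following added example (not code from the article or from Microsoft's research) audits the system-wide zsh startup files for the three indicators the steps above imply: a parent-process check, a reference to system_installd, and a write into a SIP-protected path. The list of startup files, the protected-path prefixes and the indicator patterns are my assumptions, and both file contents are constructed samples; macOS does not ship /etc/zshenv by default, so its mere presence is treated as worth reviewing.

```python
"""Audit zsh startup files for the post-install hook described above.

Added example, not from the article. The startup-file list, protected-path
prefixes and indicator patterns are assumptions; sample contents are constructed.
"""
import re
from pathlib import Path

# Files zsh sources even for non-interactive shells such as a post-install script.
ZSH_STARTUP_FILES = ["/etc/zshenv", "/etc/zprofile", "/etc/zshrc", "/etc/zlogin"]
NOT_SHIPPED_BY_APPLE = {"/etc/zshenv"}  # assumption: stock macOS has no /etc/zshenv

SIP_PROTECTED_PREFIXES = ("/System/", "/usr/bin/", "/usr/lib/", "/usr/libexec/",
                          "/bin/", "/sbin/", "/private/var/db/")

INDICATORS = {
    # looks at its own parent process ($PPID or `ps -o comm`)
    "parent_process_check": re.compile(r"\$\{?PPID\}?|ps\s+-o\s+comm"),
    # names the installer daemon the technique hides behind
    "references_system_installd": re.compile(r"system_installd"),
    # a shell redirect or a copy/move/touch aimed at a SIP-protected prefix
    "writes_protected_path": re.compile(
        r"(?:>>?|\b(?:cp|mv|touch|install|tee)\b[^\n]*?)\s*(?:"
        + "|".join(re.escape(p) for p in SIP_PROTECTED_PREFIXES) + ")"),
}


def audit_zsh_startup_text(path: str, text: str) -> dict:
    """Return the indicators one startup file trips and a severity for triage."""
    hits = [name for name, rx in INDICATORS.items() if rx.search(text)]
    if path in NOT_SHIPPED_BY_APPLE:
        hits.append("file_not_shipped_by_apple")
    # A parent-process check together with a protected-path write is exactly the
    # hook shape in the steps above, so it is rated high on its own.
    high = {"parent_process_check", "writes_protected_path"} <= set(hits)
    severity = "high" if high else ("review" if hits else "none")
    return {"path": path, "indicators": hits, "severity": severity}


def audit_zsh_startup_files(files=ZSH_STARTUP_FILES) -> list:
    """Audit the real files on this host; files that do not exist are skipped."""
    results = []
    for p in files:
        path = Path(p)
        if path.is_file():
            results.append(audit_zsh_startup_text(p, path.read_text(errors="replace")))
    return results


# Constructed samples, not captured from a real system.
BENIGN_ZPROFILE = (
    "# system-wide .zprofile\n"
    "if [ -x /usr/libexec/path_helper ]; then\n"
    "\teval `/usr/libexec/path_helper -s`\n"
    "fi\n"
)
SUSPICIOUS_ZSHENV = (
    "# constructed sample of the hook shape described in the steps above\n"
    'if [ "$(ps -o comm= -p $PPID)" = "system_installd" ]; then\n'
    "  echo hooked >> /System/Library/CoreServices/marker\n"
    "fi\n"
)

if __name__ == "__main__":
    for path, text in [("/etc/zprofile", BENIGN_ZPROFILE), ("/etc/zshenv", SUSPICIOUS_ZSHENV)]:
        print(audit_zsh_startup_text(path, text))
    for result in audit_zsh_startup_files():
        print(result)
```

Run as a script it first scores the two constructed samples and then the host's own startup files; in practice the same check belongs in an endpoint baseline alongside file-integrity monitoring of /etc, since a planted /etc/zshenv is the one artifact this technique cannot avoid leaving on disk.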
Finally, this study highlights the necessity of collaboration among security researchers, software providers, and the broader security community. As cross-platform threats continue to grow, vulnerability findings, coordinated response, and other types of threat-information sharing help strengthen the protection solutions that secure users’ computing experiences regardless of the platform or device they use.