Microsoft Reports ‘Shrootless’ SIP Bypass Vulnerability in macOS
The Microsoft 365 Defender Research Team published a blog post yesterday describing a recently discovered macOS vulnerability that abuses the entitlement inheritance used by macOS System Integrity Protection (SIP) to allow execution of arbitrary code with root-level privileges. The vulnerability is listed as CVE-2021-30892 and received the nickname “Shrootless”.
To explain how Shrootless works, we need to review how SIP works. Introduced in 2015 with OS X 10.11 El Capitan (and explained in detail on pages eight and nine of our review), SIP attempts to remove an entire class of vulnerabilities (or at least neutralize their effectiveness) by adding kernel-level protections against modifying certain files on disk and certain processes in memory, even with root privilege. These protections are (more or less) inviolable unless you deactivate SIP, which cannot be done without restarting in recovery mode and executing a terminal command.
The Shrootless exploit takes advantage of the fact that although root privilege is no longer sufficient to modify important system files, the system itself still needs to modify protected locations from time to time. The most obvious example is installing an application. Apple-signed installer packages are allowed to do things normally prohibited by SIP, and that is where Shrootless comes in.
As explained by Jonathan Bar Or, senior security researcher at Microsoft, in a blog post, SIP must be able to grant installer packages temporary immunity from its restrictions in order to install items, and it does so by passing that temporary immunity down through a built-in inheritance mechanism:
While evaluating the macOS processes allowed to bypass SIP protections, we came across the daemon system_installd, which has the powerful com.apple.rootless.install.inheritable entitlement. With this entitlement, any child process of system_installd would be able to bypass SIP filesystem restrictions completely.
That in itself is not too terrifying, because on a normal day nothing scary should come out of the system_installd daemon. However, as the Bar Or post notes, some installer packages contain post-install scripts, and macOS runs these post-install scripts by spawning an instance of the default system shell, which since Catalina is zsh. When a zsh instance is spawned by the installer, it automatically runs its startup file at /etc/zshenv, and this is the problem: if an attacker has already modified this file, whatever modifications the attacker made are executed by zsh with the com.apple.rootless.install.inheritable entitlement.
Bar Or sums it up as follows:
In general, zshenv could be used as:
- A persistence mechanism. It could simply wait for zsh to start (either globally under /etc or per user).
- A privilege escalation mechanism. The home directory does not change when an administrator user elevates to root using sudo -s or sudo. So, placing a ~/.zshenv file as the administrator and waiting for the administrator to use sudo would later trigger the ~/.zshenv file, thus elevating to root.
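Both the installer path and the sudo path described above hinge on who can write to the zsh startup files, so a defender's first check is simply to inventory them. The following audit script is an added example, not code from the article or from Microsoft's write-up; the optional ROOT argument is an assumption that lets it run against a copied or test tree instead of the live filesystem, and it treats any /etc/zshenv as worth review on the assumption that a stock macOS install does not ship one.

```shell
# Added example (not from the article or Microsoft's post): inventory the
# zsh startup files involved in Shrootless and flag risky ones.
# Usage: audit_zshenv [ROOT]   (ROOT is an assumed test-tree prefix; omit it
# on a Mac to inspect the real "/").

hash_file() {
    # Portable SHA-256: macOS ships shasum, most Linux hosts ship sha256sum.
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

audit_zshenv() {
    root="${1:-}"
    # Candidates: the system-wide file read by every zsh (including the one
    # system_installd spawns for post-install scripts), plus the per-user and
    # root copies that matter for the sudo path.
    for f in "$root/etc/zshenv" "$root"/Users/*/.zshenv "$root/var/root/.zshenv"; do
        [ -f "$f" ] || continue
        perm=$(ls -ld "$f" | cut -c1-10)       # e.g. -rw-r--r--
        owner=$(ls -ld "$f" | awk '{print $3}')
        status=OK
        case "$perm" in
            ?????w*|????????w*) status=SUSPECT ;;  # group- or world-writable
        esac
        # Assumption: a stock macOS install ships no /etc/zshenv, so its mere
        # presence deserves review regardless of permissions.
        case "$f" in "$root/etc/zshenv") status=SUSPECT ;; esac
        printf '%s %s owner=%s mode=%s sha256=%s\n' \
            "$status" "$f" "$owner" "$perm" "$(hash_file "$f")"
    done
}
```

Each line reports one file with its owner, mode and hash; feeding the SUSPECT lines and hashes into a file-integrity baseline turns this into a repeatable check rather than a one-off look.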
As for the CVE, the vulnerability has already been fixed in the three currently supported versions of macOS (Monterey 12.0.1, Catalina with Security Update 2021-007, and Big Sur 11.6.1). Older, unsupported versions of OS X with SIP, meaning OS X 10.11 and later, may still be vulnerable, although that probably depends on whether post-install scripts run under bash behave the same way as under zsh.
The Bar Or blog post does not mention whether Apple paid Microsoft a bug bounty.