Search This Blog

Powered by Blogger.

Blog Archive

Labels

Microsoft: Shrootless Bug Allows Hackers Install macOS Rootkits

After circumventing SIP's restrictions, the attacker could overwrite system files or install undetectable malware.

 

A new macOS vulnerability found by Microsoft could be used by attackers to circumvent System Integrity Protection (SIP) and conduct arbitrary activities, gain root privileges, and install rootkits on susceptible computers. 

The Microsoft 365 Defender Research Team disclosed the Shrootless vulnerability (now tracked as CVE-2021-30892) to Apple via the Microsoft Security Vulnerability Research Program (MSVR). SIP (also known as rootless) is a macOS security mechanism that prevents potentially dangerous programs from editing protected folders and files by restricting the root user account's ability to conduct operations on protected sections of the OS. 

SIP permits only processes signed by Apple or those with specific entitlements (i.e., Apple software updates and Apple installers) to change these protected sections of macOS. Microsoft researchers found the Shrootless security flaw after finding that the system_installed daemon had the com.apple.rootless.install.inheritable entitlement, which enabled any child process to completely circumvent SIP filesystem limitations. 

Jonathan Bar Or, a principal security researcher at Microsoft stated, "We found that the vulnerability lies in how Apple-signed packages with post-install scripts are installed. A malicious actor could create a specially crafted file that would hijack the installation process. After bypassing SIP’s restrictions, the attacker could then install a malicious kernel driver (rootkit), overwrite system files, or install persistent, undetectable malware, among others." 

With the security upgrades released on October 26, Apple addressed the security vulnerability. According to Apple's security alert, "a malicious programme may be able to manipulate protected areas of the file system." 

"We want to thank the Apple product security team for their professionalism and responsiveness in fixing the issue," Jonathan Bar Or added.

Microsoft also announced last week that it has discovered new strains of macOS WizardUpdate malware (also known as UpdateAgent or Vigram), which had been upgraded to employ new evasion and persistence techniques. 

The trojan distributes second-stage malware payloads, such as Adload, a malware strain that has been active since late 2017 and is notorious for being able to infect Macs despite Apple's YARA signature-based XProtect built-in antivirus.
Share it:

Apple

Flaws

macOS

Root Privilege

Rootkit

Shrootless Bug

Vulnerabilities and Exploits