According to Microsoft, the new shrootless bug can allow attackers to install Rootkit on macOS Systems. Further enabling them to take total control of the device to perform arbitrary operations without getting flagged by traditional security solutions.
The vulnerability is tracked as CVE-2021-30892 and lies in how Apple-signed packages with post-install scripts are installed.
According to Jonathan Bar Or from Microsoft 365 Defender Research Team, “A malicious actor could create a specially crafted file that would hijack the installation process.”
The security feature called System Integrity Protection (SIP) aka “rootless” introduced in OS X El Capitan is designed to protect the macOS operating system. It restricts root user from executing unauthorized code or performing operations as it may compromise system integrity.
The protected parts of the system such as /System, /usr, /bin, /sbin, and /var are modified via SIP uniquely by processes signed by Apple or those with special entitlements to write to system files this includes Apple software updates and Apple installers. It also automatically authorizes apps that are downloaded from the Mac App Store.Microsoft discovered a software installation daemon called “system_installd” that enables any of its child processes to completely circumvent SIP filesystem restrictions while looking at the security technology taken care of by macOS processes entitled to bypass SIP protections.
This leads to using the system_installd daemon, and any post-install scripts contained in the package is executed by invoking a default shell, which is Z shell (zsh) on macOS when an Apple-signed package is being installed
Bar Or explained, “Interestingly, when zsh starts, it looks for the file /etc/zshenv, and — if found — runs commands from that file automatically, even in non-interactive mode. Therefore, for attackers to perform arbitrary operations on the device, a fully reliable path they could take would be to create a malicious /etc/zshenv file and then wait for system_installd to invoke zsh.”
With the successful exploitation of CVE-2021-30892, bad actors can enable a malicious application to modify protected parts of the file system. Further, they can also install malicious kernel drivers (aka rootkits), overwrite system files, or install persistent, undetectable malware.
Bar Or further added, “Security technology like SIP in macOS devices serves both as the device’s built-in baseline protection and the last line of defense against malware and other cybersecurity threats. Unfortunately, malicious actors continue to find innovative ways of breaching these barriers for these very same reasons.”