Security News > 2021 > October > New 'Shrootless' Bug Could Let Attackers Install Rootkit on macOS Systems

Microsoft on Thursday disclosed details of a new vulnerability that could allow an attacker to bypass security restrictions in macOS and take complete control of the device to perform arbitrary operations on the device without getting flagged by traditional security solutions.

System Integrity Protection aka "Rootless" is a security feature introduced in OS X El Capitan that's designed to protect the macOS operating system by restricting a root user from executing unauthorized code or performing operations that may compromise system integrity.

Specifically, SIP allows modification of protected parts of the system - such as /System, /usr, /bin, /sbin, and /var - only by processes that are signed by Apple or those that have special entitlements to write to system files, like Apple software updates and Apple installers, while also automatically authorizing apps that are downloaded from the Mac App Store.

Microsoft's investigation into the security technology looked at macOS processes entitled to bypass SIP protections, leading to the discovery of a software installation daemon called "System installd" that enables any of its child processes to completely circumvent SIP filesystem restrictions.

"Therefore, for attackers to perform arbitrary operations on the device, a fully reliable path they could take would be to create a malicious /etc/zshenv file and then wait for system installd to invoke zsh."

Successful exploitation of CVE-2021-30892 could enable a malicious application to modify protected parts of the file system, including the capability to install malicious kernel drivers, overwrite system files, or install persistent, undetectable malware.

News URL

http://feedproxy.google.com/~r/TheHackersNews/~3/cr3XqOeuXxQ/new-shrootless-bug-could-let-attackers.html