Microsoft revealed details of a new vulnerability on Thursday. It might allow attackers to circumvent security constraints in macOS and get entire control of the system, enabling them to do arbitrary activities without being detected by typical security measures.
Jonathan Bar Or of the Microsoft 365 Defender Research Team revealed that the vulnerability, nicknamed “Shrootless” and logged as CVE-2021-30892, “lies in how Apple-signed packages with post-install scripts are deployed.” A rogue actor may develop a specifically constructed file that would cause the installation process to be hijacked.
System Integrity Protection (SIP), sometimes known as “rootless,” is a security feature introduced in OS X El Capitan that prevents a root user from executing illegal code or performing activities that might threaten system integrity.
SIP permits only Apple-signed programs or those with appropriate permissions to write to system files and modify protected sections of the system, such as Apple software updates and installers.
The research of the security technologies by Microsoft focused on macOS programs that were allowed to evade SIP safeguards. It was revealed that the “system_installd” software installation daemon allows any of its child processes to bypass SIP filesystem limitations entirely.
As a result, when an Apple-signed program is installed, it starts the system_installd daemon, and any post-install scripts in the package are run using the default shell, which on macOS is Z shell (zsh).
A malicious program that successfully exploits CVE-2021-30892 might be able to manipulate protected areas of the file system, including the ability to install malicious kernel drivers (called rootkits), rewrite system files, or install persistent, undetectable malware. As part of security upgrades handed out on October 26, 2021, Apple fixed the issue with new limitations.