Shrootless, or CVE-2021-30892, is a new OS-level vulnerability that could allow threat actors to circumvent a macOS security restriction known as System Integrity Protection (SIP) and take over the device. Once SIP is bypassed, attackers could perform arbitrary operations without being detected by security solutions. Details about the vulnerability were disclosed by Microsoft.
CVE-2021-30892: “Shrootless” macOS Vulnerability that Bypasses SIP
What is System Integrity Protection? SIP is a security feature in macOS designed to restrict even the root user from performing operations that could compromise system integrity. Microsoft said it discovered the SIP flaw “while assessing processes entitled to bypass SIP protections.”
The team found that the vulnerability stems from the way Apple-signed packages with post-install scripts are installed. A threat actor could create a specific file to hijack the installation process, bypass the SIP restrictions, and install a malicious kernel driver or rootkit. Having achieved this, the attacker could also overwrite system files and install persistent malware, among other consequences of the vulnerability.
“This OS-level vulnerability and others that will inevitably be uncovered add to the growing number of possible attack vectors for attackers to exploit. As networks become increasingly heterogeneous, the number of threats that attempt to compromise non-Windows devices also increases,” the Microsoft 365 Defender Research Team pointed out.
How does the CVE-2021-30892 vulnerability work?
While assessing the SIP technology, Microsoft discovered a software installation daemon known as system_installd whose child processes are allowed to bypass SIP. What does this mean? When an Apple-signed package is installed on the device, it invokes the system_installd daemon, which executes any post-install scripts contained in the package by invoking a default shell:
While assessing macOS processes entitled to bypass SIP protections, we came across the daemon system_installd, which has the powerful com.apple.rootless.install.inheritable entitlement. With this entitlement, any child process of system_installd would be able to bypass SIP filesystem restrictions altogether.
The team also examined all the child processes of system_installd, and discovered a few cases that could allow attackers to abuse its functionality and bypass SIP:
For instance, when installing an Apple-signed package (.pkg file), the said package invokes system_installd, which then takes charge of installing the former. If the package contains any post-install scripts, system_installd runs them by invoking a default shell, which is zsh on macOS. Interestingly, when zsh starts, it looks for the file /etc/zshenv, and—if found—runs commands from that file automatically, even in non-interactive mode. Therefore, for attackers to perform arbitrary operations on the device, a fully reliable path they could take would be to create a malicious /etc/zshenv file and then wait for system_installd to invoke zsh.
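The technique above hinges on zsh sourcing /etc/zshenv even when system_installd runs a post-install script non-interactively. As an added defender-side check (not code from the article or from Microsoft), the POSIX shell function below audits that file: it assumes a stock macOS install has no /etc/zshenv and that, where it legitimately exists, it is root-owned and not group- or world-writable. The file path and expected owner are parameters so it can be run against a copy or a test file.

```shell
#!/bin/sh
# audit_zshenv PATH [EXPECTED_OWNER]
# Prints one line beginning with ABSENT, REVIEW or SUSPECT and always returns 0,
# so it can be dropped into a larger inventory or compliance script.
#   ABSENT  - the file does not exist (expected on a stock macOS; an assumption,
#             not a claim made by the article)
#   REVIEW  - the file exists, is owned by EXPECTED_OWNER (default root) and is
#             not group/world writable; its statements still deserve a look
#   SUSPECT - the file is writable by group/others or owned by someone else
audit_zshenv() {
    f="${1:-/etc/zshenv}"
    expected_owner="${2:-root}"
    if [ ! -e "$f" ]; then
        echo "ABSENT $f"
        return 0
    fi
    # ls -ld output is the same shape on BSD (macOS) and GNU: mode, links, owner, ...
    listing=$(ls -ld "$f")
    perm=$(printf '%s' "$listing" | cut -c1-10)          # e.g. -rw-r--r--
    owner=$(printf '%s' "$listing" | awk '{print $3}')
    grp_w=$(printf '%s' "$perm" | cut -c6)               # group write bit
    oth_w=$(printf '%s' "$perm" | cut -c9)               # world write bit
    # Count lines that are neither blank nor comments: the statements zsh would run
    stmts=$(grep -cvE '^[[:space:]]*(#|$)' "$f" || true)
    # Content fingerprint so a known-good file can be allowlisted by hash
    if command -v sha256sum >/dev/null 2>&1; then
        digest=$(sha256sum "$f" | cut -d' ' -f1)
    else
        digest=$(shasum -a 256 "$f" | cut -d' ' -f1)
    fi
    verdict=REVIEW
    if [ "$oth_w" = "w" ] || [ "$grp_w" = "w" ] || [ "$owner" != "$expected_owner" ]; then
        verdict=SUSPECT
    fi
    echo "$verdict $f owner=$owner mode=$perm statements=$stmts sha256=$digest"
    return 0
}
```

Run as `audit_zshenv` with no arguments to check the real /etc/zshenv on a host; any REVIEW or SUSPECT result should be reconciled against change records before the next Apple-signed package is installed.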
A proof-of-concept for the Shrootless vulnerability is available.
The team shared its findings with Apple through Coordinated Vulnerability Disclosure (CVD) via Microsoft Security Vulnerability Research (MSVR).
In September, Apple released updates for three zero-day flaws exploited in the wild.