Apple fixed a vulnerability discovered by Microsoft researchers that lets attackers with root privileges bypass System Integrity Protection (SIP).

Researchers from Microsoft discovered a vulnerability, tracked as CVE-2023-32369 and dubbed Migraine, that can allow attackers with root privileges to bypass System Integrity Protection (SIP).
System Integrity Protection (also referred to as rootless) is a macOS security feature introduced in 2015 with OS X El Capitan (OS X 10.11). SIP restricts the root user from performing operations that may compromise system integrity. Once an attacker has bypassed SIP root restrictions, they can install “undeletable”, persistent malware and access sensitive data on the device.

By design, SIP only allows processes signed by Apple or those holding special entitlements (such as Apple software updates and Apple installers) to modify the protected parts of macOS.
The researchers reported that a threat actor could create a specially crafted file that would hijack the installation process.

According to Apple’s advisory, the logic issue can be exploited by an app to modify protected parts of the file system.

The IT giant credited Jonathan Bar Or, Anurag Bohra, and Michael Pearse of Microsoft for reporting the flaw.

Apple has addressed the vulnerability with the release of security updates for macOS Ventura 13.4, macOS Monterey 12.6.6, and macOS Big Sur 11.7.7.
The researchers pointed out that it is not possible to turn off SIP on a live system. The only way to disable SIP is to restart the system into the recovery OS, which requires physical access to the device.

Only processes signed by Apple or those possessing a special entitlement (a right or privilege that grants an executable particular capabilities), such as Apple software updates and installers, should be able to alter macOS-protected components.

The researchers from Microsoft abused the macOS Migration Assistant utility to bypass SIP protection.
“During a routine malware hunt, we discovered the execution of a binary called drop_sip,” reads the analysis published by Microsoft. “Thinking that we found an exploit in the wild, we found that it’s an Apple-signed binary that resides natively under the /System/Library/PrivateFrameworks/SystemMigrationUtils.framework/Resources/Tools/drop_sip path.”
“Because of this behavior, we concluded the drop_sip process assumes it can bypass SIP. However, since drop_sip is not entitled with any SIP-bypassing entitlements, we concluded that it must inherit that capability. We discovered its parent process is systemmigrationd, which is a daemon designed to handle migration scenarios, but most importantly, it’s entitled with the com.apple.rootless.install.heritable entitlement that allows its child processes to bypass SIP security checks.”
The experts found that the macOS Migration Assistant utility relies on the systemmigrationd daemon, which is able to bypass SIP because it holds the com.apple.rootless.install.heritable entitlement, and that this capability passes to the processes it spawns.
The researchers were able to automate the exploit using AppleScript and execute malicious code designed to run without SIP filesystem restrictions, all without restarting the system and booting from macOS Recovery.

Below is a video PoC that shows the exploitation of the flaw:

https://www.microsoft.com/en-us/videoplayer/embed/RW14MaR
The consequences of arbitrary bypasses of System Integrity Protection (SIP) could be very dangerous; malware developers can exploit it to:

- Create undeletable malware: Attackers can create files with the “com.apple.rootless” extended attribute or overwrite existing files with it. These files are then protected by SIP and cannot be deleted by ordinary means. Security solutions like Microsoft Defender for Endpoint, which rely on quarantining malware, are unable to quarantine files protected by SIP. This limitation underscores the importance of addressing SIP bypasses to ensure effective malware containment and security measures.
- Expand the attack surface for userland and kernel attacker techniques: Attackers can gain arbitrary kernel code execution. As Apple slowly disallows third-party kernel extensions and transitions the Mac ecosystem towards its Endpoint Security framework, security solutions will no longer be able to monitor the kernel for malicious activity, including malicious code executions.
- Tamper with the integrity of the system, effectively enabling rootkits: This is a derivation of arbitrary kernel code execution: once kernel code execution is established by an attacker, certain rootkit techniques are possible, such as hiding processes or files from all monitoring tools. These techniques might also include bypassing tamper protection, which is important for Microsoft Defender for Endpoint to protect against threats.
- Full TCC bypass: Attackers could replace the databases that control Transparency, Consent, and Control (TCC) policies (TCC.db), thereby enabling unauthorized applications to gain unrestricted access to sensitive data and connected devices.
This isn’t the first time that Microsoft has discovered a vulnerability in macOS that can allow attackers with root privileges to bypass SIP. In October 2021, Microsoft discovered a flaw, dubbed Shrootless (CVE-2021-30892), that can allow attackers to bypass System Integrity Protection (SIP) and perform malicious activities, such as gaining root privileges and installing rootkits on vulnerable devices.