Apple recently patched a vulnerability that allows attackers with root privileges to bypass System Integrity Protection (SIP) to install “unremovable” malware and access victims’ private data by bypassing Transparency, Consent, and Control (TCC) security controls.
System Integrity Protection (SIP), also known as “rootless”, is a macOS security mechanism that prevents potentially malicious software from modifying certain folders and files by placing restrictions on the root user account and its capabilities in protected areas of the operating system.
SIP works on the principle that only Apple-signed processes or those with special rights, such as Apple software updaters and installers, should be allowed to modify macOS-protected components.
It is also important to note that there is no method to disable SIP without rebooting the system and booting macOS Recovery (the built-in recovery system), which requires having physical access to an already compromised device.
However, Microsoft researchers found that attackers with root permissions could bypass the SIP security enforcement by abusing the macOS Migration Assistant utility, a built-in macOS application that uses the systemmigrationd daemon, which has SIP bypass capabilities through its com.apple.rootless.install.heritable entitlement.
Researchers demonstrated that attackers with root permissions could automate the migration process with AppleScript and launch a malicious payload after adding it to SIP’s exclusion list, without rebooting the system and booting from macOS Recovery.
“By focusing on system processes signed by Apple with the com.apple.rootless.install.heritable privilege, we found two child processes that could be tampered with to obtain the execution of arbitrary code in a security context that bypasses SIP checks”, the Microsoft Threat Intelligence team said.
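The research approach described above starts from an inventory of Apple-signed binaries whose entitlements let child processes inherit the SIP bypass. The following Python script is an added example (not Microsoft's or Apple's code) of such an audit from a defender's side: it parses entitlement plists and reports which binaries carry the heritable variant. The entitlement blobs and binary paths are constructed samples; on a real Mac the XML would come from `codesign -d --entitlements` output for each binary.

```python
import plistlib
from typing import Dict, List

# Entitlements that let a process write to SIP-protected locations; the
# ".heritable" variant extends that capability to the process's children.
SIP_BYPASS_ENTITLEMENTS = {
    "com.apple.rootless.install",
    "com.apple.rootless.install.heritable",
}
HERITABLE = "com.apple.rootless.install.heritable"


def sip_bypass_entitlements(entitlements_plist: bytes) -> Dict[str, bool]:
    """Return the SIP-bypass entitlements that are present and set to true."""
    ents = plistlib.loads(entitlements_plist)
    return {k: True for k, v in ents.items()
            if k in SIP_BYPASS_ENTITLEMENTS and v is True}


def inherits_sip_bypass(entitlements_plist: bytes) -> bool:
    """True when child processes of this binary would inherit the SIP bypass."""
    return HERITABLE in sip_bypass_entitlements(entitlements_plist)


def audit_heritable(inventory: Dict[str, bytes]) -> List[str]:
    """Given {binary path: entitlements plist}, list binaries whose children
    inherit the SIP bypass; these (and their child processes) are the ones
    worth monitoring for tampering."""
    return sorted(p for p, plist in inventory.items() if inherits_sip_bypass(plist))


def _plist(body: str) -> bytes:
    # Helper to build constructed sample entitlement plists.
    return (b'<?xml version="1.0" encoding="UTF-8"?>\n'
            b'<plist version="1.0"><dict>' + body.encode() + b'</dict></plist>')


# Constructed samples (hypothetical paths; not dumps from a real system).
SAMPLE_INVENTORY = {
    "/hypothetical/daemon_a": _plist(
        f"<key>{HERITABLE}</key><true/>"
        "<key>com.example.unrelated</key><true/>"),
    "/hypothetical/daemon_b": _plist(
        "<key>com.apple.rootless.install</key><true/>"),
    "/hypothetical/tool_c": _plist(
        f"<key>{HERITABLE}</key><false/>"),
}

if __name__ == "__main__":
    for path in audit_heritable(SAMPLE_INVENTORY):
        print("children inherit SIP bypass:", path)
```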
Arbitrary SIP bypasses carry significant risks, especially when exploited by malware writers, as they allow malicious code to have far-reaching effects, including the creation of SIP-protected malware that cannot be deleted using standard deletion methods.
They also greatly expand the attack surface and could allow attackers to tamper with system integrity by executing arbitrary kernel code and potentially installing rootkits to hide malicious processes and files from security software.
Bypassing SIP protection also allows complete bypassing of Transparency, Consent, and Control (TCC) policies, allowing threat actors to override TCC databases and gain unrestricted access to the private data of the victim.
This is not the first macOS vulnerability Microsoft researchers have reported in recent years. In 2021, they disclosed another SIP bypass, nicknamed Shrootless, that allowed attackers to perform arbitrary operations on compromised Macs, elevate privileges to root, and potentially install rootkits on vulnerable devices.
More recently, Jonathan Bar Or, senior security researcher at Microsoft, also discovered a security flaw, dubbed Achilles, which attackers could exploit to deploy malware via untrusted applications capable of circumventing Gatekeeper’s execution restrictions.
He also discovered powerdir, another macOS security bug that may allow attackers to bypass Transparency, Consent, and Control (TCC) technology to access protected user data.