Shrootless bug lets hackers install macOS rootkits

Posted on

Attackers could use a new macOS vulnerability discovered by Microsoft to bypass System Integrity Protection (SIP) and perform arbitrary operations, elevate root privileges and install rootkits on vulnerable devices.

The Microsoft 365 Defender Research Team reported the vulnerability, named Shrootless (now tracked as CVE-2021-30892) to Apple through Microsoft Security Vulnerability Research (MSVR).

SWALLOW (also known as rootless) is a macOS security technology that prevents potentially malicious software from modifying protected folders and files by restricting the root user account and the actions it can take on protected parts of the operating system.

SIP only allows processes signed by Apple or those with special authorizations (e.g. Apple software updates and Apple installers) to change these protected parts of macOS.

“We discovered that the vulnerability lies in the way Apple-signed packages are installed using post-install scripts. A malicious actor could create a specially crafted file that hijacked the installation process. ” explained Jonathan Bar Or, Senior Security Researcher at Microsoft.

“After circumventing the restrictions of SIP, the attacker could, among other things, install a malicious kernel driver (rootkit), overwrite system files or install persistent, undetectable malware.”

Shrootless PoC exploit
Shrootless PoC exploit (Microsoft)

Apple has released a fix to address the vulnerability with the Security updates published two days ago, on October 26th.

“A malicious application can potentially modify protected parts of the file system,” Apple said in the Security notice.

Apple fixed the inherited permissions issue behind the Shrootless bug with additional restrictions.

“We’d like to thank the Apple Product Safety team for their professionalism and responsiveness in fixing the issue,” added Jonathan Bar Or.

Last week Microsoft also reported results new variants of the macOS WizardUpdate malware (also tracked as UpdateAgent or Vigram), updated to use new evasion and persistence tactics.

This Trojan delivers tier two malware payloads, including Adload, an active malware strain since the end of 2017 and known to be able to slip through Apple’s YARA signature-based XProtect-integrated anti-virus program Infect Macs.

In June, Redmond security researchers also discovered Critical firmware vulnerabilities in some NETGEAR router models that attackers could use to break through corporate networks and move sideways.

News Source

Leave a Reply

Your email address will not be published. Required fields are marked *