May 30, 2023, 03:20 PM
Apple has recently addressed a vulnerability that lets attackers with root privileges bypass System Integrity Protection (SIP) to install "undeletable" malware and access the victim's private data by circumventing Transparency, Consent, and Control (TCC) security checks.
Discovered and reported to Apple by a team of Microsoft security researchers, the flaw (dubbed Migraine) is now tracked as CVE-2023-32369.
Apple has patched the vulnerability in security updates for macOS Ventura 13.4, macOS Monterey 12.6.6, and macOS Big Sur 11.7.7, released two weeks ago, on May 18.
System Integrity Protection (SIP), also known as 'rootless,' is a macOS security mechanism that prevents potentially malicious software from altering certain folders and files by imposing restrictions on the root user account and its capabilities within protected areas of the operating system.
SIP operates under the principle that only processes signed by Apple or those possessing special entitlements, such as Apple software updates and installers, should be authorized to alter macOS-protected components.
It's also important to note that SIP cannot be disabled without restarting the system and booting into macOS Recovery (the built-in recovery system), which requires physical access to an already compromised device.
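The two defender-side checks implied by the paragraphs above are whether SIP is actually enabled on a host and whether the host is running a build at or above the release that carries the CVE-2023-32369 fix (Ventura 13.4, Monterey 12.6.6, Big Sur 11.7.7). The script below is an added example and is not code from the article, Microsoft or Apple; it parses the status line that `csrutil status` prints, compares dotted version strings against the minimum patched version for each macOS line named in the article, and, when run on a Mac where `sw_vers` and `csrutil` exist, reports on the live host. The `csrutil` output used for the self-test is a constructed sample, and the function names are my own.

```shell
#!/bin/sh
# Added example (not from the article): SIP status and patch-level check for
# CVE-2023-32369 ("Migraine"). Minimum patched versions per macOS line are the
# ones the article lists: Ventura 13.4, Monterey 12.6.6, Big Sur 11.7.7.

# Return 0 if dotted numeric version $1 is greater than or equal to $2.
# Assumes purely numeric components (e.g. "12.6.6"); missing trailing
# components are treated as 0, so 13.4 == 13.4.0.
version_ge() {
    v1="$1"; v2="$2"
    while [ -n "$v1" ] || [ -n "$v2" ]; do
        a=${v1%%.*}; b=${v2%%.*}
        a=${a:-0};   b=${b:-0}
        [ "$a" -gt "$b" ] && return 0
        [ "$a" -lt "$b" ] && return 1
        # Equal so far: drop the leading component and compare the rest.
        case $v1 in *.*) v1=${v1#*.} ;; *) v1= ;; esac
        case $v2 in *.*) v2=${v2#*.} ;; *) v2= ;; esac
    done
    return 0
}

# Return 0 if macOS version $1 carries the Migraine fix for its major line,
# 1 if it is older than the fixed release, and 2 if the major line is not one
# the article covers (older than Big Sur, or newer than Ventura).
migraine_patched() {
    case ${1%%.*} in
        13) version_ge "$1" 13.4 ;;
        12) version_ge "$1" 12.6.6 ;;
        11) version_ge "$1" 11.7.7 ;;
        *)  return 2 ;;
    esac
}

# Return 0 when the text of `csrutil status` ($1) reports SIP enabled.
sip_enabled() {
    case $1 in
        *"System Integrity Protection status: enabled"*) return 0 ;;
        *) return 1 ;;
    esac
}

# Constructed sample of `csrutil status` output, used only for self-test.
SAMPLE_CSRUTIL="System Integrity Protection status: enabled."

# Live check, only when the macOS tools are present on this host.
if command -v sw_vers >/dev/null 2>&1 && command -v csrutil >/dev/null 2>&1; then
    ver=$(sw_vers -productVersion)
    status=$(csrutil status 2>/dev/null)
    if sip_enabled "$status"; then
        echo "SIP: enabled"
    else
        echo "SIP: NOT enabled (csrutil reported: $status)"
    fi
    migraine_patched "$ver"
    case $? in
        0) echo "macOS $ver: at or above the CVE-2023-32369 fixed release" ;;
        1) echo "macOS $ver: older than the fixed release for this line, update" ;;
        2) echo "macOS $ver: line not covered by the May 18 advisory, check Apple's notes" ;;
    esac
fi
```

Run it as a plain shell script on the host; on anything other than macOS the live block is skipped and only the functions are defined, which is what makes it safe to drop into a fleet-wide inventory job that runs the same script everywhere.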
However, Microsoft's researchers found that attackers with root permissions could bypass SIP security enforcement by abusing the macOS Migration Assistant utility, a built-in macOS app that uses the systemmigrationd daemon with SIP-bypassing capabilities stemming from its com.apple.rootless.install.heritable entitlement.
The researchers demonstrated that attackers with root permissions could automate the migration process with AppleScript and launch a malicious payload after adding it to SIP's exclusions list without restarting the system and booting from macOS Recovery.
"By focusing on system processes that are signed by Apple and have the com.apple.rootless.install.heritable entitlement, we found two child processes that could be tampered with to gain arbitrary code execution in a security context that bypasses SIP checks," the Microsoft Threat Intelligence team said.
Arbitrary SIP bypasses come with significant risks, especially when exploited by malware creators, as they allow malicious code to have far-reaching effects, including creating SIP-protected malware that can't be removed via standard deletion methods.
They also greatly expand the attack surface and could allow attackers to tamper with system integrity through arbitrary kernel code execution and potentially install rootkits to hide malicious processes and files from security software.
Bypassing SIP protection also enables a complete bypass of Transparency, Consent, and Control (TCC) policies, allowing threat actors to replace TCC databases and grant themselves unrestricted access to the victim's private data.
This is not the first such macOS vulnerability reported by Microsoft researchers in recent years: another SIP bypass, dubbed Shrootless and reported in 2021, allowed attackers to perform arbitrary operations on compromised Macs, escalate privileges to root, and potentially install rootkits on vulnerable devices.
More recently, Microsoft principal security researcher Jonathan Bar Or also found a security flaw known as Achilles that attackers could exploit to deploy malware via untrusted apps capable of bypassing Gatekeeper execution restrictions.
He also discovered powerdir, another macOS security bug that can let attackers bypass Transparency, Consent, and Control (TCC) technology to access users' protected data.