Microsoft finds new macOS vulnerability, Shrootless, that could bypass System Integrity Protection
It is possible to bypass macOS's System Integrity Protection (SIP) through the system_installd daemon. The daemon holds the com.apple.rootless.install.heritable entitlement, which means that any child process it starts inherits its exemption from SIP. Among its several jobs, system_installd handles the installation of Apple-signed package files (.pkg): the installer hands the package to the daemon, which performs the install. The weak spot is the post-install stage. If the package carries post-install scripts, they are launched through the default shell, which is zsh on recent macOS versions, and zsh reads /etc/zshenv on every start, including non-interactive runs, and executes whatever commands it contains. An attacker who can write to /etc (that is, one who already has root, the very privilege SIP is meant to constrain) could create this file with a malicious script and wait for any Apple-signed package to be installed; the script would then run as a child of system_installd, outside SIP's protection.
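The file at the centre of this technique is one a defender can audit directly. The script below is an added example, not code from Microsoft's write-up: it inspects a zsh startup file (by default /etc/zshenv, which a stock macOS install does not ship) and flags any active command lines, since anything there runs under every zsh invocation, including the non-interactive shells that execute package post-install scripts. The path argument and the exit-code convention (0 clean, 1 needs review) are this example's own choices.

```shell
#!/bin/sh
# Added example (not from the original page): audit a system-wide zsh startup
# file for commands that would run in every zsh process, including the
# post-install scripts that system_installd launches during a .pkg install.
#
# audit_zshenv [path]
#   Returns 0 when the file is absent or holds only comments and blank lines,
#   1 when it contains active commands (printing them, plus owner/mode, for review).
#   The default path /etc/zshenv is the file zsh reads on every start.
audit_zshenv() {
    path="${1:-/etc/zshenv}"

    if [ ! -e "$path" ]; then
        echo "$path: absent (expected on a stock macOS install)"
        return 0
    fi

    # Drop comment-only and blank lines; anything left executes on zsh start.
    live=$(grep -v '^[[:space:]]*#' "$path" | grep -v '^[[:space:]]*$' | wc -l | tr -d ' ')

    if [ "$live" -eq 0 ]; then
        echo "$path: present but contains no active commands"
        return 0
    fi

    echo "$path: $live active line(s); review before installing any package:"
    grep -v '^[[:space:]]*#' "$path" | grep -v '^[[:space:]]*$'
    # Ownership and mode tell you who could have placed or altered the file.
    ls -l "$path"
    return 1
}
```

Run it as root on the host itself (audit_zshenv with no argument), or point it at a file copied off a machine under investigation. A non-empty /etc/zshenv is not proof of compromise by itself, but on macOS the file has no default contents, so any active line deserves an explanation before the next Apple-signed package is installed.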