Microsoft finds new macOS vulnerability, Shrootless, that could bypass System Integrity Protection

We discussed this vulnerability during Episode 97 on 08 November 2021

It is possible to bypass macOS's System Integrity Protection (SIP) through the system_installd daemon. This daemon holds the com.apple.rootless.install.heritable entitlement, which means that any child process it starts inherits the SIP exemption and is not protected by SIP.

While the daemon has multiple uses, one use case is the installation of Apple-signed package files (.pkg): installing such a package invokes the daemon to do the work. The problem is that if the package carries any post-install scripts, they are launched with the default shell, zsh for most users. On startup, zsh looks for the /etc/zshenv file and executes any commands it contains. An attacker could create this file and place a malicious script within it, leading to code execution in a process that is not protected by SIP.
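Because the chain hinges on /etc/zshenv being sourced by a SIP-exempt child of system_installd, a defender's baseline check is to confirm that this file either does not exist (the stock macOS state) or is root-owned, not writable by other users, and unchanged from a known-good hash. The following audit routine is an added example, not code from Microsoft's write-up or the episode notes; the path list, function names and the sample file it constructs are assumptions for illustration.

```python
"""Audit a zsh system startup file such as /etc/zshenv for tampering."""
import hashlib
import os
import stat
import tempfile

# Startup file the Shrootless chain abuses (hypothetical list, extend as needed).
ZSH_SYSTEM_STARTUP_FILES = ("/etc/zshenv",)


def audit_startup_file(path, baseline_sha256=None):
    """Return a list of findings for one startup file ([] means nothing suspicious).

    baseline_sha256: hex SHA-256 of the known-good content, or None when the
    file is not expected to exist at all (the default on a stock macOS).
    """
    findings = []
    try:
        st = os.lstat(path)
    except FileNotFoundError:
        if baseline_sha256 is not None:
            findings.append("expected file is missing")
        return findings
    if stat.S_ISLNK(st.st_mode):
        findings.append("is a symlink")  # could redirect to attacker-controlled content
    if baseline_sha256 is None:
        findings.append("unexpected file present")
    if st.st_uid != 0:
        findings.append(f"not owned by root (uid {st.st_uid})")
    if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        findings.append("group- or world-writable")
    if baseline_sha256 is not None and not stat.S_ISLNK(st.st_mode):
        with open(path, "rb") as f:
            digest = hashlib.sha256(f.read()).hexdigest()
        if digest != baseline_sha256:
            findings.append("content differs from baseline")
    return findings


def demo():
    """Constructed scenario in a temp dir: a world-writable zshenv look-alike.

    Returns (findings with no baseline, findings with a matching baseline).
    """
    content = b"# constructed sample content, not a real /etc/zshenv\n"
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "zshenv")
        with open(path, "wb") as f:
            f.write(content)
        os.chmod(path, 0o666)  # deliberately too permissive for the demo
        good_hash = hashlib.sha256(content).hexdigest()
        return audit_startup_file(path), audit_startup_file(path, good_hash)
```

Run `audit_startup_file(p, baselines.get(p))` for each entry of ZSH_SYSTEM_STARTUP_FILES from a scheduled endpoint job and alert on any non-empty result.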