We know that many security companies and big tech firms have their own teams that discover flaws and vulnerabilities in software and communicate them privately to the software's vendor so that a fix can be released. Some teams, such as Google's Project Zero, also give vendors a deadline to issue a patch before publicly revealing details of the vulnerability, as we have seen in the past. Today, Microsoft shared more details about a macOS vulnerability that it discovered and reported to Apple, and fortunately, a patch is now available.
Microsoft has dubbed this macOS vulnerability "Shrootless". It allows a malicious actor to bypass the OS's System Integrity Protection (SIP) technology and perform arbitrary code execution. During this discovery phase, Microsoft also found a new attack technique that can be used to elevate privileges.
Although the company's blog post goes into lots of technical details that you are free to peruse here, the meat of the matter is how software packages that are signed by Apple and carry post-install scripts get installed. Microsoft discovered that an attacker could abuse this mechanism by creating a custom package that hijacks the install process. After the bypass, the attacker would be free to install rootkits and undetectable malware, and even overwrite system files without SIP blocking it.
Essentially, all of this is possible due to a design flaw. There are some cases in which software packages require access to SIP-protected directories, a prominent example being system updates. Among the entitlements Apple assigns to such packages are com.apple.rootless.install and com.apple.rootless.install.inheritable, which enable the bypass of SIP checks. Microsoft described the weakness in this mechanism as follows:
While assessing macOS processes entitled to bypass SIP protections, we came across the daemon system_installd, which has the powerful com.apple.rootless.install.inheritable entitlement. With this entitlement, any child process of system_installd would be able to bypass SIP filesystem restrictions altogether.
Since Microsoft Defender for Endpoint has a post-breach component, we decided to examine all the child processes of system_installd. To our surprise, we saw a few cases that could allow attackers to abuse its functionality and bypass SIP.
For instance, when installing an Apple-signed package (.pkg file), the said package invokes system_installd, which then takes charge of installing the former. If the package contains any post-install scripts, system_installd runs them by invoking a default shell, which is zsh on macOS. Interestingly, when zsh starts, it looks for the file /etc/zshenv, and—if found—runs commands from that file automatically, even in non-interactive mode. Therefore, for attackers to perform arbitrary operations on the device, a fully reliable path they could take would be to create a malicious /etc/zshenv file and then wait for system_installd to invoke zsh.
As mentioned before, during this process Microsoft also discovered that zshenv could be used as a general attack pattern rather than just for Shrootless. Abuse of this zsh startup file could lead to elevation of privileges.
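The quoted passage above explains the core point defenders should take away: zsh sources /etc/zshenv on every start, interactive or not, so whoever can write that file gets code run by anything that spawns zsh, including system_installd's post-install scripts. The following audit script is an added example, not code from the article or from Microsoft's write-up, and its function name and exit-code scheme are this example's own conventions. It reports whether /etc/zshenv exists, whether its ownership and permissions are what a system-wide startup file should have, and shows its contents for review; it runs against a constructed sample file so it can be tried without touching the real file.

```shell
#!/bin/sh
# Added example (not from the Microsoft write-up or the article): a defender-side
# audit of /etc/zshenv, the file zsh sources even when started non-interactively.
# The function name and the exit-code scheme are this example's own conventions.
#
# audit_zshenv [PATH] [EXPECTED_UID]
#   PATH          file to inspect (default /etc/zshenv)
#   EXPECTED_UID  numeric uid that should own a system-wide shell startup file (default 0 = root)
# Exit status:
#   0  file absent (nothing for zsh to source)
#   1  file present, owned by EXPECTED_UID, not group/world writable: review its contents
#   2  file present but writable by group/other or owned by someone else: treat as a finding
audit_zshenv() {
    path="${1:-/etc/zshenv}"
    expected_uid="${2:-0}"

    if [ ! -e "$path" ]; then
        echo "OK: $path is absent"
        return 0
    fi

    # `ls -ldn` prints the mode string in field 1 and the numeric owner uid in field 3
    # on both macOS and Linux; `set --` reparses that line into positional parameters.
    set -- $(ls -ldn "$path")
    mode="$1"
    uid="$3"

    status=1
    # Character 6 of the mode string is the group write bit, character 9 the world write bit.
    case "$mode" in
        ?????w*)    echo "FINDING: $path is group-writable ($mode)"; status=2 ;;
    esac
    case "$mode" in
        ????????w*) echo "FINDING: $path is world-writable ($mode)"; status=2 ;;
    esac
    if [ "$uid" != "$expected_uid" ]; then
        echo "FINDING: $path is owned by uid $uid, expected $expected_uid"
        status=2
    fi

    if [ "$status" -eq 1 ]; then
        echo "REVIEW: $path exists; zsh sources it on every start, including post-install scripts run by system_installd"
    fi
    # Show what zsh would execute so the reviewer can judge it.
    sed 's/^/    /' "$path"
    return "$status"
}

# Stand-alone demo against a constructed sample file in a temp dir (not the real /etc/zshenv).
demo_dir=$(mktemp -d)
printf '# constructed sample: PATH tweak applied to every zsh\nexport PATH="/usr/local/bin:$PATH"\n' > "$demo_dir/zshenv"
chmod 644 "$demo_dir/zshenv"
audit_zshenv "$demo_dir/zshenv" "$(id -u)" || true   # expected: REVIEW, exit 1
audit_zshenv /etc/zshenv || true                      # the real file on this host
rm -rf "$demo_dir"
```

Exit status 1 is deliberately not "clean": a root-owned, correctly permissioned /etc/zshenv is still code that every zsh on the machine will run, so the script prints the file and leaves the judgement to the reviewer. Exit status 2 means the file could have been planted or edited by a non-root account, which is exactly the precondition the quoted passage describes.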
Naturally, Microsoft shared its findings privately with Apple as part of the usual Coordinated Vulnerability Disclosure (CVD) process. Apple acknowledged the issue, prepared a fix, and released the patch to the public on October 26, 2021. Apple has also credited Microsoft's contribution in the security patch notes for macOS Monterey, Catalina, and Big Sur. The vulnerability is tracked as CVE-2021-30892, and you can also find more details about it here.