Security researchers from Microsoft have discovered a vulnerability dubbed “Shrootless” that can bypass macOS System Integrity Protection (SIP).
SIP is a macOS security technology first introduced in OS X El Capitan and later versions that is designed to help prevent potentially malicious software from modifying protected files and folders on Apple Macs.
Apple patched the Shrootless vulnerability (CVE-2021-30892) in zsh on macOS last week as part of macOS security updates for Catalina, BigSur and Monterey. The vulnerability could allow a malicious application to modify protected parts of the file system.
The Microsoft 365 Defender Research Team described the issue in a recent blog post:
We found that the vulnerability lies in how Apple-signed packages with post-install scripts are installed. A malicious actor could create a specially crafted file that would hijack the installation process. After bypassing SIP’s restrictions, the attacker could then install a malicious kernel driver (rootkit), overwrite system files, or install persistent, undetectable malware, among others.Microsoft
Microsoft further described additional details in the post on Shrootless and notable SIP bypasses, such as abusing dynamic libraries, mounting, and abusing entitlements.