Researchers at Perception Point write about CVE-2022-22583, a successor to Shrootless that could let attackers bypass Mac System Integrity Protection (SIP). It was patched yesterday in macOS Monterey 12.2, macOS Big Sur 11.6.3 and Security Update 2022-001 Catalina. Apple shared the credit for this CVE between three researchers: Mickey Jin (@patch1t), Ron Hass (@ronhass7) of Perception Point and an anonymous researcher.
Perception Point says this new zero day is a successor to the one Microsoft found last year, dubbed “shrootless.” Microsoft researchers noticed that when the user installs an Apple-signed package, it is automatically executed by the service “system_installd.” If the package contains any pre/post-install scripts, they are also executed by “system_installd” and inherit the “com.apple.rootless.install.heritable” entitlement, which allows these scripts to fully bypass SIP’s filesystem restrictions.
If one of the pre/post-install scripts was a zsh script, “system_installd” would execute zsh (z-shell) which would source the “/etc/zshenv” file. SIP doesn’t restrict this file and it can be modified by root. Any code inside it would run and thus bypass SIP whenever an Apple-signed package with a zsh script is installed. Apple fixed it by stopping zsh from sourcing “/etc/zshenv.”
Perception Point found a macOS directory /tmp isn’t restricted by SIP. Here are the steps the team took:
- Create a virtual image file and mount it onto “/private/tmp”.
- Install an Apple-signed package with post-install scripts.
- Wait for the installer to finish the extraction of the scripts directory, and gather the random parts of the extracted path.
- Unmount the image file, thus reverting to the contents of “/private/tmp” before the extraction.
- Create the scripts directory by ourselves (with the random path we gathered earlier) and deposit there whatever scripts we want.
Any script we put as the “post-install script” inherits the “com.apple.rootless.install.heritable” entitlement from “system_installd” and is able to fully bypass SIP restrictions.
In macOS 12.2, Apple changed the extraction destination to a new directory: “/Library/Apple/System/Library/InstallerSandboxes.” Apple also prevents mount attempts onto the “/Library/ directory when SIP is enabled.