A zero-day exploit affecting Mac OS X allows attackers to execute arbitrary code on any binary. That’s not good, and it gets worse. The exploit bypasses System Identity Protection (SIP, sometimes called rootless), and is almost impossible to trace once implemented. Apple has been notified and a patch is on the way.
“Our researchers recently uncovered a major flaw which allows for local privilege escalation and bypass of System Integrity Protection, Apple’s newest protection feature,” wrote SentinelOne in a blog post announcing the discovery. A talk given by Pedro Vilaça at SyScan360, a security conference in downtown Singapore this week, outlined the exploit in detail.
The exploit is unique in that it doesn’t use memory corruption, an common attacker exploit. Instead, the attack exploits a longstanding vulnerability in OS X’s security schemes to gain near-total control over any Mac.
The even crazier thing, however, is that this exploit not only bypasses System Identity Protection but can actively use it to ensure changes made to the system aren’t repaired, something Vilaça calls a SIP “protection racket”.
SIP was introduced with OS X 10.11, El Capitan. It prevents users from changing core system files entirely, even if they enter a root password (hence the nickname “rootless”: there effectively is not a root user). Bypassing SIP and making changes means users cannot undo the changes without first disabling SIP.
Even worse, this exploit is hard to detect using traditional methods.
It all sounds awful, but happily there is no evidence of this exploit being used in the wild, and SentinelOne has informed Apple of the problems. Patches will be out soon.
Vilaça, for what it’s worth, is not blaming Apple.
“Designing security systems is hard,” Vilaça’s slides say at the end of the talk. “Move to defense and give it a try.”
You can read the presentation slides here. It’s a good overview, though a lot of the details seem to be mentioned on-stage and are not on the slides. Here’s hoping a longform version will come out soon.