I recently found myself on yet another lonnnng flight (~13hrs Shanghai → back home to Hawaii), thus had some time to write! Hooray :)

Recently I gave a presentation at both ZeroNights in Moscow and Syscan360 in Shanghai where I detailed some research into the Recovery OS and the local OS X upgrade process (i.e. …). Besides discovering that VMware does not verify important boot image signatures (seriously, rly guys?!), I uncovered a way to abuse the OS upgrade/installer application to bypass the OS-level file protections provided by SIP. As Apple has yet to fix this vulnerability, this currently is a 0day. Via this attack, malware can modify OS components and system files, or insert itself into SIP-protected directories, preventing its removal even by code running as root! While the full slides of the talks can be found here, I wanted to also blog about the vulnerability.

Here, let's dive into the technical details of how an attacker can easily bypass Apple's System Integrity Protection (SIP) on a fully patched macOS system. Armed with this 0day attack, hackers can modify protected operating system components or make malware that is itself protected by SIP...and thus quite difficult to delete :/

Introduced in El Capitan, System Integrity Protection or SIP (or 'rootless') is detailed by Apple in various online documents such as "About System Integrity Protection on your Mac" and "System Integrity Protection Guide". In short, SIP is an OS-level security feature that aims to protect Mac users from malicious software:

"System Integrity Protection is a security technology in OS X El Capitan and later that's designed to help prevent potentially malicious software from modifying protected files and folders on your Mac. System Integrity Protection restricts the root user account and limits the actions that the root user can perform on protected parts of the Mac operating system."

In other words, even if malware or an attacker gains root privileges, both are 'limited' in what they can do. Specifically, code, even running as root, cannot:

- write to (or modify) system locations or OS components
- attach to system processes to debug or inject into

From a security point of view, SIP is a great idea! Why? Well, currently most Mac malware is distributed as trojans (e.g. cracked versions of Photoshop, infected BitTorrent clients, or fake installers (e.g. …)). Such malware, when executed by the user, will often display an authentication prompt. If the user naively provides their login credentials, the malicious code will be elevated to root. For example, here's iWorm's authentication prompt:

Before El Capitan, where SIP was not present and code running as root had no permission restrictions, the malware could then do a lot of damage - such as infecting OS components in a very insidious manner. Now, thanks to SIP, gaining root does not mean total system compromise and the 'damage' such malware can achieve is limited.

As the implementation details of System Integrity Protection have been covered before (for example in Esser's "OS X El Capitan - Sinking the S/H/IP" presentation), we won't spend too much time on them here. Basically, as described by Esser, SIP is "mostly a sandbox around the whole system/platform" that is internally called a "platform profile." This sandbox profile, enforced by the sandbox logic in the kernel (Sandbox.kext, etc.), denies the aforementioned operations such as modifying OS components. (For details on the OS X sandbox, see "The Apple Sandbox".)

To view the current status of System Integrity Protection, one can use the csrutil utility with the 'status' flag:

Patrick$ codesign -d --entitlements - /System/Library/PrivateFrameworks/amework/Versions/A/Resources/system_shove

As expected, it contains an entitlement, . This says to the system, "hey OS, even if SIP is enabled, I'm allowed to update core OS/system files." Since entitlements are embedded in the code signature, and thus can be cryptographically verified, the OS will 'agree', allowing the entitled installer application to proceed and modify any file on the file system.

At this point, we have a decent understanding of the goals of Apple's System Integrity Protection and how, at a basic level, it works and is enforced. However, what good is a security mitigation if it can be bypassed and, worse yet, used in a manner that actually can afford malicious code more protections!? Good question :)

Twitter user pointed out that savvy system admins have previously used this technique to customize upgrades and deployments.
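As an added example (my own code, not from the original post), here is a small Python helper for the entitlement check described above: it parses what `codesign -d --entitlements - <binary>` prints and reports which entitlements would let the binary write into SIP-protected locations. It assumes that older codesign versions prefix the XML with the 8-byte embedded-entitlements blob header (magic 0xfade7171 plus a big-endian length), and it treats every key under the `com.apple.rootless.` prefix as SIP-relevant; the sample entitlement plist is constructed for this example, not dumped from a real system binary.

```python
import plistlib
import struct
import subprocess

# Magic of the embedded entitlements blob that codesign prints ahead of the
# XML when run as `codesign -d --entitlements - <binary>` (assumption: the
# header is 4-byte magic followed by a 4-byte big-endian total length).
ENTITLEMENTS_BLOB_MAGIC = 0xFADE7171

# Assumption for this example: any entitlement key under this prefix, when set
# to true, is treated as granting the holder write access inside SIP-protected
# paths and is therefore worth flagging during an audit.
SIP_ENTITLEMENT_PREFIX = "com.apple.rootless."

# Constructed sample: a plausible entitlements plist for an installer helper.
# This is made up for the example and is not output from a real binary.
SAMPLE_XML = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>com.apple.rootless.install</key>
    <true/>
    <key>com.apple.security.app-sandbox</key>
    <false/>
</dict>
</plist>
"""
# Same sample wrapped in the blob header, as codesign would print it.
SAMPLE_BLOB = struct.pack(">II", ENTITLEMENTS_BLOB_MAGIC, 8 + len(SAMPLE_XML)) + SAMPLE_XML


def strip_blob_header(data: bytes) -> bytes:
    """Drop the (magic, length) header if present; pass bare XML through."""
    if len(data) >= 8:
        magic, length = struct.unpack(">II", data[:8])
        if magic == ENTITLEMENTS_BLOB_MAGIC:
            return data[8:length]
    return data


def parse_entitlements(data: bytes) -> dict:
    """Parse codesign entitlement output into a dict; empty if none present."""
    body = strip_blob_header(data).strip()
    if not body:
        return {}
    return plistlib.loads(body)


def sip_relevant_entitlements(data: bytes) -> list:
    """Return entitlement keys that are set to true under the rootless prefix."""
    ents = parse_entitlements(data)
    return sorted(
        key for key, value in ents.items()
        if key.startswith(SIP_ENTITLEMENT_PREFIX) and value is True
    )


def audit_binary(path: str) -> list:
    """Run codesign on a real binary (macOS only) and flag its SIP entitlements."""
    proc = subprocess.run(
        ["codesign", "-d", "--entitlements", "-", path],
        capture_output=True, check=True,
    )
    return sip_relevant_entitlements(proc.stdout)


if __name__ == "__main__":
    # Offline demonstration on the constructed sample; on macOS you could
    # instead call audit_binary("/path/to/binary").
    for key in sip_relevant_entitlements(SAMPLE_BLOB):
        print("SIP-relevant entitlement:", key)
```

The parser accepts both the raw blob and the bare XML, so the same check works whether the output comes from an older codesign or from a plist extracted by other means; on a fleet, running `audit_binary` over third-party installers and helper tools is a cheap way to inventory which code on a machine carries rootless entitlements at all.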