The Microsoft 365 Defender Research Team recently discovered a new macOS vulnerability nicknamed “Shrootless” and tracked it as CVE-2021-30892, a vulnerability that can misuse privilege inheritance in macOS ‘System Integrity Protection (SIP) thereby giving room for the execution of arbitrary code with root privileges.<\/p>\n\n\n\n
Reportedly, the vulnerability has already been patched in the three supported versions of macOS (Monterey 12.0.1, Catalina with Security Updates 2021-007, and Big Sur 11.6.1) although there are indications that older versions of OS X running SIP including OS X 10.11 and later may still be vulnerable.<\/p>\n\n\n\n
When examining how Shrootless works, the first thing to understand is how SIP works. SIP as we have it adds kernel-level that prevent certain files on the disk and certain processes in memory from being changed, even with root privileges.<\/p>\n\n\n\n
The bug then takes advantage of the fact that the kernel can modify protected locations as needed, even if root privileges are no longer sufficient to modify important system files.<\/p>\n\n\n