System Integrity Protection (SIP) was introduced in OS X El Capitan and restricts what even the root account can do to protected paths of the operating system.
Yesterday at the SyScan360 conference in Singapore, a researcher from SentinelOne disclosed details of a vulnerability that, if exploited, bypasses SIP. Apple patched it this week, but only in El Capitan.
The flaw, researcher Pedro Vilaca said, allows for local privilege escalation and is present in every version of OS X, but was patched only in the latest version, OS X 10.11.4.
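The article names OS X 10.11.4 as the only release carrying the fix and SIP as the control being bypassed. As an added example (not from the article, the advisory, or SentinelOne), the POSIX shell script below checks whether a host is at or above that release and whether SIP reports as enabled. It assumes the standard macOS tools sw_vers, csrutil and ls -lO are present and, when they are not, falls back to constructed sample output so the helper functions can still be exercised.

```shell
#!/bin/sh
# Added example: check patch level and SIP state on a Mac. The parsing of
# `csrutil status` and `ls -lO` output below is my assumption about their
# format, not something stated in the article.

PATCHED_VERSION="10.11.4"   # the fixed release named in the article

# version_ge A B: succeed (exit 0) if dotted version A >= B, comparing
# numerically field by field, so 10.11.10 > 10.11.4 and 10.12 > 10.11.4.
# Missing trailing fields count as 0 (10.11 == 10.11.0).
version_ge() {
    v1=$1
    v2=$2
    while [ -n "$v1" ] || [ -n "$v2" ]; do
        a=${v1%%.*}
        b=${v2%%.*}
        [ -n "$a" ] || a=0
        [ -n "$b" ] || b=0
        [ "$a" -gt "$b" ] && return 0
        [ "$a" -lt "$b" ] && return 1
        case $v1 in *.*) v1=${v1#*.} ;; *) v1= ;; esac
        case $v2 in *.*) v2=${v2#*.} ;; *) v2= ;; esac
    done
    return 0
}

# sip_state TEXT: classify the output of `csrutil status`
# ("System Integrity Protection status: enabled." or "... disabled.").
sip_state() {
    case $1 in
        *"status: enabled"*)  echo enabled ;;
        *"status: disabled"*) echo disabled ;;
        *)                    echo unknown ;;
    esac
}

# count_restricted TEXT: count entries in `ls -lO` output that carry the
# `restricted` BSD flag SIP uses; the flags column follows the group column.
count_restricted() {
    printf '%s\n' "$1" | awk '$5 ~ /restricted/ { n++ } END { print n+0 }'
}

# Constructed sample output (not captured from a real machine) so the
# functions above can be exercised on any host:
SAMPLE_CSRUTIL="System Integrity Protection status: enabled."
SAMPLE_LS='total 0
drwxr-xr-x  4 root  wheel  restricted  136 Mar 21  2016 Library
drwxr-xr-x  2 root  wheel  -            68 Mar 21  2016 Volumes
-rw-r--r--  1 root  wheel  restricted   42 Mar 21  2016 somefile'

# Run live checks only where the macOS tools exist; otherwise use the samples.
if command -v sw_vers >/dev/null 2>&1 && command -v csrutil >/dev/null 2>&1; then
    current=$(sw_vers -productVersion)
    csr_out=$(csrutil status 2>&1)
    ls_out=$(ls -lO /System 2>/dev/null)
else
    current="10.11.3"   # constructed: stand in for an unpatched host
    csr_out=$SAMPLE_CSRUTIL
    ls_out=$SAMPLE_LS
fi

if version_ge "$current" "$PATCHED_VERSION"; then
    echo "OS X $current: at or above $PATCHED_VERSION (fix present per the advisory)"
else
    echo "OS X $current: below $PATCHED_VERSION, fix for the SIP bypass not present"
fi
echo "SIP: $(sip_state "$csr_out")"
echo "restricted entries in listing: $(count_restricted "$ls_out")"
```

A version at or above 10.11.4 only tells you the fix is present; the SIP line is the separate check that the control is actually on, since csrutil can disable it from the recovery partition and a host with SIP off has nothing for this bug to bypass in the first place.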
“This vulnerability is a non-memory corruption bug that exists in every version of OS X and allows users to execute arbitrary code on any binary,” Vilaca wrote in an advisory published by SentinelOne. “SIP is a new feature, which is designed to prevent potentially malicious software from modifying protected files and folders: essentially to protect the system from anyone who has root access, authorized or not.”
Vilaca said that an attacker would already need a foothold on the vulnerable computer, gained through a separate attack, before this bug could be used.
“The same exploit allows someone to escalate privileges and also to bypass system integrity. In this way, the same OS X security feature designed to protect users from malware can be used to achieve malware persistency,” Vilaca wrote. “It is a logic-based vulnerability, extremely reliable and stable, and does not crash machines or processes. This kind of exploit could typically be used in highly targeted or state sponsored attacks.”
Although it is a local attack, Rapid7 senior security consultant Guillaume Ross said an attacker who already has a foothold could use the bug to escalate privileges and move laterally on a network.
“For systems administrators managing OS X servers used by multiple users through SSH or screen-sharing, or for shared OS X computers such as those found in schools, this vulnerability should be considered very dangerous, as legitimate users could attempt to use it to elevate privileges and take control of the system, or other users’ data,” Ross said.
“Privilege escalation/elevation bugs like this are often used as a second step – they come after an attack or where malware has taken control of the system to access more information or modify the system further,” Ross added. “For this vulnerability to be exploited, something else must be leveraged in the first instance, such as existing malware on the system or another vulnerability that can be exploited remotely, or legitimate access to the computer.”
Vilaca added that exploits would be difficult to detect.
“The nature of this particular exploit enables it to evade defenses by utilizing very reliable and stable techniques that traditional detection mechanisms, looking for more obvious warning signs, would miss,” he said.