Microsoft Uncovers macOS Flaw Allowing Hackers to Bypass SIP Root Restrictions

May 30, 2023

Apple has recently fixed a vulnerability, dubbed Migraine and tracked as CVE-2023-32369, that allowed attackers with root privileges to bypass System Integrity Protection (SIP) and install 'undeletable' malware. The flaw also enabled hackers to access victims' private data by circumventing Transparency, Consent, and Control (TCC) security checks. Microsoft security researchers discovered the vulnerability and reported it to Apple. The tech giant has since released patches in security updates for macOS Ventura 13.4, macOS Monterey 12.6.6, and macOS Big Sur 11.7.7 on May 18.

System Integrity Protection (SIP), also known as 'rootless,' is a security feature in macOS designed to prevent potentially harmful software from modifying certain folders and files. SIP imposes restrictions on the root user account and its capabilities within protected areas of the operating system. The principle behind SIP is that only processes signed by Apple or those with special entitlements, such as Apple software updates and installers, should be allowed to alter macOS-protected components. It is worth noting that SIP cannot be disabled without restarting the system and booting from macOS Recovery, which requires physical access to an already compromised device.

Microsoft's researchers found that attackers with root permissions could bypass SIP security enforcement by exploiting the macOS Migration Assistant utility. This built-in macOS app uses the systemmigrationd daemon with SIP-bypassing capabilities due to its com.apple.rootless.install.heritable entitlement. The researchers demonstrated that attackers with root permissions could automate the migration process with AppleScript and execute a malicious payload after adding it to SIP's exclusions list without restarting the system and booting from macOS Recovery. The Microsoft Threat Intelligence team explained, "By focusing on system processes that are signed by Apple and have the com.apple.rootless.install.heritable entitlement, we found two child processes that could be tampered with to gain arbitrary code execution in a security context that bypasses SIP checks."
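The researchers' starting point, as quoted above, was an inventory of Apple-signed processes carrying the com.apple.rootless.install.heritable entitlement. The same inventory is useful on the defensive side: knowing which binaries on a fleet can write to SIP-protected locations, and confirming SIP is actually enabled, gives detection engineers a baseline to alert on. The script below is an added example written for this article, not code from Microsoft or Apple. It parses the XML entitlements plist that `codesign -d --entitlements :-` prints (the exact output format of that command is an assumption about current macOS releases) and the status line printed by `csrutil status`; the two sample plists and the binary paths are constructed for illustration.

```python
"""Inventory helper: which binaries carry SIP-bypassing entitlements, and is SIP on?"""
import plistlib
import re
import subprocess
from typing import Dict, List, Set, Tuple

# Entitlements that let a process write to SIP-protected locations.
# The ".heritable" variant, named in the article, passes that ability on to
# child processes, which is why its holders deserve extra scrutiny.
SIP_BYPASS_ENTITLEMENTS = {
    "com.apple.rootless.install",
    "com.apple.rootless.install.heritable",
}


def sip_bypass_entitlements(entitlements_plist: bytes) -> Set[str]:
    """Return the SIP-bypass entitlements set to true in an XML entitlements plist.

    Malformed or non-dictionary input yields an empty set rather than an
    exception, so one odd binary does not abort a whole audit run.
    """
    try:
        ents = plistlib.loads(entitlements_plist)
    except Exception:
        return set()
    if not isinstance(ents, dict):
        return set()
    return {name for name in SIP_BYPASS_ENTITLEMENTS if ents.get(name) is True}


def sip_enabled(csrutil_status_output: str) -> bool:
    """Parse `csrutil status` output; anything other than a plain 'enabled' counts as off.

    A custom configuration reports e.g. 'unknown (Custom Configuration)', which
    is deliberately treated as not fully enabled.
    """
    match = re.search(r"System Integrity Protection status:\s*(\w+)", csrutil_status_output)
    return bool(match) and match.group(1).lower() == "enabled"


def read_entitlements(binary_path: str) -> bytes:
    """macOS-only: dump a binary's entitlements as an XML plist via codesign.

    Assumption: `codesign -d --entitlements :- <path>` prints the plist with
    the blob header stripped. Not exercised by the offline sample below.
    """
    result = subprocess.run(
        ["codesign", "-d", "--entitlements", ":-", binary_path],
        capture_output=True, check=False,
    )
    return result.stdout


def audit(entitlements_by_path: Dict[str, bytes]) -> List[Tuple[str, Set[str]]]:
    """Return (path, entitlements) for every binary carrying a SIP-bypass entitlement."""
    findings = []
    for path, plist in sorted(entitlements_by_path.items()):
        found = sip_bypass_entitlements(plist)
        if found:
            findings.append((path, found))
    return findings


# Constructed sample plists (not captured from a real system), in the shape codesign emits.
SAMPLE_HERITABLE = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>com.apple.rootless.install.heritable</key>
    <true/>
</dict>
</plist>
"""

SAMPLE_PLAIN = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
    <key>com.apple.security.app-sandbox</key>
    <true/>
</dict>
</plist>
"""

if __name__ == "__main__":
    # Hypothetical paths; on a real host you would feed read_entitlements() output instead.
    sample = {
        "/constructed/path/systemmigrationd": SAMPLE_HERITABLE,
        "/constructed/path/SandboxedApp": SAMPLE_PLAIN,
    }
    for path, ents in audit(sample):
        print(f"{path}: {', '.join(sorted(ents))}")
    print("SIP enabled:", sip_enabled("System Integrity Protection status: enabled."))
```

On a real system you would collect entitlements with `read_entitlements()` for each binary of interest, feed the results to `audit()`, and compare the list against an expected baseline; a new or unexpected holder of a rootless entitlement, or `sip_enabled()` returning false on a managed Mac, is worth an alert.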

Arbitrary SIP bypasses pose significant risks, particularly when exploited by malware creators. Malicious code can have far-reaching effects, such as creating SIP-protected malware that cannot be removed using standard deletion methods. Such bypasses also significantly increase the attack surface, potentially allowing attackers to compromise system integrity through arbitrary kernel code execution and the installation of rootkits to conceal malicious processes and files from security software. Bypassing SIP protection also leads to a complete bypass of Transparency, Consent, and Control (TCC) policies, enabling threat actors to replace TCC databases and gain unrestricted access to victims' private data.

This is not the first macOS vulnerability reported by Microsoft researchers in recent years. Another SIP bypass, called Shrootless, was reported in 2021, which allowed attackers to perform arbitrary operations on compromised Macs, escalate privileges to root, and potentially install rootkits on vulnerable devices. More recently, Microsoft principal security researcher Jonathan Bar Or discovered a security flaw known as Achilles, which attackers could exploit to deploy malware via untrusted apps capable of bypassing Gatekeeper execution restrictions. He also found powerdir, another macOS security bug that could let attackers bypass Transparency, Consent, and Control (TCC) technology to access users' protected data.
