Resources

People often ask me "How did you learn how to hack?" The answer: by reading. This page is a collection of the blog posts and other articles that I have accumulated over the years of my journey. Enjoy!

Microsoft finds new macOS vulnerability, Shrootless, that could bypass System Integrity Protection - 668

Jonathan Bar Or - Microsoft. Posted 4 years ago.
  • System Integrity Protection (SIP) protects the system from running unauthorized code on macOS; for example, the system automatically authorizes apps that the user downloads from the App Store. It is also known as “rootless”; it essentially locks down the system from root by leveraging the Apple sandbox to protect the entire platform.
  • SIP has added many restrictions over the years; one of these is the filesystem restrictions. The rootless configuration controls which files are SIP protected, and there is an extended attribute for this as well. There is a legitimate way to bypass this though: the rootless.* entitlements, which are used for upgrades and similar system tasks.
  • In the past, there have been several bypasses for SIP:
    • Abusing dynamic libraries. Similar to DLL hijacking on Windows, there was a bypass that allowed a malicious dynamic library to be inserted into a binary that held a rootless.* entitlement.
    • In 2020, a mounting vulnerability was found. By directly mounting a .dmg file over a SIP protected folder, SIP could be bypassed.
    • Many entitled processes may have security holes, such as fsck_cs. In this case, you could feed the utility symbolic links to make it load SIP protected directories.
  • Microsoft Defender has the com.apple.rootless.install.heritable entitlement. With this entitlement, any child process of system_installd would be able to bypass SIP filesystem restrictions altogether. Would it be possible to get this binary to run something that we control?
  • This was likely exploitable in several scenarios; however, the authors chose to look into system_installd specifically. When installing an Apple-signed package, the package invokes system_installd, which takes charge of the installation. If the package contains any post-install scripts, they are run via the default shell, zsh.
  • When zsh starts, it looks for the file /etc/zshenv; if that file is found, the commands in it are run automatically. This allows arbitrary actions to be performed in the context of system_installd and hence, in the context of Microsoft Defender.
  • Overall, this is a great find that required a deep understanding of macOS and the entitlements put in place. The zsh issue likely exists in other places too, meaning it may be a valid exploit technique going forward.
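Since the whole chain hinges on zsh silently sourcing /etc/zshenv, the defender-side check I would want is an audit of the global zsh startup files: do they exist, who can write them, and do they carry anything executable. This is an added example of mine, not code from the Microsoft post; the `root` parameter and the `_constructed_fixture` helper are my own additions so the check can be pointed at a mounted image or a test directory.

```python
import os
import stat
import tempfile
from pathlib import Path

# Global zsh startup files. /etc/zshenv is sourced by every zsh invocation,
# including the non-interactive shell that runs package post-install scripts,
# which is exactly why it mattered for the system_installd chain above.
ZSH_GLOBAL_STARTUP_FILES = ("etc/zshenv", "etc/zprofile", "etc/zshrc", "etc/zlogin")


def audit_zsh_startup_files(root="/"):
    """Return one finding per existing global zsh startup file under `root`.

    Each finding is {"path": str, "issues": [str, ...]}; an empty issue list
    means the file exists but is root-owned, not writable by others, and
    contains no non-comment lines. `root` is a hypothetical parameter so the
    audit can run against a mounted volume instead of the live system.
    """
    findings = []
    for rel in ZSH_GLOBAL_STARTUP_FILES:
        path = Path(root) / rel
        if not path.exists() and not path.is_symlink():
            continue
        st = path.lstat()
        issues = []
        if stat.S_ISLNK(st.st_mode):
            issues.append("is a symlink")          # could redirect to an attacker-controlled file
        if st.st_mode & stat.S_IWOTH:
            issues.append("world-writable")
        if st.st_mode & stat.S_IWGRP:
            issues.append("group-writable")
        if st.st_uid != 0:
            issues.append(f"owned by uid {st.st_uid}, not root")
        try:
            lines = path.read_text(errors="replace").splitlines()
        except OSError:
            lines = []
        active = [l for l in lines if l.strip() and not l.lstrip().startswith("#")]
        if active:
            issues.append(f"contains {len(active)} executable line(s)")
        findings.append({"path": str(path), "issues": issues})
    return findings


def _constructed_fixture():
    """Build a constructed sample tree with a world-writable etc/zshenv (test data only)."""
    root = tempfile.mkdtemp(prefix="zshaudit-")
    etc = Path(root) / "etc"
    etc.mkdir()
    (etc / "zshenv").write_text("# harmless comment\nexport DEMO_ONLY=1\n")
    os.chmod(etc / "zshenv", 0o666)
    return root


if __name__ == "__main__":
    for f in audit_zsh_startup_files():
        print(f["path"], "->", ", ".join(f["issues"]) or "ok")
```

On a live Mac, run it as `python3 audit_zshenv.py`; any finding with issues on /etc/zshenv deserves a look, since SIP does not protect that path.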