This article is more than 1 year old
Apple's fruitless rootless security broken by code that fits in a tweet
Flaws not fully patched in latest versions, says researcher
Code dive Apple's much-hyped rootless security mechanism in OS X can be evaded even in the latest version of the operating system, according to a top researcher.
Apple's rootless design, aka System Integrity Protection (SIP), marks sensitive directories in the computer's file system as being off-limits even to the root user.
Normally, on Unix-flavored OSes, root is all powerful and can do whatever it likes. Well, Apple hates that idea: it means malware with elevated privileges or a clumsy user can infect or trash vital executables and other files. On OS X El Capitan, root is no longer allowed to rule the roost and take over all aspects of the computer.
The way SIP works is simple: mark /System, /bin, /sbin and /usr except /usr/local with a special flag that means only programs with a particular attribute can modify files in those directories. And very few programs – the software update tool being one of them – are given this special com.apple.rootless permission to access SIP-guarded folders. A shell running as root certainly doesn't have it.
There are other restrictions imposed by SIP, such as limiting the debugging of certain apps and the blocking of certain kernel extensions from being loaded.
Earlier this month, Apple squashed a logic bug in SIP found by SentinelOne researcher Pedro Vilaça. It could be exploited by software already running on a Mac to bypass Apple's SIP defenses, rendering the safeguards useless. Vilaça demonstrated at the SyScan360 2016 conference the design weakness using GDB to modify and create files in /System as a normal root user.
However, flaws within SIP remain. One problem is that just like bugs lingered in root-owned setuid binaries that were exploited by hackers, flaws present in SIP-entitled programs can be abused, too.
Stefan Esser of German security biz SektionEins also gave a talk at this year's SyScan360 during which he highlighted a bunch of SIP-related vulnerabilities. Esser told The Register "everything in my slides is unfixed" by Apple in the latest version of OS X 10.11 except for two flaws: the kas_info syscall and a malicious mount.
The evil mount worked by mounting a file system over /System and replacing supposedly SIP-protected core OS utilities with attacker-controlled ones (yes, that really worked). It was fixed in OS X 10.11.2. The kas_info() bug leaked the kernel's ASLR slide to the root user, and was fixed in v10.11.3.
That, we're told, leaves some vulnerabilities that remain today in a fully patched OS X 10.11.4, which can be exploited by bad software to claw back all-powerful root access. One example Esser gave is /sbin/fsck_cs, which verifies and repairs CoreStorage logical volume groups. It has the com.apple.rootless.install attribute, meaning it can modify SIP-protected files.
Here's how you can use it to wreck a crucial OS X configuration file that not even root is normally allowed to touch; the code fits in a tweet:
Disable AppleKextExcludeList to pwn SIP on 10.11.4: ln -s /S*/*/E*/A*Li*/*/I* /dev/diskX;fsck_cs /dev/diskX 1>&-;touch /Li*/Ex*/;reboot— Stefan Esser (@i0n1c) March 28, 2016
This expands out to...
ln -s /System/Library/Extensions/AppleKextExcludeList.kext/Contents/Info.plist /dev/diskX fsck_cs /dev/diskX 1>&- touch /Library/Extensions/ reboot
...which creates a symbolic link to AppleKextExcludeList.kext's Info.plist from /dev/diskX, and then gets fsck_cs to work on /dev/diskX and pipe stdout to that linked Info.plist file, thus trashing it with garbage. We then touch all the extensions and reboot to let our changes take effect. We can do all this on the locked-out /System file because fsck_cs has the all important com.apple.rootless.install attribute.
The aforementioned Info.plist file, now destroyed, is used by SIP to whitelist some kernel extensions and specifically block others from being loaded. It normally blacklists Apple's own kernel extension AppleHWAccess.kext, but with the configuration file destroyed, we can now load it and use it to read and write as we please from and to system RAM.
It's game over at this point for Apple's space-age SIP technology, and now a process running as root can once again do exactly as it pleases, according to Esser.
He also pointed out what he calls a backdoor in OS X's dyld_sim executable. "It took years to eradicate exploitable bugs from SUID binaries. Apple has to harden every single binary they gave entitlements," Esser noted in his talk.
If you can run software on someone's Mac, root or not, you're able to deal a good amount of pain already, that's true. When a miscreant gets code execution on your machine, you're not going to have a good time.
However, SIP is supposed to limit the damage and prevent malware from burying deep into the operating system so that it cannot be easily detected and removed. A rootless Unix – honestly, Cupertino, nice try, but this isn't the magic bullet against malicious code some may think it is. ®