Bypassing Apple’s Protection Features, Zero-Day Exploit Puts All OS X Versions at Risk

Rafia Shaikh

Researchers have discovered a security vulnerability in System Integrity Protection (SIP), Apple's latest security feature in OS X, that allows for local privilege escalation.


OS X SIP vulnerability puts all versions of the OS at risk

Security researchers have discovered a critical zero-day vulnerability in all versions of Apple's OS X operating system. The vulnerability allows hackers to bypass Apple's SIP protection feature and steal sensitive data from targeted devices.

SIP is designed to prevent malicious software from modifying protected files and folders on your Mac. SIP is an important security feature of OS X that was released with OS X El Capitan. The purpose of SIP is to protect the system from anyone with root access, limiting the actions of even an authorized root user in protected parts of the system, to reduce the chance of malicious code hijacking the system.

Now, security researchers have discovered a non-memory corruption bug that allows for local privilege escalation, bypassing this protection.

This vulnerability is a non-memory corruption bug that exists in every version of OS X and allows users to execute arbitrary code on any binary. It can bypass a key security feature of the latest version of OS X, El Capitan, the System Integrity Protection (SIP) without kernel exploits.

How does the OS X SIP vulnerability work?

To exploit this vulnerability in System Integrity Protection, the hacker must first compromise the target system by phishing or some other technique, so the vulnerability is only useful as one stage of a multi-part attack. The zero-day SIP vulnerability (CVE-2016-1757) is a non-memory corruption bug allowing hackers to execute arbitrary code on any targeted machine. The attack then escalates the malware's privileges to bypass SIP and alter system files so it can persist on the infected system.

Researchers have said that this vulnerability could be used in highly targeted and state-sponsored attacks.

The exploit is a local privilege escalation type of exploit, meaning that you need an initial vector to run the exploit. This could be a phishing attack with some malware attachment, something like a fake Flash update, or remote code execution via a browser or any other application. So it's definitely part of a multi-stage attack, which has the advantage of taking care of privilege escalation and SIP bypass in a single exploit.

While the vulnerability is easy to exploit, it is extremely difficult to detect. Even when a user does manage to detect the infection, it will be impossible for them to fix it, since SIP would prevent the user from removing the malware from protected system files.

The SIP vulnerability exists in every version of OS X. Security researchers at SentinelOne responsible for the discovery reported the flaw to Apple, which included the patch in the latest OS X El Capitan 10.11.4. According to researchers, "other versions do not appear to have a patch for this specific bug from Apple's Security Bulletin, meaning they are left vulnerable to this specific bug."
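The practical question for a defender is which Macs are still on a release that never received the fix. The following shell helper is an added example, not code from the article or from SentinelOne; it assumes only what the article states (the patch shipped in OS X 10.11.4 and earlier releases did not get one) and treats a host as exposed to CVE-2016-1757 when its product version is below 10.11.4. The sample `csrutil status` line is constructed for the offline demo; on a real Mac the live check at the bottom runs `sw_vers` and `csrutil` itself.

```shell
#!/bin/sh
# Triage helper for CVE-2016-1757 (SIP bypass / local privilege escalation).
# Exposure rule (assumption derived from the article): fixed in 10.11.4,
# anything older is unpatched.

# version_ge A B -> exit 0 when dotted version A >= B (up to three numeric fields)
version_ge() {
    printf '%s\n%s\n' "$1" "$2" | awk -F. '
        NR == 1 { for (i = 1; i <= 3; i++) a[i] = $i + 0 }
        NR == 2 { for (i = 1; i <= 3; i++) b[i] = $i + 0 }
        END {
            for (i = 1; i <= 3; i++) {
                if (a[i] > b[i]) exit 0
                if (a[i] < b[i]) exit 1
            }
            exit 0
        }'
}

# cve_2016_1757_exposure VERSION -> prints "patched" or "unpatched"
cve_2016_1757_exposure() {
    if version_ge "$1" "10.11.4"; then
        echo "patched"
    else
        echo "unpatched"
    fi
}

# sip_enabled STATUS_TEXT -> exit 0 when the csrutil output says SIP is enabled.
# An unpatched host with SIP disabled has no SIP to bypass, but still has the
# privilege-escalation bug, so both facts are reported separately.
sip_enabled() {
    printf '%s' "$1" | grep -qi 'status: enabled'
}

# Offline demo on constructed input (this is what csrutil prints on a SIP-enabled Mac).
SAMPLE_STATUS="System Integrity Protection status: enabled."
echo "10.11.3 -> $(cve_2016_1757_exposure 10.11.3)"   # unpatched
echo "10.11.4 -> $(cve_2016_1757_exposure 10.11.4)"   # patched
sip_enabled "$SAMPLE_STATUS" && echo "sample: SIP enabled"

# Live check, only on a real Mac where the tools exist.
if command -v sw_vers >/dev/null 2>&1 && command -v csrutil >/dev/null 2>&1; then
    ver=$(sw_vers -productVersion)
    echo "this host ($ver): $(cve_2016_1757_exposure "$ver")"
    sip_enabled "$(csrutil status 2>/dev/null)" && echo "this host: SIP enabled" || echo "this host: SIP disabled"
fi
```

Run it from a fleet-management job and collect the "unpatched" lines; those hosts cannot be fixed by a point update and need an upgrade to 10.11.4 or later.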
