System Integrity Protection (sometimes called “rootless”) is a security feature introduced in OS X El Capitan as a way to protect critical system components from all accounts, including the root user. Since its introduction, a number of vulnerabilities have led to the bypassing of this technology, either by leveraging exploits targeting macOS itself or a third-party driver.
As presented in our previous post exploring AV self-protection, the ability for an attacker to hide or protect software by leveraging protection features has become extremely interesting to me. With this in mind, I wanted to look at just how SIP bypasses were performed, and see if we could find a way to achieve this through a vulnerability in a signed driver. As we will be focusing on a legitimate kernel driver, the vulnerability can be transferred and loaded on any macOS system for use during your engagement by simply downloading the kext.
What this post will not cover is the ability to bypass Secure Kernel Extension Loading (SKEL). If you are interested in bypassing this, check out the recent presentation from Patrick Wardle.
As SIP is enforced by the macOS kernel (XNU), we will be setting up LLDB to explore some of the interesting areas which occur within Ring-0. If you need a walkthrough of just how to do this, it is recommended that you check out our previous post here, where we show how to set up a virtual debugging environment using VMware’s Fusion hypervisor.
With the debugger set up, let’s first take a look at finding a vulnerable driver… enter VirtualBox.
Read the full post over on MDSec’s blog here.