Analyzing CVE-2024-44243, a macOS System Integrity Protection bypass through kernel extensions

Credit to Author: Microsoft Threat Intelligence | Date: Mon, 13 Jan 2025 17:00:00 +0000

Microsoft Threat Intelligence discovered a new macOS vulnerability that could allow attackers to bypass Apple’s System Integrity Protection (SIP) in macOS by loading third party kernel extensions. SIP is a security technology that restricts the performance of operations that may compromise system integrity; thus, a SIP bypass affects the overall security of the operating system. Bypassing SIP could lead to serious consequences, such as increasing the potential for attackers and malware authors to successfully install rootkits, create persistent malware, bypass Transparency, Consent and Control (TCC), and expand the attack surface for additional techniques and exploits.

We shared these findings with Apple through Coordinated Vulnerability Disclosure (CVD) via Microsoft Security Vulnerability Research (MSVR). A fix for this vulnerability, now identified as CVE-2024-44243, was included in the security updates released by Apple on December 11, 2024. The findings were discovered in parallel between Microsoft and Mickey Jin, who also responsibly reported the vulnerability to Apple. Users should ensure their systems are up to date. We thank the Apple security team for their collaboration and efforts in fixing this issue.

In many cases, special entitlements are leveraged to bypass security mechanisms like SIP, making it essential to monitor specially entitled processes for anomalous behavior. The need for proactive monitoring is even greater when a specially entitled process invokes kernel extensions from third-party organizations without proper validation or reduced privileges, which an attacker could exploit to install a kernel driver (rootkit) in a way that could evade detection by security solutions. Following our previous SIP bypass blog posts (Shrootless, Migraine), our team set up mechanisms to proactively alert on potentially attacker-controlled child processes of specially entitled processes, which enabled Microsoft Defender and our research team to ultimately identify CVE-2024-44243.

In this blog post, we detail the connection between entitlements and SIP and explain how CVE-2024-44243 could be used to bypass SIP security measures. This research also highlights some of the benefits and challenges of kernel-based monitoring. Prohibiting third-party code from running in the kernel can increase macOS reliability, the tradeoff being that it reduces monitoring capabilities for security solutions. If SIP is bypassed, the entire operating system can no longer be considered reliable, and with reduced monitoring visibility, threat actors can tamper with any security solutions on the device to evade detection. As such, this research is being presented to the broader security community to underline the critical role of responsible disclosure and collaborative efforts in securing devices across platforms.

Understanding SIP and entitled processes

As covered in our previous SIP bypass blog posts (Shrootless, Migraine), SIP (also known as “rootless”) is a macOS mechanism that enforces several operating system protections against the root user, restricting the ability to:

  • Load arbitrary kernel drivers
  • Change non-volatile random-access memory (NVRAM) variables
  • Get task ports for Apple-signed processes
  • Allow kernel debugging
  • Modify sensitive files that are a part of the operating system

One interesting fact about SIP is that bypassing just one of those restrictions is likely to lead to bypasses of all other SIP restrictions – for example:

  • SIP policy is controlled by NVRAM variables, so modifying NVRAM variables bypasses SIP.
  • Kernel code execution (either through kernel extensions or debugging) can change SIP since it is enforced at the kernel level.
  • Modifying sensitive files on the file system can bypass SIP, for instance, by modifying the list of allowed kernel extensions and then loading that kernel extension.

SIP bypasses have traditionally focused on special binaries with specific entitlements. As a reminder, entitlements are special capabilities a process might have and are a part of the digital signature of the process. Therefore, entitlements cannot be easily forged by attackers. In addition to the well-documented entitlements available for software developers, certain entitlements are reserved only for processes that have specific operating system functions, such as system updates, debugging capabilities, memory tracing, and security extensions. We refer to them as private entitlements, as their names commonly start with a com.apple.private prefix. There are many of those special entitlements, and most are not documented by Apple at all.

Our team has recognized how critical it is to monitor anomalous behavior by those specially entitled processes, as in many cases special entitlements could be used for bypassing security mechanisms. For example:

Entitlement: com.apple.rootless.install
Description: Processes entitled with the com.apple.rootless.install entitlement can bypass SIP file system checks. Several examples that abuse that entitlement have been reported, including:

  • Reported by Stefan Esser and presented at SyScan360, this vulnerability misused the fact that fsck_cs follows symbolic links and could therefore write to arbitrary file paths.
  • CVE-2022-26712 – reported by Mickey Jin. The vulnerability abuses the SystemShoveService.xpc XPC service, which is entitled with the com.apple.rootless.install entitlement.

Note that this is not a complete list of vulnerabilities associated with that entitlement.

Entitlement: com.apple.rootless.install.heritable
Description: Processes entitled with com.apple.rootless.install.heritable pass the com.apple.rootless.install entitlement on to all their child processes. Notable examples include:

  • CVE-2019-8561 – discovered by Trend Micro. The vulnerability leverages a time-of-check-time-of-use (TOCTOU) issue in the system_installd binary.
  • CVE-2020-9854 – reported by Ilias Morad, which exploited a specific installer script that was spawned by system_installd and allowed an arbitrary process execution from a command-line argument.
  • CVE-2021-30892 – reported by Microsoft Defender, known as “Shrootless”. The vulnerability abuses an Apple-signed package that includes shell script components and abuses the system_installd binary.
  • CVE-2022-22583 – reported by Perception Point. This vulnerability is a variant on our previously reported Shrootless vulnerability and takes advantage of the /tmp symbolic link used by system_installd.
  • CVE-2023-32369 – reported by Microsoft Defender, known as “Migraine”. The exploit abuses the system migration daemon (migrationd).

Note that this is not a complete list of vulnerabilities associated with that entitlement.

There are other entitlements that could be used for other types of vulnerabilities, such as the com.apple.private.tcc.allow entitlement, which could be used for TCC bypasses, which we also monitor. However, in this blog post we will focus on SIP-related entitlements only.

Due to the sensitive nature of the com.apple.rootless.install.heritable entitlement, it is evident that monitoring anomalous child processes of processes entitled with com.apple.rootless.install.heritable is important for security research.

Discovery of SIP bypasses through custom file systems

One of the processes entitled with the previously described com.apple.rootless.install.heritable entitlement is storagekitd, which is a daemon that handles disk state-keeping by the Storage Kit private framework.

Figure 1. storagekitd and its SIP-related entitlements

As shown, storagekitd has many SIP bypassing capabilities, including the com.apple.rootless.install.heritable entitlement, which means all its child processes are of great interest.

Using advanced hunting query language, we can look for all child processes of the storagekitd daemon:

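 // Child processes of storagekitd whose executable lives outside the system directories.
 // Note: the "/usr" prefix also excludes /usr/local, which SIP does not protect.
 DeviceProcessEvents
 | where InitiatingProcessFileName == "storagekitd"
     and FolderPath !startswith "/System"
     and FolderPath !startswith "/sbin"
     and FolderPath !startswith "/bin"
     and FolderPath !startswith "/usr"
 | summarize by ProcessCommandLine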

Interestingly, we found several processes, which we immediately investigated:

Example path | Explanation
/Library/Filesystems/iboysoft_NTFS.fs/Contents/Resources/newfs_ms_ntfs | Custom NTFS implementation from iBoysoft.
/Library/Filesystems/tuxera_ntfs.fs/Contents/Resources/newfs_tuxera_ntfs | Custom NTFS implementation from Tuxera.
/Library/Filesystems/ufsd_ExtFS.fs/Contents/Resources/fsck_ufsd_ExtFS | Custom EXT file system implementation from Paragon.
/Library/Filesystems/ufsd_NTFS.fs/Contents/Resources/fsck_ufsd_NTFS | Custom NTFS implementation from Paragon.
/Library/Filesystems/easeus_NTFS.fs/Contents/Resources/newfs_easeus_NTFS | Custom NTFS implementation from EaseUS.

We therefore attempted to install those solutions. By overriding the binaries under the relevant bundle under /Library/Filesystems and triggering them with the Disk Utility app, we proved that we were able to bypass SIP protections, overriding the Apple kernel extensions exclusion list. Moreover, we have successfully been able to automate our process with the diskutil utility, which, similarly to the Disk Utility app, uses the Storage Kit private framework:

Figure 2. SIP bypass done by triggering storagekitd

It’s important to note everything described in this blog post is a macOS vulnerability due to storagekitd’s ability to invoke arbitrary processes without proper validation or dropping privileges, rather than a vulnerability in each of those products.

Experimenting with custom file systems

Mounting filesystems on macOS involves the Disk Arbitration daemon (diskarbitrationd), which supports filesystems that are implemented in the kernel (APFS, HFS+) and those that are implemented in userspace. Filesystems implemented in userspace are known as User Filesystems (UserFS). macOS comes pre-shipped with several such filesystem implementations, each of which appears as a file system bundle (*.fs) under /System/Library/Filesystems and /Library/Filesystems.

Figure 3. Custom filesystem bundles

While the structure of file system bundles is not well documented, diskarbitrationd is fully open source, which shows what properties are expected from such a bundle. The structure is as follows:

  • A dictionary of FSMediaTypes exists, in which the key is the file system formal name (or a designated GUID), and the value contains various content hints.
  • More importantly, the bundle information clearly specifies the binary file names and command line-arguments that will be used for specific operations, such as mounting, repairing, and probing.

As described by Csaba Fitzl of Kandji in POC2024, upon mounting, the disk utility consults a specialized daemon known as the Storage Kit daemon (storagekitd), which, in turn, uses the Disk Arbitration daemon (diskarbitrationd) to invoke the right mount process via posix_spawn. However, we noticed certain operations (such as “disk repair”) are directly invoked under storagekitd. Since an attacker that can run as root can drop a new file system bundle to /Library/Filesystems, they can later trigger storagekitd to spawn custom binaries, hence bypassing SIP.

Figure 4. New file system registration that includes the name and the executables to be run
Figure 5. Registered file system recognized by the Disk Utility

Triggering the erase operation on the newly created file system can bypass SIP protections as well.
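
A defender-side inventory of the bundles described above, as an added example that is not code from the original post: it reads each bundle's Info.plist under /Library/Filesystems, hashes the helper binaries the bundle declares, and reports any that appear or change against a saved baseline. The FSPersonalities and FS…Executable key names are assumptions drawn from Apple's stock bundles; the post itself names only FSMediaTypes.

```python
import hashlib
import plistlib
from pathlib import Path

# Per-operation keys inside FSPersonalities. Assumption: these names come from
# Apple's stock *.fs bundles; the post itself names only FSMediaTypes.
EXEC_KEYS = ("FSMountExecutable", "FSProbeExecutable", "FSRepairExecutable",
             "FSFormatExecutable", "FSVerificationExecutable")

def declared_helpers(bundle):
    """Map each helper path a bundle declares to the operations that use it."""
    with open(Path(bundle) / "Contents" / "Info.plist", "rb") as fh:
        info = plistlib.load(fh)
    helpers = {}
    for personality in info.get("FSPersonalities", {}).values():
        for key in EXEC_KEYS:
            name = personality.get(key)
            if name:
                path = Path(bundle) / "Contents" / "Resources" / name
                helpers.setdefault(str(path), set()).add(key)
    return helpers

def inventory(root="/Library/Filesystems"):
    """Hash every declared helper under root; unreadable bundles are recorded too."""
    result = {}
    for bundle in sorted(Path(root).glob("*.fs")):
        try:
            for path, ops in declared_helpers(bundle).items():
                p = Path(path)
                digest = (hashlib.sha256(p.read_bytes()).hexdigest()
                          if p.is_file() else "missing")
                result[path] = {"sha256": digest, "operations": sorted(ops)}
        except Exception as exc:  # a malformed or absent plist is itself a finding
            result[str(bundle)] = {"error": repr(exc)}
    return result

def drift(baseline, current):
    """Return paths that are new, or whose record changed, since the baseline."""
    return sorted(p for p, rec in current.items() if baseline.get(p) != rec)

if __name__ == "__main__":
    for path, rec in inventory().items():
        print(path, rec)
```

The records are plain dictionaries, so a baseline can be stored as JSON and compared with drift() on a schedule or after software installs.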

Detecting the vulnerability with Microsoft Defender for Endpoint monitoring

System Integrity Protection (SIP) serves as a critical safeguard against malware, attackers, and other cybersecurity threats, establishing a fundamental layer of protection for macOS systems. Bypassing SIP impacts the entire operating system’s security and could lead to severe consequences, emphasizing the necessity for comprehensive security solutions that can detect anomalous behavior from specially entitled processes. The challenge of detecting such threats is compounded by the inherent limitations in kernel-level visibility on macOS, making it difficult for traditional security measures to spot and mitigate these sophisticated attacks.

As our research demonstrates, an attacker with the ability to run as root could have exploited CVE-2024-44243 by loading third party kernel extensions to bypass SIP. To address these challenges, Microsoft Defender Vulnerability Management quickly identifies and resolves CVE-2024-44243 and similar vulnerabilities while Microsoft Defender for Endpoint offers robust monitoring capabilities designed to detect and alert on anomalous behavior associated with specially entitled processes on macOS. Proactive monitoring for such anomalies is crucial to enable defenders to stay ahead of emerging threats and mitigate potential risks effectively. By leveraging these advanced detection mechanisms, organizations can gain greater visibility into activities that may indicate an attempt to exploit vulnerabilities that bypass SIP and other protection technologies across platforms.

Figure 6. Microsoft Defender for Endpoint Potential System Integrity Protection bypass alert

This research underscores the importance of shared knowledge and collaborative efforts within the security community. We’d like to again thank Apple for their work in addressing this vulnerability, and Mickey Jin for responsibly disclosing the vulnerability in parallel with Microsoft. We believe that disseminating this information will not only foster responsible disclosure but also encourage collective action to fortify defenses against developing threats. By working together and leveraging the insights gained from these findings, we can better protect our systems and respond effectively to evolving security challenges.

Jonathan Bar Or

Microsoft Defender Research Team


The post Analyzing CVE-2024-44243, a macOS System Integrity Protection bypass through kernel extensions appeared first on Microsoft Security Blog.
