Microsoft’s Threat Intelligence unit has released a report detailing a newly discovered vulnerability named “migraine” which could allow a threat actor who already has root access to automatically bypass System Integrity Protection (SIP) and conduct arbitrary activities on a device.

Once the relevant reports into this vulnerability are published, it will be tracked as CVE-2023-32369. The issue has already been fixed by Apple in the security update released on May 18th.

Why migraine?

MacOS migraine?

The choice of the name “migraine” stems from the MacOS process where the vulnerability lies – systemmigrationd. This is one of a number of processes invoked when using the MacOS migration assistant utility to move data from one Mac to another.

How does it work?

The vulnerability lies within the processes used by System Integrity Protection (SIP) which is a security technology in MacOS that restricts a root user from performing operations that may compromise system integrity.

Introduced by Apple with MacOS Yosemite back in 2014, SIP locks the OS down from root by leveraging the Apple sandbox to protect the entire platform.

As most will know, a root account has the utmost power on a *NIX-based system and so could compromise the entire system, whether wilfully or otherwise. SIP is a feature that aims to prevent rogue root users from causing potentially catastrophic damage.

One of SIP’s features is its filesystem restriction capability, which protects files and directories from being modified or overwritten. By default, the protected files and directories are those related to the system’s integrity.

Within the MacOS, Apple uses a series of entitlements to enforce security. Some very specific processes are granted entitlements that allow them to bypass System Integrity Protection checks by design.

One such entitlement is the com.apple.rootless.install.heritable entitlement that allows the process and the entire process tree rooted under it to bypass filesystem-based SIP security settings.
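The inheritance rule described above is the part a defender most needs to reason about: a binary with no entitlements of its own still runs SIP-exempt if an ancestor holds com.apple.rootless.install.heritable. The following Python is an added example written for this article, not code from Microsoft or Apple. It parses an entitlements plist in the XML form that `codesign -d --entitlements :- <binary>` prints on macOS, then walks a constructed process snapshot and reports every process whose SIP exemption is inherited rather than its own. The plist, the process tree, the PIDs and the non-heritable `com.apple.rootless.install` key are all assumptions made for the example.

```python
import plistlib

# Entitlement named in the article: exempts the holder and its whole process
# tree from SIP filesystem restrictions.
HERITABLE = "com.apple.rootless.install.heritable"

# Keys treated as SIP-bypass entitlements. The non-heritable variant is an
# assumption for the example; only HERITABLE is taken from the article.
SIP_BYPASS_ENTITLEMENTS = {HERITABLE, "com.apple.rootless.install"}

# Constructed sample in the shape codesign prints on macOS. This is NOT real
# output captured from systemmigrationd or any other Apple binary.
SAMPLE_ENTITLEMENTS_XML = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>com.apple.rootless.install.heritable</key>
    <true/>
    <key>com.apple.private.example.entitlement</key>
    <true/>
</dict>
</plist>
"""


def sip_bypass_entitlements(entitlements_plist: bytes) -> set:
    """Return the SIP-bypass entitlements that are set to true in a plist."""
    data = plistlib.loads(entitlements_plist)
    return {k for k, v in data.items() if k in SIP_BYPASS_ENTITLEMENTS and v is True}


# Constructed process snapshot: (pid, ppid, name, entitlements held by the
# binary itself). The tree mirrors the article's description of a migration
# daemon spawning helpers, a shell and an interpreter; PIDs are invented.
SAMPLE_PROCESSES = [
    (1,   0,   "launchd",          set()),
    (300, 1,   "systemmigrationd", {HERITABLE}),
    (301, 300, "drop_sip",         set()),
    (302, 300, "bash",             set()),
    (303, 302, "perl",             set()),
    (400, 1,   "loginwindow",      set()),
    (401, 400, "Terminal",         set()),
    (402, 401, "perl",             set()),
]


def effective_sip_exempt(processes):
    """Map pid -> pid of the process whose heritable entitlement makes it
    SIP-exempt (itself or an ancestor), or None if it is not exempt."""
    by_pid = {p[0]: p for p in processes}
    source = {}

    def resolve(pid):
        if pid in source:
            return source[pid]
        if pid not in by_pid:          # ppid 0 / unknown parent: no exemption
            return None
        _, ppid, _, ents = by_pid[pid]
        if HERITABLE in ents:
            src = pid
        else:
            src = resolve(ppid) if ppid != pid else None
        source[pid] = src
        return src

    for pid, *_ in processes:
        resolve(pid)
    return source


def inherited_exempt(processes):
    """Processes that are SIP-exempt only through an ancestor. These are the
    ones worth reviewing: a shell or interpreter here runs outside SIP."""
    by_pid = {p[0]: p for p in processes}
    src = effective_sip_exempt(processes)
    return sorted(
        (pid, by_pid[pid][2], by_pid[s][2])
        for pid, s in src.items()
        if s is not None and s != pid
    )


if __name__ == "__main__":
    print("bypass entitlements in sample plist:",
          sip_bypass_entitlements(SAMPLE_ENTITLEMENTS_XML))
    for pid, name, granted_by in inherited_exempt(SAMPLE_PROCESSES):
        print(f"pid {pid} ({name}) is SIP-exempt via ancestor {granted_by}")
```

On a real system the entitlements would come from `codesign` and the process table from `ps -axo pid,ppid,comm`; the example keeps both inline so it runs anywhere. Note that the perl under Terminal (pid 402) is not reported, while the identically named perl under bash under systemmigrationd is, which is exactly the distinction the article's researchers relied on.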

Discovery of the issue

Microsoft’s threat intelligence unit discovered an executable binary file called drop_sip on a test machine and found that it was a signed binary from Apple which was part of the SystemMigrationUtils.framework.

As part of their investigations, the researchers discovered that the drop_sip binary cannot bypass SIP restrictions itself, but rather inherits that ability from its parent process systemmigrationd, which can.

After discovering the process which can bypass SIP, the team of researchers looked for other child processes of systemmigrationd and identified a number of such processes.

Two interesting files were identified as part of this research: one was bash and the other was a perl binary.

The researchers quickly found that it was possible to run arbitrary code via a perl script, bypassing the SIP protections.

Exploitation capabilities

Triggering migration normally requires using the Migration Assistant utility, which involves a complete sign-out from the system; as such, a threat actor would need physical access to the target system.

The Microsoft researchers wanted to demonstrate that the exploit could be triggered remotely and so researched deeper into the migration flow process and the interplay between the Migration Assistant and systemmigrationd.

Eventually, the team identified a condition whereby the Migration Assistant could be executed without a system sign-out, allowing the system to be affected.

The researchers built an automated script using AppleScript to automate the whole process of compromising their test device.

Exploitation possibilities

In their report, the Microsoft team point out that a threat actor with SIP bypassing capabilities could conduct any number of activities, including:

  • Create undeletable malware
  • Expand the attack surface of kernel attack techniques
  • Tamper with system integrity and implant rootkits
  • Full security bypass

The Microsoft team reported all findings to Apple, which, as mentioned earlier, fixed the issue in a security update last month.