OS X zero day bug allows hackers to bypass system integrity protection

An OS X zero day vulnerability could allow attackers to bypass System Integrity Protection, Apple’s newest protection feature, and to escalate their privileges, simplifying the path to total system compromise in both OS X and iOS systems.

According to researcher Pedro Vilaça, who discovered the flaw in late 2015, roughly at the same time as researcher Ian Beer of Google Project Zero, the vulnerability (CVE-2016-1757) is a non-memory corruption bug that exists in all versions of OS X and iOS and allows users to execute arbitrary code on any binary.

Apple has been notified of it, and has included a patch for the hole in the latest security update for OS X El Capitan (10.11.4) and in iOS 9.3.

“SIP is a new feature, which is designed to prevent potentially malicious software from modifying protected files and folders: essentially to protect the system from anyone who has root access, authorized or not,” Vilaça, a researcher with Sentinel One, explained.

“The exploit is extremely reliable (100%) and it could be part of a bug chain that exploits a browser like Safari or Chrome,” he noted. “Initially, the exploit could be used to achieve code execution and sandbox escapes. Then to escalate privileges to root and/or bypass System Integrity Protection to achieve persistency. Also, a fake Flash update regularly used to distribute malware could be leveraged to further compromise systems.”

To exploit the flaw, an attacker must first compromise the target system – via a spearphishing attack, by exploiting the user’s browser, and so on. But once that’s accomplished, the exploit for the bug can be safely deployed and is sure not to crash machines or processes.

“This kind of exploit could typically be used in highly targeted or state sponsored attacks,” Vilaça pointed out.

He says that there is no indication that this flaw has been exploited by attackers in the past, but that it’s possible. “Since the bug is present on all OS X versions there is always a possibility that someone else found it before I did,” he told Help Net Security.

He created a fully working PoC exploit for the bug, but hasn’t yet decided whether he will release it as only El Capitan appears to have a patch. “But someone else might release it,” he added.

Vilaça has presented his findings on Thursday at the SysCan360 2016 in Singapore, and Ian Beer has shared more details about it a recent blog post.

“This vulnerability not only reveals a major security flaw in OS X, but also provides further evidence that exploits can be extremely stealthy, and at times, virtually impossible to detect,” Vilaça pointed out. “The nature of this particular exploit enables it to evade defenses by utilizing very reliable and stable techniques that traditional detection mechanisms, looking for more obvious warning signs, would miss.”