
When it comes to securing our devices, we rely on certain features to keep our data safe. One of these features is System Integrity Protection (SIP), also known as "rootless." This feature limits the actions that the root user can take on protected files and folders.

Microsoft has shared details of a flaw in Apple macOS that could be exploited to bypass SIP and gain access to sensitive data. The flaw, dubbed Migraine and tracked as CVE-2023-32369, could be exploited by threat actors with root access to get around SIP and perform arbitrary actions on affected devices.

The bypass works by leveraging a built-in macOS tool called Migration Assistant: an AppleScript activates the migration process, which is ultimately made to launch an arbitrary payload. systemmigrationd, the daemon used to handle device transfer, comes with the com.apple.rootless.install.heritable entitlement, which allows all of its child processes, including bash and perl, to bypass SIP checks.

This means that an attacker could create files that are protected by SIP and therefore undeletable by ordinary means. Worse yet, the attacker could gain arbitrary kernel code execution and access sensitive data by replacing the databases that manage Transparency, Consent, and Control (TCC) policies.

Fortunately, the flaw has been patched, and users are advised to update their devices to the latest version of macOS. In the meantime, we'll be keeping a close eye on this story and will provide updates as more information becomes available.
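Because the entitlement is inherited by every child of systemmigrationd, a defender can watch for processes in that daemon's lineage. The sketch below is an added example, not code from Microsoft or Apple: the event format, the pids and the placeholder daemon path are constructed, and matching on the executable's base name is an assumption made for brevity.

```python
import os

# Daemon named on the page as holding com.apple.rootless.install.heritable.
ENTITLED_DAEMON = "systemmigrationd"
# Interpreters the page names as inheriting the SIP exemption.
INTERPRETERS = {"bash", "perl"}

# Constructed sample exec events; the daemon path is a placeholder.
SAMPLE_EVENTS = [
    {"pid": 1, "ppid": 0, "path": "/sbin/launchd"},
    {"pid": 410, "ppid": 1, "path": "/placeholder/systemmigrationd"},
    {"pid": 522, "ppid": 410, "path": "/bin/bash"},
    {"pid": 530, "ppid": 522, "path": "/usr/bin/perl"},
    {"pid": 531, "ppid": 522, "path": "/usr/bin/touch"},
    {"pid": 600, "ppid": 1, "path": "/bin/bash"},     # unrelated shell
    {"pid": 700, "ppid": 9999, "path": "/bin/bash"},  # parent not recorded
]


def ancestry(pid, by_pid):
    """Return executable base names from pid's parent up to the root."""
    chain, seen = [], {pid}
    parent = by_pid.get(pid, {}).get("ppid")
    while parent in by_pid and parent not in seen:  # stop on gaps and loops
        seen.add(parent)
        chain.append(os.path.basename(by_pid[parent]["path"]))
        parent = by_pid[parent]["ppid"]
    return chain


def flag_heritable_descendants(events):
    """Flag every process that descends from the entitled daemon."""
    by_pid = {e["pid"]: e for e in events}
    findings = []
    for e in events:
        if ENTITLED_DAEMON not in ancestry(e["pid"], by_pid):
            continue
        name = os.path.basename(e["path"])
        # Interpreters under the daemon are the case the page describes.
        severity = "high" if name in INTERPRETERS else "review"
        findings.append((e["pid"], name, severity))
    return findings


if __name__ == "__main__":
    for pid, name, severity in flag_heritable_descendants(SAMPLE_EVENTS):
        print(f"[{severity}] pid={pid} {name} runs under {ENTITLED_DAEMON}")
```

A base name can be spoofed, so a production rule should key on the parent's code-signing identity as reported by the endpoint telemetry source rather than on its file name.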