The Microsoft 365 Defender Research Team recently discovered a new macOS vulnerability nicknamed “Shrootless” and tracked it as CVE-2021-30892, a vulnerability that can misuse privilege inheritance in macOS ‘System Integrity Protection (SIP) thereby giving room for the execution of arbitrary code with root privileges.

Reportedly, the vulnerability has already been patched in the three supported versions of macOS (Monterey 12.0.1, Catalina with Security Updates 2021-007, and Big Sur 11.6.1) although there are indications that older versions of OS X running SIP including OS X 10.11 and later may still be vulnerable.

When examining how Shrootless works, the first thing to understand is how SIP works. SIP as we have it adds kernel-level that prevent certain files on the disk and certain processes in memory from being changed, even with root privileges.

The bug then takes advantage of the fact that the kernel can modify protected locations as needed, even if root privileges are no longer sufficient to modify important system files.