1. InfoconDB
  2. DEF CON
  3. DEF CON 31 (2023)
  4. Getting a Migraine - uncovering a unique SIP bypass on macOS

Getting a Migraine - uncovering a unique SIP bypass on macOS

Presented at DEF CON 31 (2023), Aug. 11, 2023, 2:30 p.m. (45 minutes)

System Integrity Protection (SIP) is a macOS technology that limits the capabilities of the root user, most notably - it maintains the integrity of the operating system by preventing loading of untrusted kernel extensions and protecting sensitive filesystem locations. In this talk we will uncover a method to bypass SIP and create undeletable malware that can later load arbitrary kernel extensions. We will explain our methodology, detail our exploitation strategy and the reverse engineering involved. Lastly, we will explain how to look for similar SIP bypasses and outline a generic detection strategy for Blue Teams. REFERENCES: https://objective-see.com/blog/blog_0x14.html https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-9771 https://www.theregister.com/2016/03/30/apple_os_x_rootless/ https://www.microsoft.com/en-us/security/blog/2021/10/28/microsoft-finds-new-macos-vulnerability-shrootless-that-could-bypass-system-integrity-protection/ https://jhftss.github.io/CVE-2022-26712-The-POC-For-SIP-Bypass-Is-Even-Tweetable/

Presenters:

  • Anurag Bohra - Security Researcher at Microsoft
    Anurag Bohra is a Security Researcher 2 at Microsoft focusing on macOS security. His interests includes Reverse Engineering, Malware Analysis, Vulnerability Research, hardware security and also loves building tools on the same.
  • Michael Pearse - Security Researcher at Microsoft
    Micheal Pearse started out as an embedded developer for anti-ICBM missiles. Micheal got into reversing by trying to understand how counterstrike works and the underlying mechanics of C++. In his vulnerability research journey, Michael started with home routers, worked my way up to industrial devices, and eventually found and exploited local priv escalations for Windows.
  • Jonathan Bar Or - Security Researcher at Microsoft
    Jonathan Bar Or ("JBO") is a Principal Security Researcher at Microsoft, working as the Microsoft Defender research architect for cross-platform. Jonathan has rich experience in vulnerability research, exploitation, cryptanalysis, and offensive security in general.

Links:

Similar Presentations: