tags: macos, sip, auth_bypass
original link: Breaking SIP with Apple-Signed Packages
newsletter link: exploits.club Weekly Newsletter 21


Exploits Club Summary:

L3Harris dropped a post this week discussing their research into bypassing Apple’s System Integrity Protection (SIP). The core idea of the vulnerability class is finding command injection vulnerabilities in the installation scripts of Apple-signed packages that carry valid certificates. If such a package holds the com.apple.rootless.install.heritables entitlement, the installer scripts it runs inherit that entitlement, so the package (and, through the injection, an attacker) can write to SIP-protected locations. The post goes into some of the downsides of this bug class before discussing the fixes implemented by Apple.
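The combination the summary describes has two halves a defender can audit for: whether a package's entitlements include com.apple.rootless.install.heritables, and whether its installer scripts contain shell constructs that let attacker-influenced input reach a command. The script below is an added example written for this summary; it is not code from the L3Harris post or from Apple, and it does not reproduce whichever injection the post found. The entitlements plist and the postinstall script are constructed samples, the risk patterns (unquoted variable expansion outside an assignment, use of `eval`) are heuristics chosen here, and `assess_package` is a hypothetical helper name.

```python
import plistlib
import re

# Entitlement named in the summary: scripts of a package holding it inherit
# the ability to write to SIP-protected locations.
SIP_INHERIT_ENTITLEMENT = "com.apple.rootless.install.heritables"

# Constructed sample entitlements plist (not taken from any real package).
SAMPLE_ENTITLEMENTS = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
    <key>com.apple.rootless.install.heritables</key>
    <true/>
</dict>
</plist>
"""

# Constructed sample postinstall script illustrating the two heuristics.
SAMPLE_POSTINSTALL = """#!/bin/sh
# constructed for illustration; $2 is the install target volume
TARGET=$2
cp -R "$1/payload" $TARGET/Library/Sample
eval "$CUSTOM_CMD"
"""

QUOTED_SEGMENT = re.compile(r'"[^"]*"|\'[^\']*\'')   # remove quoted text first
VAR_EXPANSION = re.compile(r'\$\{?\w+\}?')            # $VAR or ${VAR}
PLAIN_ASSIGNMENT = re.compile(r'^\w+=')               # VAR=value is word-split-safe


def has_sip_inherit_entitlement(plist_bytes: bytes) -> bool:
    """True if the entitlements plist grants the SIP-inheritance entitlement."""
    entitlements = plistlib.loads(plist_bytes)
    return bool(entitlements.get(SIP_INHERIT_ENTITLEMENT))


def find_risky_lines(script: str) -> list[tuple[int, str, str]]:
    """Heuristic scan of a shell installer script.

    Returns (line_number, kind, line) for each line that uses eval or that
    expands a variable outside quotes in a command position.
    """
    findings = []
    for number, line in enumerate(script.splitlines(), 1):
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue                      # blank line, comment or shebang
        if PLAIN_ASSIGNMENT.match(stripped):
            continue                      # assignment RHS is not word-split
        if re.search(r"\beval\b", stripped):
            findings.append((number, "eval", stripped))
        unquoted_only = QUOTED_SEGMENT.sub("", stripped)
        if VAR_EXPANSION.search(unquoted_only):
            findings.append((number, "unquoted-expansion", stripped))
    return findings


def assess_package(entitlements: bytes, scripts: dict[str, str]) -> dict:
    """Hypothetical helper: combine the entitlement check with script findings.

    A package is 'high_risk' only when it both inherits SIP privileges and at
    least one of its scripts trips a heuristic, matching the two-part chain
    described in the summary.
    """
    findings = {name: find_risky_lines(src) for name, src in scripts.items()}
    privileged = has_sip_inherit_entitlement(entitlements)
    return {
        "sip_inherit": privileged,
        "findings": findings,
        "high_risk": privileged and any(findings.values()),
    }


if __name__ == "__main__":
    report = assess_package(SAMPLE_ENTITLEMENTS, {"postinstall": SAMPLE_POSTINSTALL})
    print("inherits SIP entitlement:", report["sip_inherit"])
    for name, hits in report["findings"].items():
        for number, kind, line in hits:
            print(f"{name}:{number}: {kind}: {line}")
    print("high risk:", report["high_risk"])
```

On a real system the entitlements would come from `codesign -d --entitlements - <binary>` and the scripts from the expanded package's Scripts directory; the heuristics are deliberately coarse and will produce false positives, so they are a triage aid, not a verdict.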