New MacOS Shrootless Bug (29th October 2021)

Ref# AL2021_38 | Date: Nov 2nd 2021

On Thursday, October 28, 2021, Microsoft revealed details of a new vulnerability within macOS that could allow a malicious actor to bypass System Integrity Protection (SIP) and get complete control of the computer, enabling them to perform arbitrary activities without being noticed by typical security measures.


The risk lies in how Apple-signed packages with post-install scripts are installed. An attacker could create a specially constructed file that would hijack the installation process. After bypassing SIPs restrictions, the malicious actor could then install a rootkit, overwrite system files, or install persistent, undetectable malware, among others. The bug has been dubbed Shrootless and is being tracked as CVE-2021-30892.

How it works

System Integrity Protection (SIP), also known as “rootless,” is a security feature introduced in OS X El Capitan that prevents a root user from running prohibited code or doing operations that could threaten system integrity.

SIP allows only Apple-signed processes or those with particularly unique entitlements to write to system files, such as Apple software updates and Apple installers, to reconfigure protected parts of the system such as /System, /usr, /bin, /sbin, and /var, while also automatically authorizing apps downloaded from the Mac App Store.

Microsoft”s study into the security technology focused on macOS programs that can bypass SIP protections, leading to the discovery of “system_installd,” a software installation daemon that allows any of its child processes to evade SIP filesystem limits.

When an Apple-signed package is installed, the system_installd is launched, and any post-install scripts are executed using the default shell, which on macOS is Z shell (zsh).

“Intriguingly, when zsh starts, it looks for the file /etc/zshenv, if it”s found, it performs commands from that file automatically, even in non-interactive mode,” Bar Or explained. “As a result, creating a malicious /etc/zshenv file and then

waiting for system_installd to call zsh would be a reliable avenue for attackers to do arbitrary activities on the device.”

A malicious application could use CVE-2021-30892 to modify protected parts of the file system, including the capability to install malicious kernel drivers (called rootkits), overwrite system files, or install pervasive, undiscovered malware.


It is recommended that users who have older versions of macOS Big Sur update their macOS to the latest version, which is version macOS Big Sur 11.6.1

The Guyana National CIRT recommends that users and administrators review this alert and apply it where necessary.
PDF Download: Installing Rootkits Across macOS Systems due to a New Shrootness Bug.pdf