Europe Confirms Record €4.1B Penalty Against Google for Android Practices|U.S. CISA adds a Microsoft SharePoint Server flaw to its Known Exploited Vulnerabilities catalog|430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|CISA Warns BlueHammer Flaw Is Now Exploited in Ransomware Attacks|RustDuck: The Botnet That’s Still Small but Engineering Like It Plans to Grow|GuardFall Flaw Hits 10 of 11 Popular Open-Source AI Agents|XSS.is, The Forum That Ran the Ransomware Supply Chain Is Down. The Market Isn’t|U.S. CISA adds SimpleHelp flaw to its Known Exploited Vulnerabilities catalog|Europe Confirms Record €4.1B Penalty Against Google for Android Practices|U.S. CISA adds a Microsoft SharePoint Server flaw to its Known Exploited Vulnerabilities catalog|430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|CISA Warns BlueHammer Flaw Is Now Exploited in Ransomware Attacks|RustDuck: The Botnet That’s Still Small but Engineering Like It Plans to Grow|GuardFall Flaw Hits 10 of 11 Popular Open-Source AI Agents|XSS.is, The Forum That Ran the Ransomware Supply Chain Is Down. The Market Isn’t|U.S. CISA adds SimpleHelp flaw to its Known Exploited Vulnerabilities catalog|
Advertisement

Ad Placeholder

Full Width × 90

Breaking News

The code to bypass Apple System Integrity Protection security mechanism fits in a Tweet

Apple failed in fixing the System Integrity Protection security mechanism and the exploits code released by a researcher fits in a Tweet . Last week security media reported a critical privilege escalation flaw (CVE-2016-1757) in the Apple System Integrity Protection (SIP) security mechanism, a vulnerability that was present at the time of the discovery in all the version […]

The code to bypass Apple System Integrity Protection security mechanism fits in a Tweet

Apple failed in fixing the System Integrity Protection security mechanism and the exploits code released by a researcher fits in a Tweet .

Last week security media reported a critical privilege escalation flaw (CVE-2016-1757) in the Apple System Integrity Protection (SIP) security mechanism, a vulnerability that was present at the time of the discovery in all the version of the OS X operating system.

This week, Apple issued a security update of OS X El Capitan 10.11.4 and iOS 9.3 to solve the problem, but according to the experts is was ineffective in fixing the privilege escalation vulnerability.

The flaw was discovered by the security researcher Pedro Vilaça from SentinelOne and exposes more than 130 Million Apple customers at risk of hack. The attackers can exploit the flaw for various purposes, for example, the vulnerability could be exploited in a multi-stage attack in which crooks have already compromised the target system and use the flaw to gain persistence on compromised devices.

The SIP is a security mechanism implemented by Apple in the OS X El Capitan operating system for the protection of certain system processes, files and folders from being modified or tampered with by other processes, even when they are executed by a user with root privileges.

System Integrity Protection SIP bypass OS X El Capitan

According to the experts at SentinelOne the flaw allows circumventing the SIP technology bypassing the key security feature without kernel exploits. Now Apple issued a security patch for both OS X El Capitan 10.11.4 and iOS 9.3, but it seems that the update is ineffective, causing the users’ disappointment.

The critical privilege escalation vulnerability in the System Integrity Protection still affects the most recent version of OS for both Macs and iThings.

The popular researcher Stefan Esser, has published a new exploit code to bypass latest patched version of the System Integrity Protection application, and the interesting part is the dimension of the code that fits in a Tweet.

You’ve heard it right, according to the Esser this isn’t the unique flaw affecting the SIP, and most of them are still unfixed.

Stefan Esser of German security biz SektionEins also gave a talk at this year’s SyScan360 during which he highlighted a bunch of SIP-related vulnerabilities. Esser told The Register “everything in my slides is unfixed” by Apple in the latest version of OS X 10.11 except for two flaws: the kas_info syscall and a malicious mount.” reported El Reg.

“The evil mount worked by mounting a file system over /System and replacing supposedly SIP-protected core OS utilities with attacker-controlled ones (yes, that really worked). It was fixed in OS X 10.11.2. “

ln -s /S*/*/E*/A*Li*/*/I* /dev/diskX;fsck_cs /dev/diskX 1>&-;touch /Li*/Ex*/;reboot

The above code expands to:

ln -s /System/Library/Extensions/AppleKextExcludeList.kext/Contents/Info.plist /dev/diskX
fsck_cs /dev/diskX 1>&-
touch /Library/Extensions/
Reboot

Let’s hope Apple would fix all the open SIP issues as soon as possible.

Pierluigi Paganini

Security Affairs –  (System Integrity Protection, SIP, hacking)