Shrootless: macOS Vulnerability Found by Microsoft Allows Rootkit Installation


Tracked as CVE-2021-30892 and named “Shrootless” by Microsoft, the vulnerability lies in how macOS installs Apple-signed packages that carry post-install scripts: the system_installd daemon, which holds an entitlement that lets it write to SIP-protected locations, runs those scripts through a child shell that inherits that entitlement.

To exploit the vulnerability, an attacker needs only to plant a specially crafted file that the child shell reads when it starts (Microsoft's analysis used /etc/zshenv, which zsh sources on every invocation, interactive or not); the attacker's commands then run inside the entitled shell and hijack the installation of such a package.
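The following audit is an added example, not code from the article or from Microsoft's writeup. It checks a host for the startup file the Shrootless technique planted: macOS ships /etc/zprofile and /etc/zshrc but no /etc/zshenv, so the file's mere presence is worth investigating. The optional ETC_DIR argument is an assumption added so the check can be exercised against a scratch directory; on a real host leave it at the default /etc.

```shell
#!/bin/sh
# Shrootless audit (added example, not from the article or Microsoft's writeup).
# system_installd ran an Apple-signed package's post-install script through a
# non-interactive zsh that inherited the daemon's SIP-bypass entitlement, and
# zsh sources /etc/zshenv on every start, so a planted /etc/zshenv executed
# with that entitlement. This script flags such a file on the host.
# Assumption: ETC_DIR (first argument) overrides /etc so the check can be run
# against a scratch directory.

# Print the lines of a zsh startup file that would actually execute,
# i.e. everything except comments and blank lines.
active_lines() {
    grep -v -e '^[[:space:]]*#' -e '^[[:space:]]*$' "$1"
}

# check_zshenv [ETC_DIR]
#   exit 0: no zshenv present (the expected state on a stock macOS host)
#   exit 1: zshenv present; its mode, owner and executable lines are printed
check_zshenv() {
    etc_dir="${1:-/etc}"
    f="$etc_dir/zshenv"
    if [ ! -e "$f" ]; then
        echo "OK: $f absent"
        return 0
    fi
    echo "SUSPECT: $f exists; every zsh on this host, interactive or not, sources it"
    ls -l "$f"
    # World-writable is the worst case: any local user could have planted it.
    if [ -n "$(find "$f" -perm -o+w 2>/dev/null)" ]; then
        echo "  note: world-writable"
    fi
    echo "  executable lines:"
    active_lines "$f" | sed 's/^/    /'
    return 1
}

# Run the audit when executed as a script; a status of 1 means a zshenv was found.
check_zshenv "$@"
```

On macOS the same file can additionally be checked for the `restricted` flag with `ls -lO`; a legitimate Apple-managed file under SIP carries it, while a file an attacker dropped into /etc does not.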

Apple introduced SIP, also known as “rootless” and the source of the bug's name, in OS X El Capitan (10.11) to stop even the root user from performing actions that compromise system integrity, but the newly addressed flaw could allow an attacker to install a malicious kernel extension (rootkit), deploy persistent malware, or overwrite protected system files.