28 Sep. 2016

Vulnerability found and fixed in macOS and iOS kernels

By Balazs Bucsay, July 10, 2018 | Endpoint Protection Testing, MacOS Protection Testing

Our Research Director, Balazs Bucsay, conducted exhaustive research on chroot bypass techniques early last year. The chroot system call is used to create restricted environments for specific processes. This research was presented at several international IT security conferences, for example:

  • PHDays V @ Moscow, Russia
  • Hacktivity @ Budapest, Hungary
  • DeepSec @ Vienna, Austria

The evasion technique that he found affected almost all UNIX-based operating systems, including Mac OS X and iOS. These operating systems run on iPhones, iPads, Macs and MacBooks, so essentially all Apple products were affected. The technique is called move-out-of-chroot: it allows a sandboxed user to escape the restricted environment by moving the process's current working directory out from under the root of the environment. The vulnerability was reported to Apple in early 2015; it took more than a year and a half, but Apple eventually released a patch for all affected operating systems that fixes it alongside other bugs.
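To make the root cause of move-out-of-chroot concrete from a defender's side, here is an added example (not code from the original post or from the chw00t project) that simulates the condition with ordinary directories, without performing any chroot. A jail supervisor holds a handle to the sandboxed process's working directory and walks `..` from it; inside a real chroot, `..` at the root resolves to the root itself, so a working directory that has been renamed out from under the jail root never reaches it. The directory names (`jail`, `work`, `moved`) and the function names are assumptions made for this illustration.

```python
import os
import tempfile

# Added example (not from the original post or the chw00t project): a jail
# supervisor check that walks ".." from a directory handle and reports whether
# the jail root is ever reached. A directory moved out from under the root
# never reaches it, which is the condition move-out-of-chroot relies on.


def dir_id(path):
    """Identify a directory by (device, inode) rather than by its path string."""
    st = os.stat(path)
    return (st.st_dev, st.st_ino)


def cwd_under_root(cwd_fd, root_id):
    """Return True if walking '..' from the directory behind cwd_fd reaches root_id.

    Uses dir_fd-relative opens so the walk follows the real parent chain of the
    handle, exactly as the kernel would for a process whose cwd is that directory.
    """
    fd = os.dup(cwd_fd)  # keep the caller's handle untouched
    try:
        while True:
            st = os.fstat(fd)
            if (st.st_dev, st.st_ino) == root_id:
                return True
            parent = os.open("..", os.O_RDONLY, dir_fd=fd)
            pst = os.fstat(parent)
            if (pst.st_dev, pst.st_ino) == (st.st_dev, st.st_ino):
                # ".." resolved to itself: the filesystem root was reached without
                # meeting the jail root, so the directory lies outside the jail.
                os.close(parent)
                return False
            os.close(fd)
            fd = parent
    finally:
        os.close(fd)


def simulate_move_out():
    """Constructed scenario (assumed names, no chroot performed): a process holds
    a handle to jail/work as its cwd, then jail/work is renamed to a location
    outside the jail. Returns (check result before move, check result after move)."""
    with tempfile.TemporaryDirectory() as base:
        jail = os.path.join(base, "jail")
        work = os.path.join(jail, "work")
        os.makedirs(work)
        root_id = dir_id(jail)
        cwd_fd = os.open(work, os.O_RDONLY)  # the sandboxed process's cwd handle
        try:
            before = cwd_under_root(cwd_fd, root_id)
            # The directory leaves the jail tree; the open handle stays valid.
            os.rename(work, os.path.join(base, "moved"))
            after = cwd_under_root(cwd_fd, root_id)
        finally:
            os.close(cwd_fd)
        return before, after


if __name__ == "__main__":
    before, after = simulate_move_out()
    print("cwd inside jail before move:", before)  # True
    print("cwd inside jail after move:", after)    # False
```

The check deliberately compares device and inode numbers rather than path strings: after the rename the handle still refers to the same inode, but its parent chain no longer passes through the jail root, which is exactly what the kernel fix has to account for and what a supervising process can detect.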

The release notes for the security patches (CVE-2016-4771) can be found here:

If you would like to know more about the evasion techniques and the vulnerability, you can find more information here:

  1. Presentation: Chw00t: Breaking unices’ chroot solutions
  2. Tool and how-to: https://github.com/earthquake/chw00t