`, the `~/.zshenv` file would be triggered, effectively elevating to root.
In [**CVE-2022-22583**](https://perception-point.io/blog/technical-analysis-cve-2022-22583/) it was discovered that the same **`system_installd`** process could still be abused because it was putting the **post-install script inside a random named folder protected by SIP inside `/tmp`**. The thing is that **`/tmp` itself isn't protected by SIP**, so it was possible to **mount** a **virtual image on it**, then the **installer** would put in there the **post-install script**, **unmount** the virtual image, **recreate** all the **folders** and **add** the **post installation** script with the **payload** to execute.
### **com.apple.rootless.install**
{% hint style="danger" %}
The entitlement **`com.apple.rootless.install`** allows to bypass SIP
{% endhint %}
From [**CVE-2022-26712**](https://jhftss.github.io/CVE-2022-26712-The-POC-For-SIP-Bypass-Is-Even-Tweetable/) The system XPC service `/System/Library/PrivateFrameworks/ShoveService.framework/Versions/A/XPCServices/SystemShoveService.xpc` has the entitlement **`com.apple.rootless.install`**, which grants the process permission to bypass SIP restrictions. It also **exposes a method to move files without any security check.**
## Sealed System Snapshots
Sealed System Snapshots are a feature introduced by Apple in **macOS Big Sur (macOS 11)** as a part of its **System Integrity Protection (SIP)** mechanism to provide an additional layer of security and system stability. They are essentially read-only versions of the system volume.
Here's a more detailed look:
1. **Immutable System**: Sealed System Snapshots make the macOS system volume "immutable", meaning that it cannot be modified. This prevents any unauthorized or accidental changes to the system that could compromise security or system stability.
2. **System Software Updates**: When you install macOS updates or upgrades, macOS creates a new system snapshot. The macOS startup volume then uses **APFS (Apple File System)** to switch to this new snapshot. The entire process of applying updates becomes safer and more reliable as the system can always revert to the previous snapshot if something goes wrong during the update.
3. **Data Separation**: In conjunction with the concept of Data and System volume separation introduced in macOS Catalina, the Sealed System Snapshot feature makes sure that all your data and settings are stored on a separate "**Data**" volume. This separation makes your data independent from the system, which simplifies the process of system updates and enhances system security.
Remember that these snapshots are automatically managed by macOS and don't take up additional space on your disk, thanks to the space sharing capabilities of APFS. Itβs also important to note that these snapshots are different from **Time Machine snapshots**, which are user-accessible backups of the entire system.
### Check Snapshots
The command **`diskutil apfs list`** lists the **details of the APFS volumes** and their layout:
+-- Container disk3 966B902E-EDBA-4775-B743-CF97A0556A13
| ====================================================
| APFS Container Reference: disk3
| Size (Capacity Ceiling): 494384795648 B (494.4 GB)
| Capacity In Use By Volumes: 219214536704 B (219.2 GB) (44.3% used)
| Capacity Not Allocated: 275170258944 B (275.2 GB) (55.7% free)
| |
| +-< Physical Store disk0s2 86D4B7EC-6FA5-4042-93A7-D3766A222EBE
| | -----------------------------------------------------------
| | APFS Physical Store Disk: disk0s2
| | Size: 494384795648 B (494.4 GB)
| |
| +-> Volume disk3s1 7A27E734-880F-4D91-A703-FB55861D49B7
| | ---------------------------------------------------
| | APFS Volume Disk (Role): disk3s1 (System)
| | Name: Macintosh HD (Case-insensitive)
| | Mount Point: /System/Volumes/Update/mnt1
| | Capacity Consumed: 12819210240 B (12.8 GB)
| | Sealed: Broken
| | FileVault: Yes (Unlocked)
| | Encrypted: No
| | |
| | Snapshot: FAA23E0C-791C-43FF-B0E7-0E1C0810AC61
| | Snapshot Disk: disk3s1s1
| | Snapshot Mount Point: /
| | Snapshot Sealed: Yes
[...]
In the previous output it's possible to see that **macOS System volume snapshot is sealed** (cryptographically signed by the OS). SO, if SIP is bypassed and modifies it, the **OS won't boot anymore**.
It's also possible to verify that seal is enabled by running:
```
csrutil authenticated-root status
Authenticated Root status: enabled
```
Moreover, it's mounted as **read-only**:
```
mount
/dev/disk3s1s1 on / (apfs, sealed, local, read-only, journaled)
```
βοΈ HackTricks Cloud βοΈ -π¦ Twitter π¦ - ποΈ Twitch ποΈ - π₯ Youtube π₯
* Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
* **Join the** [**π¬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**π¦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/hacktricks\_live)**.**
* **Share your hacking tricks by submitting PRs to the** [**hacktricks repo**](https://github.com/carlospolop/hacktricks) **and** [**hacktricks-cloud repo**](https://github.com/carlospolop/hacktricks-cloud).