From 01df2876d3460525e1fd33a390d8786615ad6070 Mon Sep 17 00:00:00 2001 From: CPol Date: Fri, 9 Jun 2023 15:35:48 +0000 Subject: [PATCH] GITBOOK-3972: change request with no subject merged in GitBook --- .../macos-security-protections/macos-sip.md | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/macos-hardening/macos-security-and-privilege-escalation/macos-security-protections/macos-sip.md b/macos-hardening/macos-security-and-privilege-escalation/macos-security-protections/macos-sip.md index 07d53db4..4e0d8d39 100644 --- a/macos-hardening/macos-security-and-privilege-escalation/macos-security-protections/macos-sip.md +++ b/macos-hardening/macos-security-and-privilege-escalation/macos-security-protections/macos-sip.md @@ -78,6 +78,15 @@ SIP also imposes several other restrictions. For instance, it disallows the **lo ## SIP Bypasses +### Prices + +If an attacker manages to bypass SIP this is what he will earn: + +* Read mail, messages, Safari history... of all users +* Grant permissions for webcam, microphone or anything (by directly writing over the SIP protected TCC database) +* Persistence: He could save a malware in a SIP protected location and not even toot will be able to delete it. Also he could tamper with MRT. +* Easiness to load kernel extensions (still other hardcore protections in place for this). + ### Installer Packages **Installer packages signed with Apple's certificate** can bypass its protections. This means that even packages signed by standard developers will be blocked if they attempt to modify SIP-protected directories.
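Review bot: In the Persistence bullet of the added section, "not even toot will be able to delete it" has a typo and should read "root". The new heading "### Prices" does not describe the list under it, which is the impact of a SIP bypass, so a heading such as "Impact" would be clearer. The intro line "this is what he will earn" would read better as a neutral statement of what a bypass allows. "MRT" is used without expansion and should be spelled out on first use. The parenthetical in the last bullet, "still other hardcore protections in place for this", should name the protections it refers to or link to the page that covers them, since as written the reader cannot tell what still stands between a SIP bypass and loading a kernel extension.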