Details of an unpatched vulnerability in macOS 10.14.5 (Mojave) and earlier have been made public; it allows an attacker to execute arbitrary code without user interaction.
By leveraging the flaw, Gatekeeper, the built-in macOS defense that stops untrusted applications from running, can be bypassed. Gatekeeper normally enforces this by verifying the code-signing certificate obtained through Apple's developer program.
Abuse of legitimate features
According to Filippo Cavallarin of the Italian cyber security company Segment, Gatekeeper treats external drives and network shares as safe locations; combined with other legitimate macOS features, this lets untrusted applications run without any warning to the user.
Using the automount functionality of Apple's OS together with its support for symbolic links, arbitrary code can be executed without Gatekeeper reacting. In macOS, network shares can be mounted automatically via 'autofs'.
Symbolic links are files that reference other files or folders stored in a different location, including on a network share. When they are inside archives they are not checked, so users can be tricked into accessing content that is stored in a remote location.
Cavallarin's method is simple. In his proof of concept he modified the Calculator app's files to include a bash script that launches a different executable, iTunes in this case, and changed the Calculator app's icon. In a video demo, he showed that a reverse shell can be obtained on the target computer.
The Gatekeeper bypass technique appears in MITRE's catalog of adversary tactics and techniques:
In macOS and OS X, when applications or programs are downloaded from the internet, there is a special attribute set on the file called com.apple.quarantine. This attribute is read by Apple’s Gatekeeper defense program at execution time and provides a prompt to the user to allow or deny execution.
Apps loaded onto the system from USB flash drive, optical disk, external hard drive, or even from a drive shared over the local network won’t set this flag. Additionally, other utilities or events like drive-by downloads don’t necessarily set it either. This completely bypasses the built-in Gatekeeper check.
The researcher published the full details of the attack and a video demonstrating the validity of his findings:
To better understand how this exploit works, let’s consider the following scenario:
- An attacker crafts a zip file containing a symbolic link to an automount endpoint she/he controls (e.g. Documents -> /net/evil.com/Documents) and sends it to the victim.
- The victim downloads the malicious archive, extracts it and follows the symlink.
The victim uses code from a location controlled by the attacker and implicitly trusted by the Gatekeeper. Running an application this way will not trigger the macOS security mechanism.
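A defender-side check for the scenario described above, added here as an example (it is not part of the article or of Cavallarin's advisory): scan an extracted archive for symbolic links whose target lies under the autofs '/net' mount point. Only readlink is used, so no link target is opened or automounted by the scan. The function names and the sample directory are constructed for this example; the hostname evil.com is taken from the article's own scenario.

```shell
#!/bin/sh
# Added example, not part of the article or of Cavallarin's advisory: scan a directory
# (e.g. an extracted archive) for symbolic links whose target points into the autofs
# '/net' mount point, which is the trick the scenario above relies on. Only readlink
# is used, so no link target is ever opened or automounted by this check.

# find_net_symlinks DIR
#   Prints "link -> target" for every symlink under DIR whose target is under /net
#   (absolute, or relative via '..' components). find does not follow symlinks by default.
find_net_symlinks() {
    find "$1" -type l -exec sh -c '
        for link; do
            target=$(readlink "$link")
            case "$target" in
                /net/*|../net/*|*/../net/*)
                    printf "%s -> %s\n" "$link" "$target" ;;
            esac
        done' sh {} +
}

# count_net_symlinks DIR
#   Prints the number of suspicious symlinks found (0 if none).
count_net_symlinks() {
    find_net_symlinks "$1" | wc -l | tr -d ' '
}

# Constructed sample: an "extracted archive" with one regular file, one benign symlink
# and one symlink of the kind described in the advisory (a dangling link; nothing is
# followed). The hostname comes from the article's example.
SAMPLE_DIR=$(mktemp -d)
echo "readme" > "$SAMPLE_DIR/README.txt"
ln -s /usr/share "$SAMPLE_DIR/share"
ln -s /net/evil.com/Documents "$SAMPLE_DIR/Documents"

if [ "$(count_net_symlinks "$SAMPLE_DIR")" -gt 0 ]; then
    echo "suspicious symlinks in $SAMPLE_DIR:"
    find_net_symlinks "$SAMPLE_DIR"
else
    echo "no /net symlinks in $SAMPLE_DIR"
fi
```

Run it as `sh scan.sh` after extracting a downloaded archive into a scratch directory; any line printed names a link that would, if followed on a machine with the '/net' automount active, pull content from a host the archive's author chose. The relative-path patterns are a heuristic: a link such as ../../net/host/share resolves into /net only if extraction lands at the right depth, so treat matches as something to inspect rather than proof of intent.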
The attack works and has been replicated by Sabina Alexandra, a security professional working at the intersection of programming and security and co-founder of Security Espresso. Using the same technique, she added a script that launched iTunes to the Calculator app. Her test system ran macOS Mojave 10.14.5.
Cavallarin says users would have difficulty spotting the attack, since Finder hides application extensions and the full path from the title bar. However, the attacker needs network access for the attack to work, which may not go undetected.
A possible mitigation is to disable automatic mounting of network shares by following these steps:
- Edit /etc/auto_master as root
- Comment the line beginning with ‘/net’
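The two steps above, as an added example that is not from the article: a small POSIX sh script that reports whether the '/net' automount map is still active in an auto_master file and produces a copy with that line commented out. It runs against a constructed sample resembling a default macOS auto_master, so it changes nothing on the machine; pointing it at the real /etc/auto_master and installing the result is a manual, root-only step. The function names are this example's own, and the reload command mentioned in the comment is not taken from the article.

```shell
#!/bin/sh
# Added example, not from the article or from Cavallarin's advisory: check whether the
# '/net' automount map is active in an auto_master file and show the mitigation the
# article describes (commenting that line out). No system file is modified here.

# net_automount_active FILE
#   Returns 0 (true) if FILE has an uncommented line whose first field is /net,
#   1 otherwise.
net_automount_active() {
    grep -Eq '^[[:space:]]*/net[[:space:]]' "$1"
}

# disable_net_automount FILE
#   Writes a copy of FILE to stdout with every active '/net' line commented out.
#   On a real system, as root: disable_net_automount /etc/auto_master > /tmp/auto_master.new,
#   review the result, install it over /etc/auto_master, then reload the maps with
#   'automount -vc' (that reload command is an assumption of this example, not from the page).
disable_net_automount() {
    sed -E 's|^([[:space:]]*/net[[:space:]])|#\1|' "$1"
}

# Constructed sample resembling a default macOS auto_master (not copied from any system).
SAMPLE_AUTO_MASTER=$(mktemp)
cat > "$SAMPLE_AUTO_MASTER" <<'EOF'
#
# Automounter master map
#
+auto_master        # Use directory service
/net                -hosts          -nobrowse,hidefromfinder,nosuid
/home               auto_home       -nobrowse,hidefromfinder
/Network/Servers    -fstab
/-                  -static
EOF

if net_automount_active "$SAMPLE_AUTO_MASTER"; then
    echo "sample: /net automount is ACTIVE (network shares auto-mount under /net)"
else
    echo "sample: /net automount is disabled"
fi

# Produce the hardened copy and confirm the '/net' line is now a comment.
HARDENED=$(mktemp)
disable_net_automount "$SAMPLE_AUTO_MASTER" > "$HARDENED"
net_automount_active "$HARDENED" || echo "after fix: /net line commented out"
```

The check function is what you would run across a fleet to find machines where the mitigation has not been applied; the sed step touches only lines whose first field is exactly /net, so the /home and other maps are left as they are.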
Cavallarin says he informed Apple about the issue on February 22 and that it should have been fixed with the May security updates. "Since Apple is aware of my 90 days' notice date, I have released this information," the researcher says, adding that the issue remains open and that "Apple started dropping my e-mails."
Apple released a patch in this month's macOS security updates for a problem, tracked as CVE-2019-8589, that allowed a malicious application to circumvent Gatekeeper. That fix, however, applies to macOS Mojave 10.14.4 and addresses a different bug than the one reported by Cavallarin.