Windows 10 News and info | Forum
July 10, 2020, Loading... *
Welcome, Guest. Please login or register.

Login with username, password and session length
News: This is a clean Ad-free Forum and protected by StopForumSpam, Project Honeypot, Botscout and AbuseIPDB | This forum does not use audio ads, popups, or other annoyances. New member registration currently disabled.
  Website   Home   Windows 8 Website GDPR Help Login Register  
By continuing to use the site or forum, you agree to the use of cookies, find out more by reading our GDPR policy.
Pages: [1]
Share this topic on Del.icio.usShare this topic on DiggShare this topic on FacebookShare this topic on GoogleShare this topic on MySpaceShare this topic on RedditShare this topic on StumbleUponShare this topic on TechnoratiShare this topic on TwitterShare this topic on YahooShare this topic on Google buzz
Author Topic: macOS Unpatched for Executing Untrusted Code off the Network  (Read 1275 times)
Hero Member
Online Online

Gender: Male
United States United States

Posts: 31573

I Do Windows

WWW Email
« on: May 25, 2019, 05:43:58 PM »

Details have been released for an unpatched vulnerability in macOS 10.14.5 (Mojave) and below that allows a hacker to execute arbitrary code without user interaction.

By leveraging the flaw it is possible to bypass Gatekeeper, the built-in defense in macOS that guards the operating system against running untrusted applications. Gatekeeper achieves this by verifying the code signing certificate obtained through Apple’s developer program.

Abusing legitimate features

According to details from Filippo Cavallarin of cyber security company Segment in Italy, Gatekeeper treating external drives and networks as safe locations can be combined with other legitimate features on macOS to execute untrusted apps without warning the user.

Using the automount functionality in Apple's OS and the support for symbolic links, it is possible to run arbitrary code without triggering a reaction from Gatekeeper. On macOS, a user can automatically mount network shares using the ‘autofs’ command.

Symbolic links are files that create a reference to other files or folders stored in a different location, including a network share. They are not verified when present in archives, so users can be tricked to click them and access content stored in a remote location.

Cavallarin's method is simple. In his proof-of-concept, he modified the files of the Calculator app to include a bash script that launches a different executable, in this case, iTunes; he also changed the Calculator app's icon. He shows in a video demo that this can be used to obtain a reverse shell on the target computer.

The Gatekeeper bypass technique is present in MITRE's catalog of adversary tactics and techniques:

In macOS and OS X, when applications or programs are downloaded from the internet, there is a special attribute set on the file called This attribute is read by Apple's Gatekeeper defense program at execution time and provides a prompt to the user to allow or deny execution.

Apps loaded onto the system from USB flash drive, optical disk, external hard drive, or even from a drive shared over the local network won’t set this flag. Additionally, other utilities or events like drive-by downloads don’t necessarily set it either. This completely bypasses the built-in Gatekeeper check.

The researcher published the complete details for the attack and a video demonstrating the validity of his findings:

To better understand how this exploit works, let's consider the following scenario:

1. An attacker crafts a zip file containing a symbolic link to an automount endpoint she/he controls (ex Documents -> /net/ and sends it to the victim.

2. The victim downloads the malicious archive extracts it and follows the symlink

In this context, the victim accesses code from a location that is controlled by the attacker and trusted implicitly by Gatekeeper. Executing an app this way does not trigger the security mechanism in macOS.

The attack is valid and was replicated by Sabina Alexandra Ștefănescu, security professional and co-founder of Security Espresso, a community at the intersection of programming and security. Using the same technique, she was able to add to the Calculator app a script that launched iTunes. Her test system was running macOS Mojave 10.14.5.

Cavallarin says that because Finder is designed to hide app extensions and the full path from the title bar, users would have a hard time spotting the attack. However, a hacker would first need access to the network to pull off this attack, which may not go undetected.

A potential solution for this issue is to disable automatic mounting of network shares by following the steps below:

1. Edit /etc/auto_master as root

2. Comment the line beginning with '/net'

3. Reboot

Cavallarin claims he informed Apple of the issue on February 22 and that the company should have fixed it with the security updates in May. The researcher says that the issue is still there and that “Apple started dropping my emails.”

“Since Apple is aware of my 90 days disclosure deadline, I make this information public,” the researcher says.

The researcher told BleepingComputer that he had tested the attack on Mojave 10.14.5 a few hours before publishing the details on Friday.

In this month's security updates for macOS, Apple released a patch for an issue - tracked as CVE-2019-8589, that allowed a malicious application to bypass Gatekeeper. The fix is available for macOS Mojave 10.14.4, though, and is a different bug then what Cavallarin reported.

Update [05.25.2019, 08:47EDT]: BleepingComputer was not able to verify the validity of the attack and was not returned a request for comments from the researcher at the time of publishing the original version of the article. We later received confirmation and proof that the method described by Cavallarin works and the researcher provided extra information about the attack.


Pages: [1]
Jump to:  

Powered by SMF 1.1.21 | SMF © 2017, Simple Machines

Google visited last this page June 04, 2020, 02:13:31 AM