Patrick Wardle, the popular white hat hacker, has discovered a zero-day vulnerability that could allow attackers to carry out synthetic mouse-click attacks
Patrick Wardle, the popular white hat hacker and chief research officer at Digita Security, has discovered a zero-day vulnerability that could allow attackers to mimic mouse-clicks for kernel access.
Wardle presented his discovery during the Def Con 2018 conference in Las Vegas, he explained that by using two lines of code he found an Apple zero-day in the High Sierra operating system that could allow a local attacker to virtually âclickâ a security prompt and thus load a kernel extension.
Once obtained the Kernel access on a Mac, the attack can fully compromise the system.
Apple has already in place security measures to prevent attackers from mimicking mouse-clicks for approving security prompts presented to the user when attempting to perform tasks that can potentially expose to risks the system.
Patrick Wardle has discovered a flaw that allows attackers to bypass such kind of security measures through Synthetic Mouse-Click attacks.
Good morning @Defcon attendees âď¸
My talk, "? > âď¸" is today:
"The Mouse is Mightier than the Sword"
Sunday 10:00, 101 Track, FlamingoIncludes new bypasses of privacy controls & 0day breaking 'User Assisted Kext Loading' ???
See you there ? https://t.co/9iDWuPniwI
— patrick wardle (@patrickwardle) August 12, 2018
Wardle recently demonstrated that a local, privileged attacker could leverage vulnerabilities in third-party kernel extensions to bypass Appleâs kernel code-signing requirements.
Malware developers and hackers have started using synthetic mouse-click attacks to bypass this security mechanism and emulate human behavior in approving security warnings.
Apple mitigated the attack devised by Wardle by implementing a new security feature dubbed âUser Assisted Kernel Extension Loading,â a measure that force users to manually approve the loading of any kernel extension by clicking the âallowâ button in the security settings UI.
The latest macOS versions, including High Sierra introduced a filtering mechanism to ignore synthetic events.
âBefore an attacker can load a (signed) kernel extension, the user has to click an âallowâ button. This recent security mechanism is designed to prevent rogue attacks from loading code into the kernel. If this mechanism is bypassed itâs game over,â Wardle explained.
Wardle discovered that is it possible to deceive macOS by using two consecutive synthetic mouse âdownâ events because the operating system wrongly interprets them as a manual approval.
âFor some unknown reason the two synthetic mouse âdownâ events confuse the system and the OS sees it as a legitimate click,â Wardle said. âThis fully breaks a foundational security mechanism of High Sierra.â
The expert explained that the operating system confuses a sequence of two-down as mouse âdownâ and âup.â The OS also confuse the âupâ event as an internal event and for this reason, it is not filtered and it can be abused to interact with High Sierraâs user interface allowing to load kernel extensions.
Wardle accident discovered the issue by copying and pasting code for a synthetic mouse down twice.
âI was just kind of goofing around with this feature. I copied and pasted the code for a synthetic mouse down twice accidentally â forgetting to change a value of a flag that would indicate a mouse âupâ event. Without realizing my âmistake,â I compiled and ran the code, and honestly was rather surprised when it generated an allowed synthetic click!â
âTwo lines of code completely break this security mechanism,â he added. âIt is truly mind-boggling that such a trivial attack is successful. Iâm almost embarrassed to talk about the bug as itâs so simple â though Iâm actually more embarrassed for Apple.â
According to Wardle, the issue only affects High Sierra, because it is the using OS version that implements the Appleâs User Assisted Kernel Extension Loading.
The Wardle’s presentation is available at the following URL:
(Security Affairs â Synthetic Mouse-Click Attacks, macOS)