The Italian security researcher Filippo Cavallarin demonstrated how to bypass the
The Apple Gatekeeper is designed to protect OS X users by performing a number of checks before allowing an App to run. In fact, you will not be able to execute code that wasn’t signed by an Apple developer, you will not be able to run apps that weren’t downloaded from Apple’s store if the device is not
Filippo Cavallarin demonstrated how to bypass Gatekeeper and execute untrusted code without user explicit permission and any warning to the victims.
Gatekeeper considers both external drives and network shares as safe locations, this means that any application in these locations could run without asking for the user’s consent.
The attacker would need to leverage two legitimate features implemented in macOS, the automount (aka autofs) and the lack of specific checks.
“As per-design, Gatekeeper considers both external drives and network shares as safe locations and it allows any application they contain to run.” wrote the expert.”By combining this design with two legitimate features of MacOS X, it will result in the complete
The autofs feature allows a user to automatically mount a network share by accessing a “special” path, in this specific case any path beginning with “/net/” (i.e. /net/evil-attacker.com/sharedfolder/).
The second feature that was exploited to include within ZIP archives symbolic links pointing to arbitrary locations, in this case, automount endpoints.
Cavallarin discovered that the software responsible for decompressing the ZIP archives does not perform any check on the symlinks.
An attacker can create a ZIP file containing a symbolic link to an automount endpoint under their control and send it to the victim. The attack scenario sees the victim downloading the archive and follows the symlink, they are redirected to the location controlled by the attacker that is also trusted by Gatekeeper.
“To better understand how this exploit works, let’s consider the following scenario:
An attacker crafts a zip file containing a symbolic link to an automount endpoint she/he controls (ex Documents -> /net/evil.com/Documents) and sends it to the victim. The victim downloads the malicious archive, extracts it and follows the symlink.” continues the expert.
“Now the victim is in a location controlled by the attacker but trusted by Gatekeeper, so any attacker-controlled executable can be run without any warning. The way Finder is designed (ex hide .app extensions, hide full path from titlebar) makes this tecnique very effective and hard to spot.”
Below a video PoC of the attack:
The expert suggests as workaround to disable automount feature with the following procedure:
Cavallarin reported his findings to Apple on February 22, 2019, the tech giant likely addressed it on May 15, 2019.
“The vendor has been contacted on February 22th 2019 and it’s aware of this issue.” concludes the researcher. “This issue was supposed to be addressed, according to the vendor, on May 15th 2019 but Apple started dropping my emails. Since Apple is aware of my 90 days disclosure deadline, I make this information public. ”
If you appreciate my effort in spreading cybersecurity awareness, please vote for Security Affairs in the section “Your Vote for the Best EU Security Tweeter”