macOS Gatekeeper 'easily' fooled into running malicious apps, says researcher

Posted:
in General Discussion edited May 25
A security researcher has detailed how a user can be tricked into running potentially malicious applications, bypassing Gatekeeper, with the disclosure three months after he's told Apple.




Security consultant Filippo Cavallarin says that a flaw in the design of macOS makes it "possible to easily bypass Gatekeeper," Apple's system that is intended to prevent users from running potentially malicious apps. He reported the flaw to Apple on February 22, 2019, and is now revealing it publicly.

"This issue was supposed to be addressed, according to the vendor, on May 15th, 2019," writes Cavallarin on his website, "but Apple started dropping my emails. Since Apple is aware of my 90 days disclosure deadline, I make this information public."

Ordinarily, if a user downloads an app from somewhere other than the Mac App Store, Gatekeeper will check that it has been code-signed by Apple and is therefore from a legitimate source. If it is not, the application does not launch and the user is told. The user can then force it to launch, but that's a positive choice and takes a little effort, it can't be done accidentally or unknowingly.

According to Cavallarin, however, this can all be circumvented. "As per-design, Gatekeeper considers both external drives and network shares as safe locations," he says, "and it allows any application they contain to run."

The idea is that once you've downloaded it and made your choice about launching the app, Gatekeeper doesn't keep checking it every time you want to open it.

However, you can be tricked or manoeuvred into mounting a network share that isn't yours and the folder in question can contain anything, including zip files with another part of the vulnerability.

"Zip archives can contain symbolic links pointing to an arbitrary location (including automount endpoints)," continues Cavallarin, "and that the software on MacOS that is responsible to decompress zip files do[es] not perform any check on the symlinks before creating them."






Consequently, if the user mounts this network share, unzips a file and clicks the link, they're opening their Macs up to problems. "Now the victim is in a location controlled by the attacker but trusted by Gatekeeper, so any attacker-controlled executable can be run without any warning," concludes Cavallarin. "The way Finder is designed... makes this technique very effective and hard to spot."

Filippo Cavallarin describes himself as a "cybersecurity expert and software engineer," and works for Segment Srl, in Venice, Italy. He has spoken at TEDx Treviso about security issues.

Apple has not commented.

Comments

  • Reply 1 of 14
    lkrupplkrupp Posts: 7,062member
    Sounds like a whole lot of rigmarole to get this to work. Also sounds like Apple doesn’t consider this a major problem at this time or it’s going to take longer to deal with it than 90 days. So this guy says Apple stopped responding to his emails so he got mad and released the exploit to show Apple how important he is. 
    jony0
  • Reply 2 of 14
    asdasdasdasd Posts: 5,293member
    there is probably some way to disable network shares in offices, the rest of us won’t see them. 

    So this exploit is. 

    1) if you have a nfs share mounted (that is you mounted a windows server deliberately). 
    2) if the attacker knows you have a network share mounted and knows the exact path to it. 
    3) if you then download a zip file it will automatically open the zip (actually you can turn this feature off per browser). 
    4) and if then the zip file contains a symbolic link to that exact path it will open it as a folder in the finder. 
    5) if you then open a document on this folder (which is on the server) somehow the remote terminal has access to something or other, apparently on your machine. 

    Not really sure about 5. Or how that works. 

    This isn’t going to keep me awake at night. Nor is it anything to do with gatekeeper. 

    edited May 25
  • Reply 3 of 14
    lkrupp said:
    Sounds like a whole lot of rigmarole to get this to work. Also sounds like Apple doesn’t consider this a major problem at this time or it’s going to take longer to deal with it than 90 days. So this guy says Apple stopped responding to his emails so he got mad and released the exploit to show Apple how important he is. 
    It really has nothing to do with showing how important he is.  It has long been standard operating procedure to withhold vulnerability details for 90 days to give the vendor time to mitigate the issue.  At the end of 90 days the researcher either discloses details or gives the vendor more time if it's needed.  The key is communicating the need for more time; which he claims Apple didn't do and they stopped communicating altogether.  The 90 day deadline is there to encourage vendors to clean up their software in a timely manner so that we're all collectively less vulnerable.  

    If it's as the researcher claimed -Apple ceased communication- that's their right.  They may have valid reasons to do so, or it could be as you guessed and they thought the problem didn't warrant follow up.  Either way, he did what he was supposed to do: disclose the vulnerability

    dysamoriaivanhviclauyycemoeller
  • Reply 4 of 14
    knowitallknowitall Posts: 1,322member
    asdasd said:
    there is probably some way to disable network shares in offices, the rest of us won’t see them. 

    So this exploit is. 

    1) if you have a nfs share mounted (that is you mounted a windows server deliberately). 
    2) if the attacker knows you have a network share mounted and knows the exact path to it. 
    3) if you then download a zip file it will automatically open the zip (actually you can turn this feature off per browser). 
    4) and if then the zip file contains a symbolic link to that exact path it will open it as a folder in the finder. 
    5) if you then open a document on this folder (which is on the server) somehow the remote terminal has access to something or other, apparently on your machine. 

    Not really sure about 5. Or how that works. 

    This isn’t going to keep me awake at night. Nor is it anything to do with gatekeeper. 

    1) windows shares are samba not nfs (thas a Unix network file system share)

    5) what I read is that mounts are automatically made (automount feature) and possibly made to a point on a external server the hacker knows of.
    This server contains malicious files which when clicked on do all kinds of nasty stuff.
    The user doesn't necessarily notice the mount point (thats transparent in finder) and files on the external server may have the same name as common apps tricking the user which is looking for a specific app (name) ...
    dysamoria
  • Reply 5 of 14
    asdasdasdasd Posts: 5,293member
    knowitall said:
    asdasd said:
    there is probably some way to disable network shares in offices, the rest of us won’t see them. 

    So this exploit is. 

    1) if you have a nfs share mounted (that is you mounted a windows server deliberately). 
    2) if the attacker knows you have a network share mounted and knows the exact path to it. 
    3) if you then download a zip file it will automatically open the zip (actually you can turn this feature off per browser). 
    4) and if then the zip file contains a symbolic link to that exact path it will open it as a folder in the finder. 
    5) if you then open a document on this folder (which is on the server) somehow the remote terminal has access to something or other, apparently on your machine. 

    Not really sure about 5. Or how that works. 

    This isn’t going to keep me awake at night. Nor is it anything to do with gatekeeper. 

    1) windows shares are samba not nfs (thas a Unix network file system share)

    5) what I read is that mounts are automatically made (automount feature) and possibly made to a point on a external server the hacker knows of.
    This server contains malicious files which when clicked on do all kinds of nasty stuff.
    The user doesn't necessarily notice the mount point (thats transparent in finder) and files on the external server may have the same name as common apps tricking the user which is looking for a specific app (name) ...
    1) yes that’s right. Brain fart. 
    2) auto mount doesn’t work unless you have pre authorised the mount already. 

    The last bit about the files is true of any file downloaded to any file system. If gatekeeper has already run it won’t authorise the application associated with the file again. 

    I’m still not sure what the exact exploit is, except that maybe he saying auto mount is dangerous. 
  • Reply 6 of 14
    knowitall said:
    asdasd said:
    there is probably some way to disable network shares in offices, the rest of us won’t see them. 

    So this exploit is. 

    1) if you have a nfs share mounted (that is you mounted a windows server deliberately). 
    2) if the attacker knows you have a network share mounted and knows the exact path to it. 
    3) if you then download a zip file it will automatically open the zip (actually you can turn this feature off per browser). 
    4) and if then the zip file contains a symbolic link to that exact path it will open it as a folder in the finder. 
    5) if you then open a document on this folder (which is on the server) somehow the remote terminal has access to something or other, apparently on your machine. 

    Not really sure about 5. Or how that works. 

    This isn’t going to keep me awake at night. Nor is it anything to do with gatekeeper. 

    1) windows shares are samba not nfs (thas a Unix network file system share)

    5) what I read is that mounts are automatically made (automount feature) and possibly made to a point on a external server the hacker knows of.
    This server contains malicious files which when clicked on do all kinds of nasty stuff.
    The user doesn't necessarily notice the mount point (thats transparent in finder) and files on the external server may have the same name as common apps tricking the user which is looking for a specific app (name) ...
    You can make a local file appear (mount) as a ext. volume bypassing Gatekeeper.  Somebody will eventually exploit this...

    It’s a legitimate bug that Gatekeeper trusts ext. drives and network shares... they shouldn’t automatically be trusted.  Sometime in the past Apple decided the performance hit was to much, and essentially disabled Gatekeeper in these scenarios. Dumb.

    This is why Apple NEEDS a bug bounty program for macOS.  The more people kicking the tires the better...

    It’s disturbing that Apple isn’t willing to work with outside researchers, even after they’ve been warned of a problem.  Also, no patch after 90 days?  Not a good look for Apple... 


  • Reply 7 of 14
    dysamoriadysamoria Posts: 2,139member
    lkrupp said:
    Sounds like a whole lot of rigmarole to get this to work. Also sounds like Apple doesn’t consider this a major problem at this time or it’s going to take longer to deal with it than 90 days. So this guy says Apple stopped responding to his emails so he got mad and released the exploit to show Apple how important he is. 
    Congratulations. You over-simplified a summary of the article, while inserting an ad hominem attack to discredit the person reporting a security workaround that you’ve dismissed as irrelevant. What are you, Fox News?
    1STnTENDERBITSMplsP
  • Reply 8 of 14
    coolfactorcoolfactor Posts: 1,461member

    "This issue was supposed to be addressed, according to the vendor, on May 15th, 2019," writes Cavallarin on his website, "but Apple started dropping my emails. Since Apple is aware of my 90 days disclosure deadline, I make this information public."

    Standard procedure or not, this comes across as this guy thinking Apple should drop everything to deal with this discover an issue that may not impact a very large user base.  

    How does he know that Apple is "dropping" his emails? That's a bold claim. He opened a ticket, they are working on it. Job done. Why should Apple keep communicating with this guy? For his own satisfaction? While it's not a nice feeling to be "ignored" by a company, I can't side with this guy on this one. It's a security issue, and doesn't warrant continual back-and-forth communication unless Apple needs more info from him.
  • Reply 9 of 14

    "This issue was supposed to be addressed, according to the vendor, on May 15th, 2019," writes Cavallarin on his website, "but Apple started dropping my emails. Since Apple is aware of my 90 days disclosure deadline, I make this information public."

    Standard procedure or not, this comes across as this guy thinking Apple should drop everything to deal with this discover an issue that may not impact a very large user base.  

    How does he know that Apple is "dropping" his emails? That's a bold claim. He opened a ticket, they are working on it. Job done. Why should Apple keep communicating with this guy? For his own satisfaction? While it's not a nice feeling to be "ignored" by a company, I can't side with this guy on this one. It's a security issue, and doesn't warrant continual back-and-forth communication unless Apple needs more info from him.
    How did you interpret what he said as "Apple should drop everything?"  It's responses like yours and lkrupp's that make researchers detail every move they make, and even when they do detail everything, we get what we got from you guys.  Do you not know the subject matter?  The researcher trying to reach out to the vendor as the deadline gets closer... yeah, that's a courtesy not a requirement.  Nowhere does he say anything about wanting a continual back-and-forth.  That's coolfactor narrative building.  Just like lkrupp's "wanting to feel important".  

    Example of courtesy communication:
    Hey, I'm 30 days out from disclosing.  Do you need more time?  
    Heads up, 10 days from disclosure.  Let me know if you want me to delay.
    Haven't heard anything from you so I assume you got your issue handled.  I disclose in 3 days.




  • Reply 10 of 14
    kimberlykimberly Posts: 217member
    dysamoria said:
    lkrupp said:
    Sounds like a whole lot of rigmarole to get this to work. Also sounds like Apple doesn’t consider this a major problem at this time or it’s going to take longer to deal with it than 90 days. So this guy says Apple stopped responding to his emails so he got mad and released the exploit to show Apple how important he is. 
    Congratulations. You over-simplified a summary of the article, while inserting an ad hominem attack to discredit the person reporting a security workaround that you’ve dismissed as irrelevant. What are you, Fox News?
    I admit to having to look up 'ad hominem' and that latin phrase really hits the nail on the head :).  I'm a bit more 'earthy' and what flashed before my eyes was a scene with the radio DJ in the film 'Good Morning Vietnam'.
  • Reply 11 of 14
    knowitallknowitall Posts: 1,322member
    asdasd said:
    knowitall said:
    asdasd said:
    there is probably some way to disable network shares in offices, the rest of us won’t see them. 

    So this exploit is. 

    1) if you have a nfs share mounted (that is you mounted a windows server deliberately). 
    2) if the attacker knows you have a network share mounted and knows the exact path to it. 
    3) if you then download a zip file it will automatically open the zip (actually you can turn this feature off per browser). 
    4) and if then the zip file contains a symbolic link to that exact path it will open it as a folder in the finder. 
    5) if you then open a document on this folder (which is on the server) somehow the remote terminal has access to something or other, apparently on your machine. 

    Not really sure about 5. Or how that works. 

    This isn’t going to keep me awake at night. Nor is it anything to do with gatekeeper. 

    1) windows shares are samba not nfs (thas a Unix network file system share)

    5) what I read is that mounts are automatically made (automount feature) and possibly made to a point on a external server the hacker knows of.
    This server contains malicious files which when clicked on do all kinds of nasty stuff.
    The user doesn't necessarily notice the mount point (thats transparent in finder) and files on the external server may have the same name as common apps tricking the user which is looking for a specific app (name) ...
    1) yes that’s right. Brain fart. 
    2) auto mount doesn’t work unless you have pre authorised the mount already. 

    The last bit about the files is true of any file downloaded to any file system. If gatekeeper has already run it won’t authorise the application associated with the file again. 

    I’m still not sure what the exact exploit is, except that maybe he saying auto mount is dangerous. 
    Your right (about 2) so it must be something else.
    I looked at the video, but it seems to me we're missing the part that shows how the user is tricked into mounting the external volume ...
  • Reply 12 of 14
    knowitallknowitall Posts: 1,322member

    knowitall said:
    asdasd said:
    there is probably some way to disable network shares in offices, the rest of us won’t see them. 

    So this exploit is. 

    1) if you have a nfs share mounted (that is you mounted a windows server deliberately). 
    2) if the attacker knows you have a network share mounted and knows the exact path to it. 
    3) if you then download a zip file it will automatically open the zip (actually you can turn this feature off per browser). 
    4) and if then the zip file contains a symbolic link to that exact path it will open it as a folder in the finder. 
    5) if you then open a document on this folder (which is on the server) somehow the remote terminal has access to something or other, apparently on your machine. 

    Not really sure about 5. Or how that works. 

    This isn’t going to keep me awake at night. Nor is it anything to do with gatekeeper. 

    1) windows shares are samba not nfs (thas a Unix network file system share)

    5) what I read is that mounts are automatically made (automount feature) and possibly made to a point on a external server the hacker knows of.
    This server contains malicious files which when clicked on do all kinds of nasty stuff.
    The user doesn't necessarily notice the mount point (thats transparent in finder) and files on the external server may have the same name as common apps tricking the user which is looking for a specific app (name) ...
    You can make a local file appear (mount) as a ext. volume bypassing Gatekeeper.  Somebody will eventually exploit this...

    It’s a legitimate bug that Gatekeeper trusts ext. drives and network shares... they shouldn’t automatically be trusted.  Sometime in the past Apple decided the performance hit was to much, and essentially disabled Gatekeeper in these scenarios. Dumb.

    This is why Apple NEEDS a bug bounty program for macOS.  The more people kicking the tires the better...

    It’s disturbing that Apple isn’t willing to work with outside researchers, even after they’ve been warned of a problem.  Also, no patch after 90 days?  Not a good look for Apple... 


    I don't understand your first sentence. It is clear that a file is trusted on an external volume, it isn't clear to me how this external volume is mounted in the first place (or how a user is tricked into doing that).
  • Reply 13 of 14
    macxpressmacxpress Posts: 4,861member
    knowitall said:

    knowitall said:
    asdasd said:
    there is probably some way to disable network shares in offices, the rest of us won’t see them. 

    So this exploit is. 

    1) if you have a nfs share mounted (that is you mounted a windows server deliberately). 
    2) if the attacker knows you have a network share mounted and knows the exact path to it. 
    3) if you then download a zip file it will automatically open the zip (actually you can turn this feature off per browser). 
    4) and if then the zip file contains a symbolic link to that exact path it will open it as a folder in the finder. 
    5) if you then open a document on this folder (which is on the server) somehow the remote terminal has access to something or other, apparently on your machine. 

    Not really sure about 5. Or how that works. 

    This isn’t going to keep me awake at night. Nor is it anything to do with gatekeeper. 

    1) windows shares are samba not nfs (thas a Unix network file system share)

    5) what I read is that mounts are automatically made (automount feature) and possibly made to a point on a external server the hacker knows of.
    This server contains malicious files which when clicked on do all kinds of nasty stuff.
    The user doesn't necessarily notice the mount point (thats transparent in finder) and files on the external server may have the same name as common apps tricking the user which is looking for a specific app (name) ...
    You can make a local file appear (mount) as a ext. volume bypassing Gatekeeper.  Somebody will eventually exploit this...

    It’s a legitimate bug that Gatekeeper trusts ext. drives and network shares... they shouldn’t automatically be trusted.  Sometime in the past Apple decided the performance hit was to much, and essentially disabled Gatekeeper in these scenarios. Dumb.

    This is why Apple NEEDS a bug bounty program for macOS.  The more people kicking the tires the better...

    It’s disturbing that Apple isn’t willing to work with outside researchers, even after they’ve been warned of a problem.  Also, no patch after 90 days?  Not a good look for Apple... 


    I don't understand your first sentence. It is clear that a file is trusted on an external volume, it isn't clear to me how this external volume is mounted in the first place (or how a user is tricked into doing that).
    Like most macOS exploits...it involves a specific circumstance that most users would never encounter. XYZ always has to be present first before something can happen unlike Windows where it just happens in the background. 
    lkruppStrangeDays
  • Reply 14 of 14
    StrangeDaysStrangeDays Posts: 7,570member
    knowitall said:
    asdasd said:
    there is probably some way to disable network shares in offices, the rest of us won’t see them. 

    So this exploit is. 

    1) if you have a nfs share mounted (that is you mounted a windows server deliberately). 
    2) if the attacker knows you have a network share mounted and knows the exact path to it. 
    3) if you then download a zip file it will automatically open the zip (actually you can turn this feature off per browser). 
    4) and if then the zip file contains a symbolic link to that exact path it will open it as a folder in the finder. 
    5) if you then open a document on this folder (which is on the server) somehow the remote terminal has access to something or other, apparently on your machine. 

    Not really sure about 5. Or how that works. 

    This isn’t going to keep me awake at night. Nor is it anything to do with gatekeeper. 

    1) windows shares are samba not nfs (thas a Unix network file system share)

    5) what I read is that mounts are automatically made (automount feature) and possibly made to a point on a external server the hacker knows of.
    This server contains malicious files which when clicked on do all kinds of nasty stuff.
    The user doesn't necessarily notice the mount point (thats transparent in finder) and files on the external server may have the same name as common apps tricking the user which is looking for a specific app (name) ...
    You can make a local file appear (mount) as a ext. volume bypassing Gatekeeper.  Somebody will eventually exploit this...

    It’s a legitimate bug that Gatekeeper trusts ext. drives and network shares... they shouldn’t automatically be trusted.  Sometime in the past Apple decided the performance hit was to much, and essentially disabled Gatekeeper in these scenarios. Dumb.

    This is why Apple NEEDS a bug bounty program for macOS.  The more people kicking the tires the better...

    It’s disturbing that Apple isn’t willing to work with outside researchers, even after they’ve been warned of a problem.  Also, no patch after 90 days?  Not a good look for Apple...
    Please, you don’t know anything about why they stopped communicating with the person if it’s true. As others suggested there may be reasons, including it not being considered a high-risk exploit. 

    You sure do love to put Apple in the worst light possible, tho. 
Sign In or Register to comment.