Researchers demonstrate new methods of bypassing macOS security

Posted in macOS

Although Apple has taken steps to shore up the security of its macOS platform, vulnerabilities are still surfacing that could bypass some of its most important protections.

Credit: Andrew O'Hara, AppleInsider

According to a new report from cybersecurity firm Malwarebytes, a handful of vulnerabilities and exploits shown off at the Objective by the Sea conference illustrate how Mac-targeting attacks are evolving. OBTS is the only security conference that focuses solely on Apple devices and products.

Transparency, Consent, and Control bypasses

For example, security researchers demonstrated two attacks that bypassed Apple's Transparency, Consent, and Control (TCC) systems -- mechanisms that require user consent before a process can access specific categories of data.

One attack involved a remote attacker with root permissions granting data access to a malicious process by simply creating a new user on the system and having that user grant the permissions. Another vulnerability leveraged mount points for disk image files. Basically, the researcher was able to modify a specific permissions database and grant TCC permissions to pretty much any process.

Another vulnerability demonstrated at the OBTS conference deals with what types of data the Mac's TCC protections defend. For example, malware can potentially collect data from the .ssh folder, which is used to store certificates that authenticate connections. This, according to Malwarebytes, could allow an attacker to "move around" an organization's infrastructure if they gained access to that folder.

macOS installers

Other attacks that made an appearance during the OBTS conference include ones that target or bypass Apple's installer protections.

The Silver Sparrow malware, for example, uses the Distribution file on a Mac system, which is used to convey information and options for an installer. JavaScript code can be run in the Distribution file, opening up a door for potential attacks.

Specifically, Silver Sparrow used a script initially meant to check if a system met installation requirements to download and install malware covertly.

Another way to bypass Apple's installation protections is the payload-free installer. These are essentially installers that don't install anything. Instead, they are a shell for a script that runs its own installation process.
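A defender-side check for the two installer traits described above (JavaScript hooks in a Distribution file, and a component that ships scripts but no Payload), written as an added example that is not from the article or Malwarebytes. It assumes the layout `pkgutil --expand` produces (a `Distribution` file plus `*.pkg/Payload` and `*.pkg/Scripts`), the Distribution element names `installation-check`, `volume-check` and `script`, and `system.run` as the Installer JavaScript call that launches a process; the sample package it audits is constructed inline.

```python
import re
import tempfile
import xml.etree.ElementTree as ET
from pathlib import Path

# Distribution elements whose "script" attribute names a JS function the Installer runs
# before copying files; system.run is assumed to be the Installer JS call that spawns a process.
HOOK_TAGS = ("installation-check", "volume-check")
SPAWN_RE = re.compile(r"system\.run\s*\(")

def audit_distribution(xml_text: str) -> dict:
    # Return the pre-install JS hooks and whether any embedded script spawns a process.
    root = ET.fromstring(xml_text)
    hooks = [(tag, el.get("script", "")) for tag in HOOK_TAGS for el in root.iter(tag)]
    scripts = "\n".join(el.text or "" for el in root.iter("script"))
    return {"hooks": hooks, "spawns_process": bool(SPAWN_RE.search(scripts))}

def audit_expanded_pkg(root: Path) -> dict:
    # Walk a `pkgutil --expand` dir: Distribution hooks plus, per component, scripts and Payload presence.
    report = {"distribution": None, "components": {}}
    dist = root / "Distribution"
    if dist.is_file():
        report["distribution"] = audit_distribution(dist.read_text())
    for comp in sorted(p for p in root.glob("*.pkg") if p.is_dir()):
        report["components"][comp.name] = {
            "has_payload": (comp / "Payload").exists(),  # False => payload-free component
            "scripts": sorted(p.name for p in (comp / "Scripts").glob("*") if p.is_file())}
    return report

# Constructed sample: a "requirements check" that shells out, and one component that
# ships only a postinstall script with no Payload.
SAMPLE_DISTRIBUTION = """<?xml version="1.0" encoding="utf-8"?>
<installer-gui-script minSpecVersion="1">
  <installation-check script="pm_install_check()"/>
  <script><![CDATA[
function pm_install_check() {
  system.run('/bin/sh', '-c', 'echo constructed sample');  // not a real check
  return true;
}
]]></script>
</installer-gui-script>"""

def build_sample() -> Path:
    root = Path(tempfile.mkdtemp()) / "sample.pkg"
    scripts = root / "com.example.component.pkg" / "Scripts"
    scripts.mkdir(parents=True)
    (root / "Distribution").write_text(SAMPLE_DISTRIBUTION)
    (scripts / "postinstall").write_text("#!/bin/sh\nexit 0\n")
    return root
```

Run `audit_expanded_pkg(build_sample())` to see the report; a Distribution with `spawns_process` true, or a component with scripts and `has_payload` false, is what deserves a closer look before the package is approved.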

At least two more vulnerabilities were discussed at OBTS, including installer plugins that were crafted maliciously to install payloads on a system and a flaw in macOS that could allow a Mac app to entirely bypass Gatekeeper.

More information about the vulnerabilities and the researchers who discovered them can be found on Malwarebytes' blog.


Comments

  • Reply 1 of 6
    sflocal Posts: 5,775 member
    Good.  I have zero problem with this, if anything maybe the slightly sensationalist headline.  Desktop OSes always have to play a balancing act between usability and flexibility and locking it down without making it unusable.

    Keep finding them, and I hope Apple patches them quickly.
  • Reply 2 of 6
    Andy Grant (@andywgrant) presented a vulnerability in which a remote attacker with root permissions can grant a malicious process whatever TCC permissions are desired. This process involves creating a new user on the system, then using that user to grant the permissions.
    I can see the problems with the other stuff. This one though... if the remote attacker already has root permissions, isn't that the main problem? Originally, root had permission to do anything. It is only with later versions that Apple removed all access for root accounts and yet people complained. By pushing Apple to remove more ability from root, some things will not work.
  • Reply 3 of 6
    digitol Posts: 245 member
    Mac OS Security is a joke. They heavily heavily rely on obscurity, and deploy mechanisms that simply are not well structured, or fully checked all the way up the chain.  Sigh. 

    sudo mount -o nobrowse -t apfs /dev/disk
    Targetdisk /nonroot

    codesign --force --deep --sign targetApp

  • Reply 4 of 6
    lkrupp Posts: 9,557 member
    digitol said:
    Mac OS Security is a joke. They heavily heavily rely on obscurity, and deploy mechanisms that simply are not well structured, or fully checked all the way up the chain.  Sigh. 

    sudo mount -o nobrowse -t apfs /dev/disk
    Targetdisk /nonroot

    codesign --force --deep --sign targetApp

    Then why don’t we see reports of massive breakouts? Same goes for Windows and Linux.
  • Reply 5 of 6
    rcfa Posts: 1,113 member
    digitol said:
    Mac OS Security is a joke. They heavily heavily rely on obscurity, and deploy mechanisms that simply are not well structured, or fully checked all the way up the chain.  Sigh. 

    sudo mount -o nobrowse -t apfs /dev/disk
    Targetdisk /nonroot

    codesign --force --deep --sign targetApp

    And the problem is where? If you’re allowed to sudo, then of course you should be able to do the rest, that’s the whole point of being an admin user: you’re supposed to know what you’re doing!
  • Reply 6 of 6
    rcfa said:
    digitol said:
    Mac OS Security is a joke. They heavily heavily rely on obscurity, and deploy mechanisms that simply are not well structured, or fully checked all the way up the chain.  Sigh. 

    sudo mount -o nobrowse -t apfs /dev/disk
    Targetdisk /nonroot

    codesign --force --deep --sign targetApp

    And the problem is where? If you’re allowed to sudo, then of course you should be able to do the rest, that’s the whole point of being an admin user: you’re supposed to know what you’re doing!
    Fool the user into providing authentication for your script and you temporarily have root access, which you can use to install software that runs with root privileges.