macOS Gatekeeper 'easily' fooled into running malicious apps, says researcher
A security researcher has detailed how a user can be tricked into running potentially malicious applications, bypassing Gatekeeper, with the disclosure three months after he's told Apple.
Security consultant Filippo Cavallarin says that a flaw in the design of macOS makes it "possible to easily bypass Gatekeeper," Apple's system that is intended to prevent users from running potentially malicious apps. He reported the flaw to Apple on February 22, 2019, and is now revealing it publicly.
"This issue was supposed to be addressed, according to the vendor, on May 15th, 2019," writes Cavallarin on his website, "but Apple started dropping my emails. Since Apple is aware of my 90 days disclosure deadline, I make this information public."
Ordinarily, if a user downloads an app from somewhere other than the Mac App Store, Gatekeeper will check that it has been code-signed by Apple and is therefore from a legitimate source. If it is not, the application does not launch and the user is told. The user can then force it to launch, but that's a positive choice and takes a little effort, it can't be done accidentally or unknowingly.
According to Cavallarin, however, this can all be circumvented. "As per-design, Gatekeeper considers both external drives and network shares as safe locations," he says, "and it allows any application they contain to run."
The idea is that once you've downloaded it and made your choice about launching the app, Gatekeeper doesn't keep checking it every time you want to open it.
However, you can be tricked or manoeuvred into mounting a network share that isn't yours and the folder in question can contain anything, including zip files with another part of the vulnerability.
"Zip archives can contain symbolic links pointing to an arbitrary location (including automount endpoints)," continues Cavallarin, "and that the software on MacOS that is responsible to decompress zip files do[es] not perform any check on the symlinks before creating them."
Consequently, if the user mounts this network share, unzips a file and clicks the link, they're opening their Macs up to problems. "Now the victim is in a location controlled by the attacker but trusted by Gatekeeper, so any attacker-controlled executable can be run without any warning," concludes Cavallarin. "The way Finder is designed... makes this technique very effective and hard to spot."
Filippo Cavallarin describes himself as a "cybersecurity expert and software engineer," and works for Segment Srl, in Venice, Italy. He has spoken at TEDx Treviso about security issues.
Apple has not commented.
Security consultant Filippo Cavallarin says that a flaw in the design of macOS makes it "possible to easily bypass Gatekeeper," Apple's system that is intended to prevent users from running potentially malicious apps. He reported the flaw to Apple on February 22, 2019, and is now revealing it publicly.
"This issue was supposed to be addressed, according to the vendor, on May 15th, 2019," writes Cavallarin on his website, "but Apple started dropping my emails. Since Apple is aware of my 90 days disclosure deadline, I make this information public."
Ordinarily, if a user downloads an app from somewhere other than the Mac App Store, Gatekeeper will check that it has been code-signed by Apple and is therefore from a legitimate source. If it is not, the application does not launch and the user is told. The user can then force it to launch, but that's a positive choice and takes a little effort, it can't be done accidentally or unknowingly.
According to Cavallarin, however, this can all be circumvented. "As per-design, Gatekeeper considers both external drives and network shares as safe locations," he says, "and it allows any application they contain to run."
The idea is that once you've downloaded it and made your choice about launching the app, Gatekeeper doesn't keep checking it every time you want to open it.
However, you can be tricked or manoeuvred into mounting a network share that isn't yours and the folder in question can contain anything, including zip files with another part of the vulnerability.
"Zip archives can contain symbolic links pointing to an arbitrary location (including automount endpoints)," continues Cavallarin, "and that the software on MacOS that is responsible to decompress zip files do[es] not perform any check on the symlinks before creating them."
Consequently, if the user mounts this network share, unzips a file and clicks the link, they're opening their Macs up to problems. "Now the victim is in a location controlled by the attacker but trusted by Gatekeeper, so any attacker-controlled executable can be run without any warning," concludes Cavallarin. "The way Finder is designed... makes this technique very effective and hard to spot."
Filippo Cavallarin describes himself as a "cybersecurity expert and software engineer," and works for Segment Srl, in Venice, Italy. He has spoken at TEDx Treviso about security issues.
Apple has not commented.
Comments
So this exploit is.
1) if you have a nfs share mounted (that is you mounted a windows server deliberately).
2) if the attacker knows you have a network share mounted and knows the exact path to it.
3) if you then download a zip file it will automatically open the zip (actually you can turn this feature off per browser).
4) and if then the zip file contains a symbolic link to that exact path it will open it as a folder in the finder.
5) if you then open a document on this folder (which is on the server) somehow the remote terminal has access to something or other, apparently on your machine.
Not really sure about 5. Or how that works.
This isn’t going to keep me awake at night. Nor is it anything to do with gatekeeper.
If it's as the researcher claimed -Apple ceased communication- that's their right. They may have valid reasons to do so, or it could be as you guessed and they thought the problem didn't warrant follow up. Either way, he did what he was supposed to do: disclose the vulnerability
5) what I read is that mounts are automatically made (automount feature) and possibly made to a point on a external server the hacker knows of.
This server contains malicious files which when clicked on do all kinds of nasty stuff.
The user doesn't necessarily notice the mount point (thats transparent in finder) and files on the external server may have the same name as common apps tricking the user which is looking for a specific app (name) ...
2) auto mount doesn’t work unless you have pre authorised the mount already.
The last bit about the files is true of any file downloaded to any file system. If gatekeeper has already run it won’t authorise the application associated with the file again.
I’m still not sure what the exact exploit is, except that maybe he saying auto mount is dangerous.
It’s a legitimate bug that Gatekeeper trusts ext. drives and network shares... they shouldn’t automatically be trusted. Sometime in the past Apple decided the performance hit was to much, and essentially disabled Gatekeeper in these scenarios. Dumb.
This is why Apple NEEDS a bug bounty program for macOS. The more people kicking the tires the better...
It’s disturbing that Apple isn’t willing to work with outside researchers, even after they’ve been warned of a problem. Also, no patch after 90 days? Not a good look for Apple...
Standard procedure or not, this comes across as this guy thinking Apple should drop everything to deal with this discover an issue that may not impact a very large user base.
How does he know that Apple is "dropping" his emails? That's a bold claim. He opened a ticket, they are working on it. Job done. Why should Apple keep communicating with this guy? For his own satisfaction? While it's not a nice feeling to be "ignored" by a company, I can't side with this guy on this one. It's a security issue, and doesn't warrant continual back-and-forth communication unless Apple needs more info from him.
Example of courtesy communication:
Hey, I'm 30 days out from disclosing. Do you need more time?
Heads up, 10 days from disclosure. Let me know if you want me to delay.
Haven't heard anything from you so I assume you got your issue handled. I disclose in 3 days.
I looked at the video, but it seems to me we're missing the part that shows how the user is tricked into mounting the external volume ...
I don't understand your first sentence. It is clear that a file is trusted on an external volume, it isn't clear to me how this external volume is mounted in the first place (or how a user is tricked into doing that).
You sure do love to put Apple in the worst light possible, tho.