قالب وردپرس درنا توس
Home / Mac / Is a "Mac OS X GateKeeper bypass" what it says? – The Eclectic Light Company

Is a "Mac OS X GateKeeper bypass" what it says? – The Eclectic Light Company



From time to time it is alleged that "Gatekeeper" in macOS has been circumvented. Back in February, Filippo Cavallarin reported what he thought was a new bypass mechanism for Apple. On May 24, as Apple failed to make any changes to the MacOS 10.14.5 update, after 90 days, he released details of what he found.

Here I shall look at two specific aspects of his description: the role of the quarantine flag, which is the trigger of "Gatekeeper" to check downloaded apps, and what actually happens (or not) by signature control in this situation. My conclusion is that, although this can be circumvented by "Gatekeeper", it does not seem quite as assumed in Cavallarin's report and is essentially an architectural feature. This is not to attempt to reject their observations, but to put them into the broader context of what "Gatekeeper" actually does.

Quarantine Flags

For an app to undergo "Gatekeeper" check, the default requirement for being a "quarantine flag" is enclosed as an extended attribute (xattr) to the app bundle. I have described quarantine flag operation in detail here for apps.

It is not difficult for malicious software to exploit this: remove quarantine xattr com.apple.quarantine does not require elevated rights, and an action is performed automatically when you update an app in place using Sparkle- mechanism, for example. There are even known ways to download programs from malicious websites without basically putting xattr quarantine using a tool such as curl .

Because the quarantine mechanism rely on xattr to work, file systems that do not support xattrs, will effectively remove the flags and disable the mechanism. The best known example of a file system that can do this happens to be NFS (general). So there is a good chance that any app retrieved from an NFS share will not trigger & # 39; Gatekeeper & # 39; in any case. There has been a known limitation of & # 39; Gatekeeper & # 39; since its introduction, but does not appear to have been used as a bypass to date.

There is also another important issue: quarantine flags are only only checked when an app is launched (or a file is opened) from the Finder or via another route such as NSWorkspace which calls LaunchServices (which is the key). Executable code launched from Terminal, Shell script, or within other code, does not undergo any quarantine flag occurrence checks. The slight twist to this is that Finder usually blocks users from running scripts that have their quarantine flag set.

What happens when you run a "new" app

When an app with a quarantine flag set is run from the Finder, a number of actions occur, conveniently lumped under the term & # 39; Gatekeeper checks & # 39 ;. In Mojave, these currently include:

  • app translocation to a temporary directory;
  • a signature check called by AMFI, which can cause the app to crash immediately in case of certain errors,
  • a malware scan by XProtect;
  • displaying a confirmation dialog to the user,
  • if the controls are passed and the user agrees, the app is running;
  • If the app is running, the quarantine flag will be cleared on all executable components within that app but not removed from them.

macOS Mojave (at least) has a kickback mechanism to handle some situations similar to those described by Cavallarin: Apple Mobile File Integrity (AMFI). When an app is run from the Finder, via LaunchServices, it is checked whether it is known that this app has been run from that path before. When it has not been, a signature check should normally be called by the AMFI, but the other actions listed above are not performed. If the app's signature is found to be damaged or if the privacy confirmation fails, it causes the app to crash and the launch ends.

This can be observed if you copy an app that has been run many times before (and has removed the quarantine) and double-click to run it from a new folder. The sequence of checks is reflected in the following abbreviated log expressions, obtained from a signed, hardened and notarized app in 1

0.14.5 (times in decimal seconds):
0.358156 Finder AppKit sendAction:
0.391615 LaunchServices LaunchApplication: appToLaunch = {"ApplicationType" = "Foreground", "CFBundleExecutablePath" = "/ Volumes / External1 / Documents / 0newDownloads / MyHotApps / Signet.app / Content / MacOS / Signet" […] 0.399168 amphid Security SecTrustEvaluateIfNecessary
0.400503 trustd asynchronously retrieves CRL (http: / /crl.apple.com/root.crl) for clients (amphip [123] / 0 # -1 LF = 0)
0.400527 trustd cert [2]: AnchorTrusted = (sheet) [force]> 0
0.416269 CommCenter #I handleLSNotitifcation_sync: Application launched:

The first entry marks the last of four records of double-click, after which LaunchServices begins preparing to launch the app. Because this is from a previously unknown path, AMFI calls trustd to perform the signature check. As it goes wrong, app launch can continue and is finally notified.

It is a problem to try to do the same order with unsigned apps, but: without a certificate to check, the app must be trusted. This has been discovered by a former trustd check named by lsd (the LaunchServices Demon), which reports the absence of a signature as an error -67062:
5.395531 Finder AppKit sendAction:
5.403534 lsd Security MacOS error: -67062
5.409659 Error LaunchServices Failed to register trusted: NSOSStatusErrorDomain / -67060
5.413717 LaunchServices LaunchApplication: appToLaunch = {"ApplicationType" = "Foreground", "CFBundleExecutablePath" = "/ Volumes / External1 / Documents / 0newDownloads / MyHotApps / Lightweight-IDE 1.0a2.app/Contents/MacOS/Lightweight-IDE" […] 5.419947 taskgated Security MacOS error: -67062
5.420045 CommCenter #I handleLSNotitifcation_sync: Application launched

An earlier security evaluation for lsd reveals that the app is unsigned (error -67062) so that the AMFI cannot evaluate the integrity or signature, and l The opinion must continue in the face of that knowledge.

These controls are in any case performed only when an app is run via LaunchServices, ie Finder. So a user should not be able to run an app with a broken signature from a new location using the Finder, but they can run an app with no signature at all, and any malicious scripts or processes can run code from an app with a broken one Signature without signature checks, unless it is kind to ask for them.

Where is the vulnerability?

"GateKeeper bypass" reported by Filippo Cavallarin appears to be a combination of features that have been present since Apple first introduced "Gatekeeper" in 2007, and is a consequence of choice-based protection mechanisms. In fact, it is easier for malicious software to avoid quarantine attachments completely by using curl (for example) or just by stripping them before running unsigned code.

Finally, users must remember that these mechanisms only come into play as a result of user actions in the Finder. One way that Cavallarin's elaborate NFS automation package could be made more dangerous would be to persuade the user to run an unsigned malicious app without a quarantine flag attached, as there is currently no meaningful security check that can alert or protect the user.

In a week's time we will learn about the new security features in MacOS 10.15 finally starting to enforce long-lasting features like code signing, and if they do, they will still allow users to run their own scripts. That is the restriction that would otherwise keep Gatekeeper and protection as malware would always be able to opt out.

Easily changed to clarify the role of LaunchServices to ensure the control of quarantine flags. Thanks to Jeff Johnson @ lapcat software for pointing it out.


Source link