Security researcher Filippo Cavallarin has published what he says is a way to bypass the Gatekeeper security feature of macOS. The bypass remains unaddressed in Apple's macOS 10.14.5 release from last week.
Gatekeeper is a macOS security tool that verifies applications immediately after they are downloaded. This prevents applications from running without the user's consent. When a user downloads an app from outside the Mac App Store, Gatekeeper is used to verify that the code is signed by Apple. If the code is not signed, the app will not open without the user giving direct permission.
Cavallarin writes on his blog that the Gatekeeper functionality can be completely bypassed. In its current implementation, Gatekeeper treats both external drives and network shares as "safe locations". This means it allows any application in these locations to run without checking the code again. He goes on to explain that a user can "easily" be tricked into mounting a network share, after which everything in that folder passes Gatekeeper.
The security researcher explains:
The first legit function is automount (aka autofs) that allows a user to automatically mount a network share just by accessing a "special" path, in this case any path that begins with "/net/".
For example, '/net/evil-attacker.com/sharedfolder/' will make us read the content of 'sharedfolder' on the remote host (evil-attacker.com) using NFS.
The other legit function is that zip archives can contain symbolic links pointing to an arbitrary location (including automount endpoints) and that the software on macOS responsible for decompressing zip files does not perform any control on symlinks before they are created.
An example of how this would work:
To better understand how this exploit works, let us consider the following scenarios:
An attacker crafts a zip file containing a symbolic link to an automount endpoint that he/she controls (ex Documents -> /net/evil.com/Documents) and sends it to the victim.
The victim downloads the malicious archive, extracts it and follows the symlink.
Now the victim is in a location controlled by the attacker but trusted by Gatekeeper, so any attacker-controlled executable can run without warning. The way Finder is designed (hiding .app extensions, hiding the full path from the title bar) makes this technique very effective and hard to spot.
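A defender-side check for the archive pattern described above, added here as an example and not code from the article or from Cavallarin: it lists the symlink entries of a zip and flags any whose target points at the /net/ automount prefix or otherwise outside the extraction directory, so the archive can be rejected before anything is extracted. The sample archive is constructed inline for the demonstration.

```python
import io
import posixpath
import stat
import zipfile
from typing import Dict, Optional

# Automount prefix named in the write-up; a symlink into it mounts a remote share.
AUTOMOUNT_PREFIX = "/net/"


def symlink_targets(zip_bytes: bytes) -> Dict[str, str]:
    """Map entry name -> link target for every symlink entry in the archive.
    Zip stores symlinks as ordinary entries whose Unix mode (upper 16 bits of
    external_attr) has S_IFLNK set and whose data is the link target."""
    targets = {}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if stat.S_ISLNK(info.external_attr >> 16):
                targets[info.filename] = zf.read(info).decode("utf-8", "replace")
    return targets


def classify_target(entry_name: str, target: str) -> Optional[str]:
    """Reason string if the link leaves the extraction directory, else None."""
    if target.startswith(AUTOMOUNT_PREFIX):
        return "automount endpoint"
    if posixpath.isabs(target):
        return "absolute path"
    # Relative target: resolve against the entry's own directory inside the archive.
    resolved = posixpath.normpath(posixpath.join(posixpath.dirname(entry_name), target))
    if resolved == ".." or resolved.startswith("../"):
        return "escapes archive root"
    return None


def suspicious_symlinks(zip_bytes: bytes) -> Dict[str, str]:
    """Entries that should cause the archive to be rejected, with the reason."""
    flagged = {}
    for name, target in symlink_targets(zip_bytes).items():
        reason = classify_target(name, target)
        if reason:
            flagged[name] = reason
    return flagged


def build_sample_archive() -> bytes:
    """Constructed fixture mirroring the page's example ('Documents' -> /net/evil.com/Documents)
    plus a plain file and a harmless symlink that stays inside the archive."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("readme.txt", "hello")
        for name, target in (("Documents", "/net/evil.com/Documents"), ("docs/latest", "../readme.txt")):
            link = zipfile.ZipInfo(name)
            link.external_attr = (stat.S_IFLNK | 0o755) << 16  # mark entry as a symlink
            zf.writestr(link, target)
    return buf.getvalue()
```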
Cavallarin said he informed Apple of this bug on February 22, and that the company was supposed to address it in the release of macOS 10.14.5 last week. However, as of that release the bypass remains unaddressed, and Cavallarin says Apple has stopped responding to his emails. He is publishing the bug today because the 90-day window he gave Apple has lapsed.
See a video demonstration of the bug below: