
macOS Gatekeeper 'easily' fooled into running malicious apps, says researcher


A security researcher has detailed how a user can be tricked into running potentially malicious applications, bypassing Gatekeeper, with the disclosure coming three months after he told Apple.

Security consultant Filippo Cavallarin says that a flaw in the design of macOS makes it "possible to easily bypass Gatekeeper," Apple's system that is intended to prevent users from running potentially malicious apps. He reported the flaw to Apple on February 22, 2019, and is now revealing it publicly.

"This issue was supposed to be addressed, according to the vendor, on May 15th, 2019," writes Cavallarin on his website, "but Apple started dropping my emails. Since Apple is aware of my 90 days disclosure deadline, I make this information public."

Ordinarily, if a user downloads an app from somewhere other than the Mac App Store, Gatekeeper will check that it has been code-signed by Apple and is therefore from a legitimate source. If it is not, the application does not launch and the user is told. The user can then force it to launch, but that is a positive choice and takes a little effort; it can't be done accidentally or unknowingly.

According to Cavallarin, however, this can all be circumvented. "As per-design, Gatekeeper considers both external drives and network shares as safe locations," he says, "and it allows any application they contain to run."

The idea is that once you've downloaded it and made your choice about launching the app, Gatekeeper doesn't keep checking it every time you want to open it.

However, you can be tricked or manoeuvred into mounting a network share that isn't yours, and the folder in question can contain anything, including zip files that carry the other part of the vulnerability.

"Zip archives can contain symbolic links pointing to an arbitrary location (including automount endpoints)," continues Cavallarin, "and that the software on MacOS that is responsible to decompress zip files do[es] not perform any check on the symlinks before creating them."

Consequently, if the user mounts this network share, unzips a file and clicks the link, they're opening their Macs up to problems. "Now the victim is in a location controlled by the attacker but trusted by Gatekeeper, so any attacker-controlled executable can be run without any warning," concludes Cavallarin. "The way Finder is designed... makes this technique very effective and hard to spot."
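The archive-side ingredient Cavallarin describes, a zip whose symbolic-link entries are created without any check on where they point, is something a defender can screen for before extraction. The Python script below is an added example written for this article; it is not code from Cavallarin, from Segment Srl or from Apple. It walks a zip's central directory, identifies entries whose Unix mode bits mark them as symbolic links, and flags any whose target is absolute or climbs out of the extraction directory. The mount-point prefixes it labels (/Volumes, /net, /home) and the sample archive it builds in memory are assumptions constructed for the demonstration, not paths taken from the article.

```python
"""Screen a zip archive for symbolic-link entries that point outside the archive.

Added example for the article above; not code from the researcher or from Apple.
"""
import io
import posixpath
import stat
import zipfile
from typing import Dict, List, Optional

# Assumption: directories under which macOS presents mounted volumes and
# automounted shares. They are used to label a finding, not to exclude one.
MOUNT_PREFIXES = ("/Volumes/", "/net/", "/home/")


def is_symlink_entry(info: zipfile.ZipInfo) -> bool:
    """A Unix-created zip stores st_mode in the high 16 bits of external_attr."""
    return stat.S_ISLNK(info.external_attr >> 16)


def classify_target(entry_name: str, target: str) -> Optional[str]:
    """Return a reason if the link target leaves the extraction directory, else None."""
    if posixpath.isabs(target):
        if target.startswith(MOUNT_PREFIXES):
            return "absolute target under a mount point (location Gatekeeper treats as trusted)"
        return "absolute target outside the archive"
    # Resolve the relative target against the link's own directory inside the archive.
    resolved = posixpath.normpath(posixpath.join(posixpath.dirname(entry_name), target))
    if resolved == ".." or resolved.startswith("../"):
        return "relative target escapes the extraction directory"
    return None


def scan_zip(data: bytes) -> List[Dict[str, str]]:
    """Return one finding per suspicious symlink entry; regular files are ignored."""
    findings: List[Dict[str, str]] = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if not is_symlink_entry(info):
                continue
            # For a symlink entry the member's data is the link target path.
            target = zf.read(info).decode("utf-8", errors="replace")
            reason = classify_target(info.filename, target)
            if reason is not None:
                findings.append({"entry": info.filename, "target": target, "reason": reason})
    return findings


def _add_symlink(zf: zipfile.ZipFile, name: str, target: str) -> None:
    """Write a symlink entry with Unix mode bits (used only to build the fixture)."""
    zi = zipfile.ZipInfo(name)
    zi.create_system = 3  # 3 = Unix, so extractors honour the mode bits
    zi.external_attr = (stat.S_IFLNK | 0o777) << 16
    zf.writestr(zi, target)


def build_sample_archive() -> bytes:
    """Constructed fixture: two harmless entries and two links a screen should flag."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("docs/readme.txt", "plain content\n")
        _add_symlink(zf, "docs/notes", "readme.txt")               # stays inside docs/
        _add_symlink(zf, "docs/Shared", "/Volumes/example-share")  # constructed mount path
        _add_symlink(zf, "docs/escape", "../../outside")           # climbs out of the archive
    return buf.getvalue()


if __name__ == "__main__":
    for f in scan_zip(build_sample_archive()):
        print(f"{f['entry']} -> {f['target']}: {f['reason']}")
```

To use it on a real download, pass the file's bytes to `scan_zip` instead of the fixture; any non-empty result is a reason to look at the archive before the system's extractor expands it and materialises the links. The check deliberately reads the target from the central directory rather than extracting, so nothing is written to disk while screening.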

Filippo Cavallarin describes himself as a "cybersecurity expert and software engineer," and works for Segment Srl, in Venice, Italy. He has spoken at TEDx Treviso about security issues.

Apple has not commented.



14 Comments

lkrupp 19 Years · 10521 comments

Sounds like a whole lot of rigmarole to get this to work. Also sounds like Apple doesn’t consider this a major problem at this time or it’s going to take longer to deal with it than 90 days. So this guy says Apple stopped responding to his emails so he got mad and released the exploit to show Apple how important he is. 

asdasd 21 Years · 5682 comments

There is probably some way to disable network shares in offices; the rest of us won't see them. 

So this exploit is: 

1) if you have an nfs share mounted (that is, you mounted a windows server deliberately). 
2) if the attacker knows you have a network share mounted and knows the exact path to it. 
3) if you then download a zip file it will automatically open the zip (actually you can turn this feature off per browser). 
4) and if then the zip file contains a symbolic link to that exact path it will open it as a folder in the Finder. 
5) if you then open a document on this folder (which is on the server) somehow the remote terminal has access to something or other, apparently on your machine. 

Not really sure about 5, or how that works. 

This isn't going to keep me awake at night. Nor is it anything to do with Gatekeeper. 

1STnTENDERBITS 8 Years · 460 comments

lkrupp said:
Sounds like a whole lot of rigmarole to get this to work. Also sounds like Apple doesn’t consider this a major problem at this time or it’s going to take longer to deal with it than 90 days. So this guy says Apple stopped responding to his emails so he got mad and released the exploit to show Apple how important he is. 

It really has nothing to do with showing how important he is.  It has long been standard operating procedure to withhold vulnerability details for 90 days to give the vendor time to mitigate the issue.  At the end of 90 days the researcher either discloses details or gives the vendor more time if it's needed.  The key is communicating the need for more time; which he claims Apple didn't do and they stopped communicating altogether.  The 90 day deadline is there to encourage vendors to clean up their software in a timely manner so that we're all collectively less vulnerable.  

If it's as the researcher claimed - Apple ceased communication - that's their right. They may have valid reasons to do so, or it could be as you guessed and they thought the problem didn't warrant follow-up. Either way, he did what he was supposed to do: disclose the vulnerability.

knowitall 11 Years · 1648 comments

asdasd said:
There is probably some way to disable network shares in offices; the rest of us won't see them. 

So this exploit is: 

1) if you have an nfs share mounted (that is, you mounted a windows server deliberately). 
2) if the attacker knows you have a network share mounted and knows the exact path to it. 
3) if you then download a zip file it will automatically open the zip (actually you can turn this feature off per browser). 
4) and if then the zip file contains a symbolic link to that exact path it will open it as a folder in the Finder. 
5) if you then open a document on this folder (which is on the server) somehow the remote terminal has access to something or other, apparently on your machine. 

Not really sure about 5, or how that works. 

This isn't going to keep me awake at night. Nor is it anything to do with Gatekeeper. 

1) Windows shares are Samba, not nfs (that's a Unix network file system share).

5) What I read is that mounts are automatically made (automount feature), possibly to a point on an external server the hacker knows of.
This server contains malicious files which, when clicked on, do all kinds of nasty stuff.
The user doesn't necessarily notice the mount point (that's transparent in Finder), and files on the external server may have the same name as common apps, tricking the user who is looking for a specific app (name) ...

asdasd 21 Years · 5682 comments

knowitall said:
asdasd said:
There is probably some way to disable network shares in offices; the rest of us won't see them. 

So this exploit is: 

1) if you have an nfs share mounted (that is, you mounted a windows server deliberately). 
2) if the attacker knows you have a network share mounted and knows the exact path to it. 
3) if you then download a zip file it will automatically open the zip (actually you can turn this feature off per browser). 
4) and if then the zip file contains a symbolic link to that exact path it will open it as a folder in the Finder. 
5) if you then open a document on this folder (which is on the server) somehow the remote terminal has access to something or other, apparently on your machine. 

Not really sure about 5, or how that works. 

This isn't going to keep me awake at night. Nor is it anything to do with Gatekeeper. 

1) Windows shares are Samba, not nfs (that's a Unix network file system share).

5) What I read is that mounts are automatically made (automount feature), possibly to a point on an external server the hacker knows of.
This server contains malicious files which, when clicked on, do all kinds of nasty stuff.
The user doesn't necessarily notice the mount point (that's transparent in Finder), and files on the external server may have the same name as common apps, tricking the user who is looking for a specific app (name) ...

1) Yes, that's right. Brain fart. 
2) Automount doesn't work unless you have pre-authorised the mount already. 

The last bit about the files is true of any file downloaded to any file system. If Gatekeeper has already run, it won't authorise the application associated with the file again. 

I'm still not sure what the exact exploit is, except that maybe he's saying automount is dangerous.