Black Hat 2020: ‘Zero-Click’ MacOS Exploit Chain Uses Microsoft Office Macros


At Black Hat 2020, Patrick Wardle disclosed an exploit chain that bypasses Microsoft’s malicious macros protections to infect MacOS users.

A new “zero-click” MacOS exploit chain could allow attackers to deliver malware to MacOS users using a Microsoft Office document with macros. The attack bypasses security measures that both Microsoft and Apple have put in place to protect MacOS users from malicious macros.

The exploit chain, revealed by Patrick Wardle, principal security researcher with Jamf, at Black Hat USA 2020, runs macros without the alert or prompt from the Microsoft Office application that normally requires explicit user approval – meaning that when a user opens the document, the macro executes automatically.

“As the current [macros-based] attacks are lame… I wanted to make them ‘better’ to raise awareness about this attack vector, and also highlight how it could easily be worse,” Wardle told Threatpost. “I found a sandbox escape and a bypass of Apple’s new notarization requirements, and combined that with another zero day (from another researcher) to make a full ‘zero-click’ exploit chain.”

Wardle notified both Microsoft and Apple about his findings. Apple patched the flaws with the release of MacOS 10.15.3, but told Wardle “this issue does not qualify for a CVE.” Microsoft meanwhile told Wardle that the exploit chain was an issue “on the Apple side.”

Current Macro-Based Attacks

A macro is a snippet of executable code that can be added to Microsoft Office documents, generally used to accomplish a task automatically. However, macros are also commonly abused by cybercriminals, who use them for delivering a malicious payload to the endpoint because they can be allowed with a simple, single mouse-click on the part of the user when prompted.

[Image: MacOS exploit chain. Credit: Patrick Wardle]

Microsoft has attempted to block macros-based attacks. The tech giant has disabled them in Microsoft Office by default, so a user gets an alert if they are enabling macros. Microsoft also debuted a feature that sandboxed more recent versions of Microsoft Office applications that are running on modern versions of macOS – so even if (malicious) macros are inadvertently allowed to run, they will find themselves running in a highly restrictive sandbox.

From Apple’s end, the company has created notarization checks to prevent potentially malicious code – downloaded from the internet – from executing on MacOS systems. Notarizing is an automated system that scans software for malicious content and checks for code-signing issues. Due to these current protections, previous macros-based exploits have had little success.

However, Wardle’s exploit chain bypassed all of these security protections.

Exploit Chain

The first step in Wardle’s chain was a previously disclosed high-severity vulnerability, CVE-2019-1457, a security-feature bypass in which Microsoft Office fails to enforce macro settings on an Excel document. As a result, XLM macros embedded in a Symbolic Link (SYLK) file are automatically executed in Office 11 for Mac. The vulnerability still affects more recent versions of Office for Mac if users have enabled the “disable all macros without notification” option, the CERT Coordination Center warned last year.
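As an added illustration of the detection side (not code from the article or from Wardle), the following Python scanner flags SYLK spreadsheets that define an auto-run name or contain cell formulas calling process-spawning XLM functions; the indicator lists and the sample document are constructed assumptions.

```python
"""Flag SYLK (.slk) spreadsheets that carry Excel 4.0 (XLM) macro indicators.

SYLK is plain text: one record per line, fields separated by ';', the first
field naming the record type.  A 'C' (cell) record keeps its formula in a
field prefixed 'E'; an 'NN' (defined name) record keeps the name in a field
prefixed 'N'.  Escaped semicolons (';;') inside strings are not handled.
"""
import re

# XLM functions that spawn processes or touch the filesystem (assumed list).
SUSPICIOUS_FUNCS = ("EXEC", "CALL", "REGISTER", "FOPEN", "FWRITE")
# Names Excel runs automatically when the sheet is opened or closed.
AUTO_NAMES = ("AUTO_OPEN", "AUTO_CLOSE", "AUTO_ACTIVATE")


def parse_records(text):
    """Yield (record_type, fields) for every non-empty SYLK line."""
    for line in text.splitlines():
        line = line.strip()
        if line:
            parts = line.split(";")
            yield parts[0], parts[1:]


def scan_sylk(text):
    """Return a list of findings; an empty list means nothing was flagged."""
    findings = []
    for rtype, fields in parse_records(text):
        if rtype == "NN":
            for f in fields:
                if f.startswith("N") and f[1:].upper() in AUTO_NAMES:
                    findings.append(f"auto-run name defined: {f[1:]}")
        elif rtype == "C":
            for f in fields:
                if f.startswith("E"):
                    formula = f[1:]
                    for func in SUSPICIOUS_FUNCS:
                        if re.search(r"\b" + func + r"\(", formula, re.IGNORECASE):
                            findings.append(f"formula calls {func}(): {formula}")
    return findings


# Constructed sample: an Auto_open name pointing at a cell whose formula
# calls EXEC.  Not taken from any real document.
SAMPLE_SYLK = """ID;PWXL;N;E
NN;NAuto_open;ER1C1;KOut of Sheet
C;X1;Y1;K0;EEXEC("echo sample")
C;X1;Y2;K0;EHALT()
E
"""

if __name__ == "__main__":
    for finding in scan_sylk(SAMPLE_SYLK) or ["no macro indicators"]:
        print(finding)
```

The same record-level checks can be wired into a mail gateway or endpoint scanner; a SYLK file with no auto-run name still deserves a look if it carries any formula that spawns a process.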

[Image: macOS exploit chain. Credit: Patrick Wardle]

Next, Wardle leveraged a sandbox escape that was released in mid-2018. This escape abused an exception in the Office app’s sandbox profile. When it was first disclosed, Microsoft patched the flaw only by denying file creation (deny file-write) in the user’s Application Scripts and LaunchAgents directories.

However, “this means that from the sandbox (e.g. via macro code), we can still create files (ending in ~$something) almost anywhere,” said Wardle.

Finally, the exploit chain ended with a full bypass of Apple’s notarization requirements. Wardle achieved this by abusing the Archive Utility app in MacOS: he used a login item, a zip archive in ~/Library/, that was automatically extracted (outside the sandbox) by the Archive Utility.

“If the LaunchAgent directory does not exist (which it does not on a default install of macOS), it will be created, with our launch agent inside it,” he said. “In other words, we’ve just found a way to create a launch agent that on the next login will automatically be executed by macOS. With an ability to create a launch agent (that will launch an interactive remote shell), it’s game over.”
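A defender-side check for the persistence step above, added here and not part of the article or of Wardle’s work: audit the per-user LaunchAgents directory and flag agents whose program lives outside a set of assumed trusted prefixes (the prefix list and the interpreter names are my assumptions).

```python
"""Audit ~/Library/LaunchAgents for agents that run from unexpected places.

Each launch agent is a plist; the program it runs is given either by the
'Program' key or by the first element of 'ProgramArguments'.  An agent
created by a malicious document will typically point at a user-writable
path rather than at a bundled application or a system binary.
"""
import glob
import os
import plistlib

# Assumed set of locations a legitimate per-user agent would run from.
TRUSTED_PREFIXES = ("/Applications/", "/System/", "/Library/Apple/",
                    "/usr/bin/", "/usr/sbin/", "/bin/", "/sbin/")
# Interpreters that are often handed an inline script or remote shell command.
INTERPRETERS = {"sh", "bash", "zsh", "python", "python3", "osascript", "perl"}


def assess_agent(plist, label_hint="<unknown>"):
    """Return findings (strings) for one parsed launch-agent plist."""
    findings = []
    label = plist.get("Label", label_hint)
    args = plist.get("ProgramArguments") or []
    program = plist.get("Program") or (args[0] if args else None)
    if program is None:
        return [f"{label}: no Program or ProgramArguments"]
    if not program.startswith(TRUSTED_PREFIXES):
        when = "at login" if plist.get("RunAtLoad") else "on demand"
        findings.append(f"{label}: runs {program} from an untrusted path ({when})")
    if os.path.basename(program) in INTERPRETERS and len(args) > 1:
        findings.append(f"{label}: interpreter with inline arguments {args[1:]}")
    return findings


def audit_launch_agents(directory=os.path.expanduser("~/Library/LaunchAgents")):
    """Parse every .plist in the directory; map each path to its findings."""
    results = {}
    for path in sorted(glob.glob(os.path.join(directory, "*.plist"))):
        try:
            with open(path, "rb") as fh:
                results[path] = assess_agent(plistlib.load(fh), os.path.basename(path))
        except Exception as exc:  # an unparseable agent is itself worth a look
            results[path] = [f"could not parse: {exc}"]
    return results


if __name__ == "__main__":
    for path, findings in audit_launch_agents().items():
        print(path, "->", "; ".join(findings) or "ok")
```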

What this exploit chain means for an end user is that if they receive a Microsoft Office document and attempt to open it, the executable will automatically run: “Triggered by simply opening a malicious (macro-laced) Office document, no alerts, prompts nor other user interactions were required in order to persistently infect even a fully-patched macOS Catalina system,” Wardle said.

More MacOS Macros-Based Attacks

Wardle warned that macros-based attacks, while traditionally targeting Windows users, have become increasingly common on MacOS systems.

For instance, in 2019 the infamous Lazarus APT group was observed using macro-laden Office documents to target macOS users. In 2017, researchers uncovered a malicious Word document, designed to spread malware on either Mac OS X or Microsoft Windows, depending on where it’s opened.

“In the world of Windows, macro-based Office attacks are well understood (and frankly are rather old news). However, on macOS, though such attacks are growing in popularity and are quite en vogue, they have received far less attention from the research and security community,” said Wardle.
