Bypassing OS X Security Tools is Trivial, Researcher Says

SAN FRANCISCO–For years, Apple has enjoyed a pretty good reputation among users for the security of its products. That halo has been enhanced by the addition of new security features such as Gatekeeper and XProtect to OS X recently, but one researcher said that all of those protections are simple to bypass and gaining persistence on a Mac as an attacker isn’t much of a challenge at all.

Gatekeeper is one of the key technologies that Apple uses to prevent malware from running on OS X machines. It gives users the ability to restrict which applications can run on their machines by choosing to only allow apps from the Mac App Store. With that setting in play, only signed, legitimate apps should be able to run on the machine. But Patrick Wardle, director of research at Synack, said that getting around that restriction is trivial.

“Gatekeeper doesn’t verify any extra content in the apps. So if I can find an Apple-approved app and get it to load external content, when the user runs it, it will bypass Gatekeeper,” Wardle said in a talk at the RSA Conference here Thursday. “It only verifies the app bundle.”

Backing up Gatekeeper is XProtect, Apple’s anti-malware system for OS X. Malware isn’t a massive problem for OS X, but there definitely are some well-known families out there, with more being created all the time, Wardle said. Getting past XProtect turns out to be just as simple as bypassing Gatekeeper. Wardle found that by simply recompiling a known piece of OS X malware, which changes the hash, he could get the malware past XProtect and execute it on the machine. Even simpler, he could just change the name of the malware, which also lets it sneak in under the fence.

“It’s trivial to bypass XProtect,” he said.

OS X also now includes a sandbox, which Wardle said is well-designed, but there are a number of known kernel-level OS X vulnerabilities that can bypass the sandbox, as well. Google’s Project Zero has discovered and published several such bugs, and Wardle said using any one of them gets him the ability to bypass the sandbox.

“While the core sandbox technology is strong, there are plenty of bugs that can bypass it,” he said.

One of the other key security technologies in OS X is the use of code signing. However, it’s not much of a task to get around that requirement, Wardle said.

“The code signing just checks for a signature and if it’s not there, it doesn’t do anything and lets the app run,” he said. “I can unsign a signed app and the loader has no way to stop it from running.”

Starting with OS X Mavericks, all of the code that runs in the kernel has to be signed. But the mechanism that checks for the signature is flawed, too, Wardle said.

“The check for this runs in user mode, which is a huge security fail because the attacker would be in user mode,” he said. “He could just modify a kernel extension or load unsigned ones.”

On the whole, the security tools in OS X don’t present much of a challenge for attackers right now, Wardle said.

“If Macs were totally secure, I wouldn’t be here talking,” Wardle said. “It’s trivial for any attacker to bypass the security tools on Macs.”

Discussion

  • dan on

    Patrick Wardle is talking out of his ass. He's basically saying if a program runs arbitrary code, then arbitrary code might run. Wow so insightful.
    • stan on

      No he is not. He is saying that if the security features allow the execution of arbitrary code then that code is not secure.
    • Anonymous on

      No, what he's saying is that security is poorly implemented. Gatekeeper doesn't verify anything but a core application bundle, but you can poison an application without modifying the bundle. OSX Sandboxes are easy to escape, making them ineffective. Kernel code signatures can be bypassed by not existing, or even tampered with by the current user. Malware scans only for explicit hashes, which are easy to change. These are all gaping holes in their flagship security features.
    • patrick on

      Dan, I was simply trying to point out that OS X's built-in security/malware mitigations clearly fail at what they were designed to do. For example, Gatekeeper was designed to prevent/block all unsigned downloaded code (e.g. in a .dmg) from being executed. I described how to create a downloadable (or injectable) .dmg that would contain unsigned code that would bypass Gatekeeper and be allowed to execute. Another example, guest/non-admin users on a fully-patched OS X system should not be able to get root privs. I showed how any local user could elevate their privileges to root (video/demo of this: https://vimeo.com/125345793). As an OS X user, I find these issues quite insightful ;)
    • mofo on

      And where did you read that? Are you a product of common core education?
  • RandomGuy on

    Flawed research. Filevault2/non-admin main account + built in OS X Firewall stops 99.99% of the issues presented in this article.
  • John on

    Even with all this being true, how does this affect the Mac user who is concerned about their security? If you have 2 brain cells to rub together then you know the back end of OS X is BSD. Learn to lock down a BSD box and you don't have to worry if the OS X specific security features work.
  • Apple on

    @dan And you are of course a security expert? Maybe you shouldn't stick your head in the sand, and actually face the truth about Mac poor security instead.
  • Dodot on

    Prove it.
  • Paul McCann on

    Hi I wish to say that having been a Microsoft user with all its problems and now going over to Apple products it's like night or day, Microsoft does need antivirus products, Apple does not, Apple just works right out-of-the-box, have you ever heard this "plug and pray"? That doesn't apply to Apple also and I could get a war and I could go on but I think you get what I am saying. So here is a question for you: what would you use, Microsoft or Apple?
  • Paul McCann on

    Delete that part from,"and I could get a war"
  • FLOSSuser on

    @Paul McCann - Linux. The kernel is in the middle of a MASSIVE security overhaul, which will leave even an Android phone locked up like Fort Knox compared to your iMac. There is no "plug and pray". Driver support for what's out there for hardware is better than what you get from a Mac. If I have problems, I can fix them myself.
  • TED on

    I love how fanboys bash the malware researchers and corporate pentesters (grayhats) saying they are clueless on a statement or a way to hack OS X. When really there are probably 30 other ways to do the exact same thing from another vul or another process if you spend the time. BSD smee-SD, it is its base, but that means nothing when everything on top of it is Swiss Cheese. We are talking OS X has its BSD frame, but OS X is a Ford truck made out of Swiss Cheese in a 3 day rain storm. The frame is going to get rusty!