LAS VEGAS – By tweaking just two lines of code, a researcher stumbled on an Apple zero-day that could allow a local attacker to virtually “click” a security prompt and thus load a kernel extension on systems running Apple’s latest High Sierra operating system.
Kernel access on a Mac gives an adversary unparalleled access to a system, which can be used to fully compromise the operating system. Apple has previously blocked methods abused by hackers and malware to synthetically approve security prompts presented to the user when attempting to perform risky tasks such as loading a kernel extension. Unfortunately, Apple’s efforts, yet again, have fallen short, said Patrick Wardle, chief research officer at Digita Security, who discovered the new vulnerability and publicly shared it today during a session at DEF CON 2018.
In a previous talk, Wardle demonstrated how local, privileged attackers could leverage vulnerabilities in third-party kernel extensions in order to bypass Apple’s kernel code-signing requirements. Interestingly, the recently discovered SlingShot APT abused the same attack on Windows to bypass Microsoft’s kernel security mechanisms.
Apple’s response to this attack was to enhance the security of macOS by introducing a new security feature, named “User Assisted Kernel Extension Loading,” which requires users to manually approve the loading of any kernel extension by clicking an “allow” button in the system’s security settings UI.
Apple is well aware of the fact that in the past, attackers have used synthetic mouse clicks to bypass such security mechanisms by programmatically interacting with such security warnings. As such, in recent versions of macOS such as High Sierra, Apple has begun filtering (and selectively ignoring) synthetic events in order to thwart this class of attacks and protect security alerts.
“Before an attacker can load a (signed) kernel extension, the user has to click an ‘allow’ button. This recent security mechanism is designed to prevent rogue attacks from loading code into the kernel. If this mechanism is bypassed it’s game over,” Wardle said.
Wardle uncovered a flaw in High Sierra, which half of macOS systems run, that does just that. He discovered that two consecutive synthetic mouse “down” events were incorrectly interpreted by High Sierra as a manual approval.
“For some unknown reason the two synthetic mouse ‘down’ events confuse the system and the OS sees it as a legitimate click,” he said. “This fully breaks a foundational security mechanism of High Sierra.”
The OS translates the two-down sequence as mouse “down” and “up.” Worse, as a result of the translation, the “up” event appears to come directly from the OS, and thus is not filtered out. In other words, it can be abused to interact with High Sierra’s user interface that attempts to prevent the loading of kernel extensions.
Wardle said he found the bug by accident when copying and pasting code.
“I was just kind of goofing around with this feature. I copied and pasted the code for a synthetic mouse down twice accidentally – forgetting to change a value of a flag that would indicate a mouse ‘up’ event. Without realizing my ‘mistake,’ I compiled and ran the code, and honestly was rather surprised when it generated an allowed synthetic click!”
Wardle said this loophole should serve as a wakeup to Apple when it comes to simple oversights undermining otherwise progressive High Sierra security features.
“Two lines of code completely break this security mechanism,” he said. “It is truly mind-boggling that such a trivial attack is successful. I’m almost embarrassed to talk about the bug as it’s so simple — though I’m actually more embarrassed for Apple.”
As Apple’s User Assisted Kernel Extension Loading was only introduced in High Sierra, Wardle pointed out that this vulnerability only impacts Apple’s latest version of macOS.
Moreover, he noted that in Apple’s next version of macOS, Mojave, Apple has chosen to simply block all synthetic events. Though this will generically prevent attacks based on synthetic events, it will also impact applications that legitimately make use of such events.