2019-06-25

A VULNERABILITY in macOS' Gatekeeper tool is being actively exploited out in the wild, though it appears to have only been part of a test by an adware company.

Last month, security researcher Filippo Cavallarin discovered and made public a way to bypass macOS' Gatekeeper function, a security tool that immediately goes to work verifying an app once it has been downloaded, to make sure its code has been signed as legit by Apple.

But Cavallarin found that the way Gatekeeper does this isn't all that secure, as it considers external drives and network shares to be 'safe locations' for apps. That means any app in those locations can be run without its code being checked again.

By tricking a victim into mounting a network share, an attacker can get anything on that share run without Gatekeeper checking it, which effectively opens a macOS machine to malicious apps and code.

Cavallarin explained that the Gatekeeper bypass works by abusing two legitimate features. The first is automount, which lets a user mount a network share automatically by accessing a "special" path, causing macOS to read a folder on a remote host.

The second legit feature is that zip archives can contain symbolic links pointing to an arbitrary location, notably automount locations, and the part of macOS responsible for decompressing zip files won't perform any checks before creating them.

If that's turning your noggin into mush, Cavallarin has an example of how the Gatekeeper bypass could work.

"An attacker crafts a zip file containing a symbolic link to an automount endpoint she/he controls (ex Documents -> /net/evil.com/Documents) and sends it to the victim. The victim downloads the malicious archive, extracts it and follows the symlink," said Cavallarin.

"Now the victim is in a location controlled by the attacker but trusted by Gatekeeper, so any attacker-controlled executable can be run without any warning. The way Finder is designed (ex hide .app extensions, hide full path from titlebar) makes this technique very effective and hard to spot."

Cavallarin noted that he alerted Apple to the problem in February, and Cupertino's code wranglers were meant to have fixed it with macOS 10.14.5. But that doesn't appear to have happened, as security company Intego has discovered an example of it being used.

"Early last week, Intego's malware research team discovered the first known uses of Cavallarin's vulnerability, which seem to have been used—at least at first—as a test in preparation for distributing malware," Intego's chief security analyst Joshua Long explained.

"Although Cavallarin's vulnerability disclosure specifies a .zip compressed archive, the samples analysed by Intego were actually disk image files. It seems that malware makers were experimenting to see whether Cavallarin's vulnerability would work with disk images, too.

"The disk image files were either an ISO 9660 image with a .dmg file name, or an actual Apple Disk Image format .dmg file, depending on the sample. Normally, an ISO image has a .iso or .cdr file name extension, but .dmg (Apple Disk Image) files are much more commonly used to distribute Mac software."

Intego found four examples of such files being uploaded anonymously; one of them seemed to be uploaded by someone in Israel and another from the US, though the security company reckons these files are from a single user trying to mask their location.

As one of the disk image files was signed by an Apple Developer ID, Long said it was evident that it was "the handiwork of the developers of the OSX/Surfbuyer adware".

Long also noted that by the time the disk images were discovered, the network file system (NFS) server hosting the macOS app referenced by the images was no longer online. This would indicate that the whole thing was more of a test of the Gatekeeper bypass than a malicious attack.

But Long said that doesn't rule out the case that the whole thing could have been malicious: "There are a number of clear indicators of foul play. The disk images are disguised as Adobe Flash Player installers, which is one of the most common ways malware creators trick Mac users into installing malware."

Intego alerted Apple to the whole thing, and Tim Cook's crew is apparently in the process of revoking the developer certificate linked to the ID behind the disk images.

Checking for infected Macs on an organisation's network means looking for machines that connected to the IP address 108.168.175.167 over network file system ports between 24 May and 18 June.

"More broadly, if you know that your users should never need to connect to public-facing NFS servers, you can look for indications of recent connections to any non-private IP address on NFS ports, as a means of potentially finding other variations of the attack," said Long.
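As an added example (not from the article or from Intego's report), the hunt Long describes, run over a constructed flow log: it flags connections to the indicator address within the stated window, and any connection to a non-private address on NFS ports. The flow-line format, the port list and the sample addresses are assumptions.

```python
import ipaddress
from datetime import date

# NFS-related ports: rpcbind/portmapper (111) and nfsd (2049); mountd is often
# dynamically assigned, so it is not listed here (assumption, adjust to taste).
NFS_PORTS = {111, 2049}
# Indicator and date window named in the article.
KNOWN_SERVER = ipaddress.ip_address("108.168.175.167")
WINDOW = (date(2019, 5, 24), date(2019, 6, 18))
# "Non-private" here means outside RFC 1918, loopback and link-local ranges.
PRIVATE_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16")]

# Constructed sample records: "date src dst:port proto" (assumed format).
SAMPLE_FLOWS = """\
2019-06-03 10.0.1.15 108.168.175.167:2049 tcp
2019-06-03 10.0.1.15 10.0.0.5:2049 tcp
2019-06-10 10.0.1.22 203.0.113.9:111 udp
2019-06-10 10.0.1.22 203.0.113.9:443 tcp
2019-07-01 10.0.1.30 198.51.100.4:2049 tcp
"""

def is_internal(ip):
    return any(ip in net for net in PRIVATE_NETS)

def parse_flow(line):
    d, src, dst_port, proto = line.split()
    dst, port = dst_port.rsplit(":", 1)
    return date.fromisoformat(d), src, ipaddress.ip_address(dst), int(port), proto

def classify(flow):
    """Label one flow: 'known-indicator', 'external-nfs', or None if benign."""
    d, src, dst, port, proto = flow
    if port not in NFS_PORTS:
        return None
    if dst == KNOWN_SERVER and WINDOW[0] <= d <= WINDOW[1]:
        return "known-indicator"
    if not is_internal(dst):
        return "external-nfs"
    return None

def scan(text):
    """Return [(src, dst, port, label)] for every suspicious flow in the log."""
    findings = []
    for line in filter(str.strip, text.splitlines()):
        flow = parse_flow(line)
        label = classify(flow)
        if label:
            findings.append((flow[1], str(flow[2]), flow[3], label))
    return findings

if __name__ == "__main__":
    for finding in scan(SAMPLE_FLOWS):
        print(*finding)
```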

To mitigate the potential for an attack via the Gatekeeper bypass, network admins can lock down their network to block connections to NFS servers on external IP addresses, particularly where such connections are not needed.

"For home users, unfortunately, there isn't a simple solution for preventing this type of attack, until or unless Apple releases a macOS security update to mitigate the vulnerability," said Long, though he did recommend Cavallarin's temporary mitigation.

So the long and short of it is Apple will need to push out a security update for macOS before dodgy hackers get wind of the Gatekeeper bypass and get cracking at it. µ