A researcher has discovered a simple method for bypassing Gatekeeper, the built-in security mechanism in macOS, enabling him to run arbitrary code on a target machine.
The method takes advantage of the fact that macOS will treat network shares and external drives as so-called safe locations for opening files and running applications, and relies on a pair of features in the operating system in order to work. Researcher Filippo Cavallarin developed the bypass and found that he was able to run untrusted code on a remote machine without any type of warning or alert to the user.
Gatekeeper is a feature in macOS that is designed to prevent untrusted or malicious apps from running. It checks for the presence of a valid signature on apps that users attempt to download and run and can be set to allow only apps from the official Apple app store to run on the machine. Gatekeeper has been part of macOS since 2012 and is part of the larger security model for Macs that is meant to protect users by restricting what kind of software can run and where those apps can come from.
Cavallarin found that because Gatekeeper treats external drives and network shares as approved locations from which to open apps, he could create a specially crafted ZIP file with a link to a network share that macOS will automount. Once a victim opens the ZIP archive and follows the link, he’s in territory the attacker controls but Gatekeeper trusts.
“As per-design, Gatekeeper considers both external drives and network shares as safe locations and it allows any application they contain to run. By combining this design with two legitimate features of MacOS X, it will result in the complete deceivement of the intended behaviour,” Cavallarin said in his description of the technique.
“I believe it's a quite serious issue for users since it's pretty common to believe that just opening a zip is not dangerous."
“An attacker crafts a zip file containing a symbolic link to an automount endpoint she/he controls (ex Documents -> /net/evil.com/Documents) and sends it to the victim. The victim downloads the malicious archive, extracts it and follows the symlink. Now the victim is in a location controlled by the attacker but trusted by Gatekeeper, so any attacker-controlled executable can be run without any warning. The way Finder is designed (ex hide .app extensions, hide full path from titlebar) makes this technique very effective and hard to spot.”
A symbolic link is a special file that has a direct path to another file or directory, and Cavallarin said that combining the use of symlinks in a ZIP archive with the way that macOS handles automounts and shares would be quite an effective attack vector. He notified Apple of the issue in February and he said the company responded that it was tracking to fix the problem in a May update. However, Cavallarin said Apple representatives stopped responding to emails soon after the initial notification and a fix was not in the May security update for macOS.
“The first [time] Apple replied to me they asked me for a working proof of concept. I sent them all the infos to reproduce the issue. After a couple of days they replied that they were tracking this issue with a May 15th, 2019 disclosure and asked me to keep it private until they fix it,” Cavallarin said via email.
The attack Cavallarin developed could be particularly dangerous because many people don’t view ZIP archives as potential threats.
“I believe it's a quite serious issue for users since it's pretty common to believe that just opening a zip is not dangerous. Usually people are scared about opening pdfs, doc/xls but they feel safe opening just folders (with default configs zips are extracted automatically after download),” he said.