AppleInsider reports that a vulnerability first disclosed to Apple three months ago remains unpatched, and now the security researcher who found it has gone public.
Filippo Cavallarin has published details of how the vulnerability enables a user to be tricked into running malicious applications, bypassing the Gatekeeper function in the process.
Gatekeeper is the Apple mechanism that has, since 2012, enforced code-signing checks and verification of downloaded applications before they are allowed to run.
If a user were to download an app outside of the Mac App Store, then Gatekeeper would kick in and prevent it from running without the express consent of the user. In theory anyway.
Cavallarin says that, on macOS 10.14.5 (Mojave) and below, it is possible to “easily bypass Gatekeeper to execute untrusted code without any warning or user’s explicit permission.”
According to Cavallarin, he contacted Apple on February 22, and the vendor is aware of the issue.
It was, he says, “supposed to be addressed, according to the vendor, on May 15, but Apple started dropping my emails.” As a 90-day disclosure deadline, which he says Apple is aware of, has now passed, Cavallarin has made details of the vulnerability public.
How can the vulnerability be exploited?
The vulnerability is a design issue rather than a memory-safety bug. Gatekeeper treats external drives and network shares as “safe locations” and lets the apps they contain run without checks. Two further pieces of macOS behaviour make that trust exploitable: the automount feature, which mounts a network share on demand when a “special” path is accessed, and the fact that a zip archive can contain a symbolic link pointing at such an automount endpoint, which is recreated on extraction without any check on where it leads.

Cavallarin's example attack is an attacker crafting a zip file containing a symbolic link to an automount endpoint under their control and sending it to the victim, who downloads and extracts it and then follows that link. “Now the victim is in a location controlled by the attacker but trusted by Gatekeeper, so any attacker-controlled executable can be run without any warning,” Cavallarin states. There’s a video here that shows the exploit in action.
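The attack chain above hinges on an archive entry that is a symbolic link pointing outside the archive. That is something a receiving side can check for before extraction. The following is an added example, not code from the article or from Cavallarin's write-up: it builds a constructed zip archive containing a symlink entry aimed at an automounter path, then scans it and flags such entries. The /net automount root and the attacker.example host are assumptions; the article only speaks of a “special” path.

```python
import io
import stat
import zipfile

# Prefixes that resolve to locations Gatekeeper treats as trusted: /net is
# macOS's NFS automount root (an assumption here; the article only says
# "special path"), /Volumes is where external drives and mounted shares appear.
AUTOMOUNT_PREFIXES = ("/net/", "/Volumes/")


def make_archive_with_symlink(link_name, target):
    """Build an in-memory zip holding one harmless file plus a symlink entry.

    zipfile has no symlink API. A symlink entry is simply one whose Unix mode
    bits (the high 16 bits of external_attr) say S_IFLNK and whose data is the
    link target. This is the constructed "malicious" archive for the example.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("README.txt", "nothing to see here\n")
        info = zipfile.ZipInfo(link_name)
        info.create_system = 3  # Unix, so extractors honour the mode bits
        info.external_attr = (stat.S_IFLNK | 0o777) << 16
        zf.writestr(info, target)
    return buf.getvalue()


def classify_target(target):
    """Return why a symlink target is suspicious, or None if it stays local."""
    if target.startswith(AUTOMOUNT_PREFIXES):
        return "automount-or-volume"
    if target.startswith("/"):
        return "absolute"
    if ".." in target.split("/"):
        return "traversal"
    return None


def find_suspicious_symlinks(data):
    """Scan zip bytes and return (entry name, target, reason) for every symlink
    entry whose target escapes the extraction directory."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            mode = info.external_attr >> 16
            if not stat.S_ISLNK(mode):
                continue
            # For a symlink entry the stored data is the link target.
            target = zf.read(info).decode("utf-8", "replace")
            reason = classify_target(target)
            if reason is not None:
                hits.append((info.filename, target, reason))
    return hits


if __name__ == "__main__":
    # Placeholder host; the share path is attacker-controlled in the scenario.
    sample = make_archive_with_symlink("Photos", "/net/attacker.example/share")
    for name, target, reason in find_suspicious_symlinks(sample):
        print(f"{name} -> {target} [{reason}]")
```

Running the scanner on an archive before handing it to a graphical extractor is the point: a symlink whose target lands on an automounted share is exactly the entry that turns a downloaded zip into a trusted-location launch. Relative links that stay inside the archive are left alone.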
What is the risk level?
Given that macOS 10.14.5 is itself affected and was only released a couple of weeks ago, there is currently no fixed version to update to: anyone running Mojave, and the many users still on much older versions of macOS, are at risk until Apple ships a patch. “As an attacker, you still need to trick the victim into downloading the malicious payload first,” ethical hacker John Opdenakker told me, “it’s a good reminder though that you always keep your OS patched.”