Application Security , Incident & Breach Response , Managed Detection & Response (MDR)

Researcher Finds New Way Around Apple's Gatekeeper

Gatekeeper Bypass Could Be Used to Deliver Malware
Researcher Finds New Way Around Apple's Gatekeeper
Photo: Thunderclap.io

A security researcher has discovered a way to skirt around an Apple security feature that could be leveraged to trick people into downloading a malicious application.

See Also: AI and ML: Ushering in a new era of network and security

The researcher, Filippo Cavallarin, published details of the issue on his website after giving Apple a 90-day disclosure period. Cavallarin is CEO and chief security researcher at Segment, a cybersecurity company based near Venice, Italy.

The issue concerns Gatekeeper, which is Apple's feature for keeping bad apps off a machine. Gatekeeper, which was launched in 2012 with OSX Mountain Lion, checks if an application has a digital signature from Apple, which means the app is trusted. Untrusted apps are blocked or require more user interaction to run.

Gatekeeper, which is in System Preference under Security & Privacy, brokers what kind of apps can be executed.

Cavallarin's method takes advantage of trust that's built into Gatekeeper. For example, Gatekeeper considers external drives and network shares to be "safe" locations to run apps from, Cavallarin writes.

But this is actually problematic. The automount feature allows a user to mount a network share via any path that starts with /net/, Cavallarin writes. The file path could be written to include a hostile destination, such as this: /net/evil-attacker.com/sharedfolder/.

There's also another legitimate behavior that can also be abused. Cavallarin writes that a zip archive can contain a symbolic link, which is essentially a file path. When the zip archive is unpacked, macOS doesn't check the symbolic links, he writes.

Working Exploit

The exploit would work like this: An attacker sends a zip file to a victim with a symbolic link that leads to an end point the attacker controls. The victim unpacks the archive and follows the link, Cavallarin writes.

"Now the victim is in a location controlled by the attacker but trusted by Gatekeeper, so any attacker-controlled executable can be run without any warning," he writes. "The way Finder is designed (ex hide .app extensions, hide full path from titlebar) makes this technique very effective and hard to spot."

A demonstration of the Gatekeeper exploit that results in a reverse shell

Apple officials contacted in Sydney on Tuesday didn't have an immediate comment. Cavallarin writes he reached out to Apple on Feb. 22 and understood the issue was to be fixed by May 15, "but Apple started dropping my emails."

Cavallarin tells ISMG on June 5 that Apple apologized for not getting back to him and says the bug will be fixed in an upcoming release.

Expert: 'Broader Attack Capabilities'

Gatekeeper bypasses have been found before by Patrick Wardle, a macOS security expert who is co-founder of Digita Security. Wardle has also create a suite of free, specialized tools for macOS on his Objective-See website.

Wardle tells ISMG that Gatekeeper was designed to essentially protect users from themselves, such as if someone downloaded an app that looked legitimate but turned out to be malicious, such as a fake updater or a document.

Patrick Wardle's report

"Being able to bypass Gatekeeper in this scenario definitely opens up some broader attack capabilities and could be used in one such attacks (i.e. tricking users into downloading and running malware)," he says.

Gatekeeper's overly trusting nature has been noted by Wardle, who described how it works in a paper he presented at the Virus Bulletin conference in 2014.

When an app is downloaded from the internet, Gatekeeper attaches a quarantine attribute to it. But there are quite a few scenarios in which that attribute may not be set, posing risks to users.

Mitre's ATT&CK knowledge database summarizes the research around Gatekeeper, including Wardle's: "Apps loaded onto the system from USB flash drive, optical disk, external hard drive, or even from a drive shared over the local network won't set this flag. Additionally, other utilities or events like drive-by downloads don't necessarily set it either. This completely bypasses the built-in Gatekeeper check."


About the Author

Jeremy Kirk

Jeremy Kirk

Executive Editor, Security and Technology, ISMG

Kirk was executive editor for security and technology for Information Security Media Group. Reporting from Sydney, Australia, he created "The Ransomware Files" podcast, which tells the harrowing stories of IT pros who have fought back against ransomware.




Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing bankinfosecurity.com, you agree to our use of cookies.