«
»

Unpatched macOS Mojave Vulnerability Exposed…. And Apple Hasn’t Fixed It…WTF?

There’s a new macOS Mojave vulnerability that has been disclosed. The vulnerability is that there is a way to bypass the Gatekeeper security functionality of macOS. Filippo Cavallarin has publicized this vulnerability today after the 90 day window that Apple had to fix it expired. Here’s the details:

The first legit feature is automount (aka autofs) that allows a user to automatically mount a network share just by accessing a “special” path, in this case, any path beginning with “/net/”.

For example ‘ls /net/evil-attacker.com/sharedfolder/’ will make the os read the content of the ‘sharedfolder’ on the remote host (evil-attacker.com) using NFS.

The second legit feature is that zip archives can contain symbolic links pointing to an arbitrary location (including automount enpoints) and that the software on MacOS that is responsable to decompress zip files do not perform any check on the symlinks before creatig them.

Here’s an example of how this would work:

To better understand how this exploit works, let’s consider the following scenario: An attacker crafts a zip file containing a symbolic link to an automount endpoint she/he controls (ex Documents -> /net/evil.com/Documents) and sends it to the victim.

The victim downloads the malicious archive, extracts it and follows the symlink.

Now the victim is in a location controlled by the attacker but trusted by Gatekeeper, so any attacker-controlled executable can be run without any warning. The way Finder is designed (ex hide .app extensions, hide full path from titlebar) makes this tecnique very effective and hard to spot.

And there’s a video showing the exploit in action:

At this point the vulnerability is unpatched in macOS Mojave 10.14.5. What’s worse is Cavallarin says Apple has stopped responding to his emails. Which is shameful on Apple’s part. For a company who claims to want to protect their users, you would expect better from them.

This entry was posted on May 25, 2019 at 6:12 pm and is filed under Commentary with tags . You can follow any responses to this entry through the RSS 2.0 feed. You can leave a response, or trackback from your own site.

3 Responses to “Unpatched macOS Mojave Vulnerability Exposed…. And Apple Hasn’t Fixed It…WTF?”

  1. Another Unpatched Vulnerablity Exists In macOS Mojave | The IT Nerd Says:
    June 3, 2019 at 11:55 am

    […] off the heels of this vulnerability that Apple hasn’t seen fit to fix comes another one that I would rate as dangerous and is […]

    Reply
  2. Shapla.co.kr Says:
    June 21, 2019 at 6:57 am

    Shapla.co.kr

    Unpatched macOS Mojave Vulnerability Exposed…. And Apple Hasn’t Fixed It…WTF? | The IT Nerd

    Reply
  3. Unpatched macOS Mojave Vulnerability Now Being Exploited In The Wild | The IT Nerd Says:
    June 25, 2019 at 9:38 am

    […] might recall that I told you about a macOS Mojave vulnerability in which there is a way to bypass the Gatekeeper security functionality of macOS. And what’s […]

    Reply

Leave a Reply

Discover more from The IT Nerd

Subscribe now to keep reading and get access to the full archive.

Continue reading