macOS Gatekeeper Bypass Exploits Trust on Network Shares
Bypassing macOS’ Gatekeeper by leveraging trust in network shares is a trivial operation, a security researcher has discovered.
Included in macOS since 2012, the Gatekeeper security protection attempts to prevent malware from running on a Mac by enforcing code signing and verifying downloaded applications before execution.
According to security researchers Filippo Cavallarin, however, one can easily bypass Gatekeeper and execute untrusted code on a system, all without any warning being displayed to the user or their explicit permission being required.
The issue, the researcher explains, is that Gatekeeper was designed to consider both external drives and network shares as safe locations. Because of that, it will allow any application in these locations to run without asking for the user’s consent.
In order to abuse this design for malicious purposes, an attacker would need to leverage two legitimate features in macOS, namely automount (aka autofs) and the lack of specific checks in the software responsible for decompressing archives.
The first feature was designed to allow users to automatically mount a network share by accessing a “special” path. Any path beginning with “/net/” (such as /net/evil-attacker.com/sharedfolder/) can be used for the bypass, the researcher says.
The second feature allows the inclusion within ZIP archives of symbolic links pointing to arbitrary locations, including automount endpoints. The issue, however, is that the software responsible for decompressing the ZIP files does not perform any check on the symlinks.
Thus, an attack can create a ZIP file containing a symbolic link to an automount endpoint they control and send the archive to the victim. Once the victim downloads the file and follows the symlink, they are taken to a location controlled by the attacker but also trusted by Gatekeeper.
“So any attacker-controlled executable can be run without any warning. The way Finder is designed (ex. hide .app extensions, hide full path from titlebar) makes this technique very effective and hard to spot,” Cavallarin notes.
The security researcher has published a video (below) to illustrate how the attack works, as well as proof-of-concept code.
A workaround to this attack is to disable automount, which can be done by editing /etc/auto_master as root, commenting the line beginning with ‘/net’ and rebooting the machine.
Cavallarin says he contacted Apple on February 22, 2019. The company was supposed to address the security bug on May 15, 2019.
“Since Apple is aware of my 90 days disclosure deadline, I make this information public,” the researcher wrote.