macOS Gatekeeper Bypass Exploits Trust on Network Shares

Bypassing macOS’ Gatekeeper by leveraging trust in network shares is a trivial operation, a security researcher has discovered. 


Included in macOS since 2012, the Gatekeeper security protection attempts to prevent malware from running on a Mac by enforcing code signing and verifying downloaded applications before execution.


According to security researcher Filippo Cavallarin, however, one can easily bypass Gatekeeper and execute untrusted code on a system, all without any warning being displayed to the user or their explicit permission being required.


The issue, the researcher explains, is that Gatekeeper was designed to consider both external drives and network shares as safe locations. Because of that, it will allow any application in these locations to run without asking for the user’s consent.


In order to abuse this design for malicious purposes, an attacker would need to leverage two legitimate features in macOS, namely automount (aka autofs) and the lack of specific checks in the software responsible for decompressing archives. 


The first feature was designed to allow users to automatically mount a network share by accessing a "special" path. Any path beginning with "/net/" (such as /net/evil-attacker.com/sharedfolder/) can be used for the bypass, the researcher says.


The second feature allows the inclusion within ZIP archives of symbolic links pointing to arbitrary locations, including automount endpoints. The issue, however, is that the software responsible for decompressing the ZIP files does not perform any check on the symlinks.


Thus, an attacker can create a ZIP file containing a symbolic link to an automount endpoint they control and send the archive to the victim. Once the victim downloads the file and follows the symlink, they are taken to a loc ..
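The missing check the article describes is one an archive inspector could perform before extraction: list every symlink entry in a ZIP and flag targets that are absolute, that traverse upward, or that point under an automount prefix such as /net/. The following Python is an added illustration written for this page, not code from the researcher or from Apple; the archive it scans is a constructed in-memory fixture, and the hostname and prefix list are assumptions chosen for the example.

```python
import io
import stat
import zipfile
from typing import List, Tuple

# Assumed prefixes a defender would treat as untrusted link targets:
# /net/ is the automount (autofs) path named in the article, /Volumes/
# is where macOS mounts external drives.
SUSPICIOUS_PREFIXES = ("/net/", "/Volumes/")


def make_sample_archive() -> bytes:
    """Constructed fixture: one regular file plus one symlink entry whose
    target is an automount path (example.invalid is a reserved name)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("readme.txt", "hello\n")
        link = zipfile.ZipInfo("Installer.app")
        # Unix-style ZIP tools store the file mode in the high 16 bits of
        # external_attr; S_IFLNK marks the entry as a symbolic link and the
        # entry body holds the link target.
        link.external_attr = (stat.S_IFLNK | 0o777) << 16
        zf.writestr(link, "/net/example.invalid/share/app")
    return buf.getvalue()


def make_benign_archive() -> bytes:
    """Constructed fixture with a relative symlink inside the archive."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("docs/readme.txt", "hello\n")
        link = zipfile.ZipInfo("docs/latest")
        link.external_attr = (stat.S_IFLNK | 0o777) << 16
        zf.writestr(link, "readme.txt")
    return buf.getvalue()


def find_symlinks(data: bytes) -> List[Tuple[str, str]]:
    """Return (entry name, link target) for every symlink entry in the ZIP."""
    found = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            mode = info.external_attr >> 16
            if stat.S_ISLNK(mode):
                target = zf.read(info).decode("utf-8", "replace")
                found.append((info.filename, target))
    return found


def is_suspicious_target(target: str) -> bool:
    """Flag absolute targets, automount/volume prefixes, and '..' traversal."""
    if target.startswith(SUSPICIOUS_PREFIXES):
        return True
    if target.startswith("/"):
        return True
    return ".." in target.split("/")


def scan_archive(data: bytes) -> List[str]:
    """Human-readable findings for every symlink that escapes the archive."""
    return [
        f"{name} -> {target}"
        for name, target in find_symlinks(data)
        if is_suspicious_target(target)
    ]


if __name__ == "__main__":
    for label, blob in (("sample", make_sample_archive()),
                        ("benign", make_benign_archive())):
        print(label, scan_archive(blob) or "no suspicious symlinks")
```

The scan reads only the central directory and the small link bodies, so it can run on a download before any entry is written to disk; a relative link that stays inside the archive is left alone, while one pointing at /net/ or any absolute path is reported.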
