Researcher Discloses Methods For Bypassing All OS X Security Protections

← Back to Stories (view on slashdot.org)

Researcher Discloses Methods For Bypassing All OS X Security Protections

Posted by samzenpus on Thursday April 23, 2015 @10:30AM from the protect-ya-neck dept.

Trailrunner7 writes: For years, Apple has enjoyed a pretty good reputation among users for the security of its products. That halo has been enhanced by the addition of new security features such as Gatekeeper and XProtect to OS X recently, but one researcher said that all of those protections are simple to bypass and gaining persistence on a Mac as an attacker isn't much of a challenge at all. Gatekeeper is one of the key technologies that Apple uses to prevent malware from running on OS X machines. It gives users the ability to restrict which applications can run on their machines by choosing to only allow apps from the Mac App Store. With that setting in play, only signed, legitimate apps should be able to run on the machine. But Patrick Wardle, director of research at Synack, said that getting around that restriction is trivial. "Gatekeeper doesn't verify an extra content in the apps. So if I can find an Apple-approved app and get it to load external content, when the user runs it, it will bypass Gatekeeper," Wardle said in a talk at the RSA Conference here Thursday. "It only verifies the app bundle. If Macs were totally secure, I wouldn't be here talking," Wardle said. "It's trivial for any attacker to bypass the security tools on Macs."

29 of 130 comments (clear)

Min score:

Reason:

Sort:

Good enough to criticize the mechanisms by Anonymous Coward · 2015-04-23 10:34 · Score: 5, Insightful

But can we have a demo since it is so trivial?
1. Re:Good enough to criticize the mechanisms by LordLimecat · 2015-04-23 14:21 · Score: 4, Informative
  
  Its done every year at Pwn2Own.
2. Re:Good enough to criticize the mechanisms by Anonymous Coward · 2015-04-23 14:21 · Score: 5, Informative
  
  Not sure how to 'demo' this to you guys - but this is exactly how to do it:
  1) Find a Apple-signed or Mac App store binary the contains an *external relative reference* to a dylib. Apple's Instruments.app works great
  2) Create a .dmg or .zip file that contains Instruments.app as well as the external folders/frameworks with the dylibs that app tries to load - these can be unsigned/malicious
  3) Hide the files/folders, and create a top-level icon/alias to Instruments.app. This icon can be anything (e.g. 'Flash Installer'). This makes the download look believable :)
  4) Get users to download this ('free photoshop!' - see OSX/iWorm for an example of Mac user's being dumb) *or* inject this into internet downloads if you have network-level presence. Tons of OS X software is distributed over HTTP :/
  5) Even if the user has Gatekeeper set to 'only allow code from the Mac App Store' when the user runs the download the unsigned dylibs will be loaded and execute. In other words, Gatekeeper fails to do what it was designed to do - prevent MiTM attacks/user's from running unsigned code.
  more technical details here [PDF]: https://www.virusbtn.com/pdf/magazine/2015/vb201503-dylib-hijacking.pdf
3. Re:Good enough to criticize the mechanisms by MachineShedFred · 2015-04-23 14:51 · Score: 3, Interesting
  
  Yeah, my thoughts exactly. And, by the way, how is it a problem with the OS if a signed app has a vulnerability you are exploiting? That sounds like a problem with the app to me.
  "Oh, I can own OS X - I just need to convince Microsoft Outlook to run arbitrary code with privilege elevation!"
  *Yawn*
  
  --
  Slashdot still doesnâ(TM)t support Unicode after it was added to the HTML standard in 1997.
4. Re:Good enough to criticize the mechanisms by Richard_at_work · 2015-04-23 19:21 · Score: 2
  
  Its a problem because the OS isn't checking the entirety of the app for correct signatures, just part of it. Which kinda removes the point of checking at all.
5. Re:Good enough to criticize the mechanisms by AmiMoJo · 2015-04-23 19:49 · Score: 2
  
  The OS is supposed to sandbox apps so that if they do get 0wned the damage is limited and the rest of the OS and apps are not compromised. Apple has attempted to do that on OS X, but clearly it hasn't worked as well as they were hoping. Even if an app get compromised that isn't supposed to let the code take full control of the OS.
  
  --
  const int one = 65536; (Silvermoon, Texture.cs)
  SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
6. Re:Good enough to criticize the mechanisms by azav · 2015-04-24 00:27 · Score: 2
  
  It's, son, it's.
  
  --
  - Zav - Imagine a Beowulf cluster of insensitive clods...
7. Re:Good enough to criticize the mechanisms by jythie · 2015-04-24 00:57 · Score: 2
  
  In this case not really. All he is describing is the first in a chain of requirements, the next one being finding a signed application that can be exploited. Probably doable, but a different (and somewhat duller) problem.
8. Re:Good enough to criticize the mechanisms by jythie · 2015-04-24 01:07 · Score: 2
  
  sandboxing always involves a trade off. Apps do not have full root capabilities, but a compromised app can still do damage within its range, which unfortunately is the range of what people want apps to be doing.
9. Re:Good enough to criticize the mechanisms by macs4all · 2015-04-24 03:21 · Score: 3, Informative
  
  4) Get users to download this ('free photoshop!' - see OSX/iWorm for an example of Mac user's being dumb) *or* inject this into internet downloads if you have network-level presence. Tons of OS X software is distributed over HTTP :/
  so, again, like every other OS X exploit, this depends solely on Social Networking to propagate.
  
  So, IOW, after about 100 or so Macs worldwide get infected, whatever package was responsible for spreading malware via this method would be added to Apple's malware list, be pushed out automatically to all users of OS X, and, like those infrequent times before, that would be that...
  
  Then, Apple simply adds checking of DyLibs and other add-ons to OS X, and closes this hokey forever. Problem solved!
  
  So, thanks to the black hat who brought this exploit to Apple's attention; so that they can take care of it.
10. Re:Good enough to criticize the mechanisms by macs4all · 2015-04-24 03:30 · Score: 2
  
  No apostrophe on a plural, Sparky.
  In fact, there is.
  
  In the plural form of the possessive, the apostrophe comes AFTER the pluralization; e.g., "users' ".
root = same process by jbolden · 2015-04-23 10:46 · Score: 5, Informative

And using the same logic I can get root on any Unix box.
1) Find an application that has root
2) Get it to load external content
3) The new content bypasses all the protections on the box.
Gatekeeper prevents downloaded applications that are untrusted from accidentally being run. It doesn't prevent trusted applications from doing anything.
1. Re:root = same process by SuperBanana · 2015-04-23 10:56 · Score: 4, Insightful
  
  Gatekeeper also isn't "all MacOS X security". There's separate malware detection, and in order to do much of anything the user has to enter their computer account password.
  It's a minor part of OS X security, mostly designed to keep casual users from installing stuff outside the apple store.
  
  --
  Please help metamoderate.
2. Re:root = same process by dottrap · 2015-04-23 11:07 · Score: 4, Informative
  
  Gatekeeper prevents downloaded applications that are untrusted from accidentally being run. It doesn't prevent trusted applications from doing anything.
  Exactly. Mod parent up.
  And this is a *good* thing.
  Apple has a separate sandboxing and entitlements system for more security. Apple makes apps distributed on the Mac App Store enable sandboxing. But for those apps (usually tools) that can't work within the limitations of the sandbox, developers can still ship outside the Mac App Store and do whatever they want. Code signing for GateKeeper is merely a trust checkbox that it is unlikely the vendor is doing anything really malicious or Apple would revoke their certificate and possibly pursue legal/criminal action for really nefarious activities since Apple gets a paper trail to hunt you down with as part of the process of getting a key to sign with.
  If everything was locked down in the name of security, we would be denied all sorts of useful things.
3. Re:root = same process by tlambert · 2015-04-23 13:43 · Score: 5, Informative
  
  Gatekeeper also isn't "all MacOS X security". There's separate malware detection, and in order to do much of anything the user has to enter their computer account password.
  It's a minor part of OS X security, mostly designed to keep casual users from installing stuff outside the apple store.
  Yes.
  There's also Mandatory Access Controls (MAC Framework) in the kernel itself, and there's BSM secure auditing in the kernel itself, and there's discretionary access controls, such as standard UNIX permissions, and there's POSIX.1e draft (it was never ratified as a standard) ACLs, and then there's whatever malware detection or antivirus protection you've jammed into the kernel as a MAC module via a KEXT, and in the absence of any access controls whatsoever, it's default deny, and then there's code signing, and encrypted pages within executables.
  They didn't bypass any of that, and they wouldn't really be able to, even if they were root, because you can't get the Mac port for the kernel virtual address space without jumping through a massive number of hoops (which is why jailbreaking phones is non-trivial, and everyone uses script kiddy tools to do it, instead of jailbreaking from scratch).
  And yeah, it's pretty stupid that Gatekeeper or anything else would be running as root and thus be exploitable with the escalated privilege available at install time, since it'd be pretty easy to just have it run as a role-based account, and have the kernel's cooperation, after cryptographic verification of the developer keys at the kernel level. But that doesn't let you bypass "All OS X Security": getting root doesn't really get you nearly 1/10th of the security bypassed (less, if you've installed third party anti-malware KEXTs that refuse to be unloaded except in single user mode during boot as part of an uninstall script, and are therefore always active).
  They clearly do not understand the concept of "security in depth".
Worse than the summary by Sowelu · 2015-04-23 10:49 · Score: 5, Insightful

The summary made it sound like "wow, if a program runs arbitrary code, then arbitrary code might run" which is kind of...tautological. But the article has other goodies, like "the security check to keep dangerous code out of the kernel...runs with user permissions", and "code signing only rejects an app if it has an untrusted signature, but lets it through if it has no signature".
1. Re:Worse than the summary by gwolf · 2015-04-23 11:01 · Score: 3
  
  Ugh, quick, messy fingers. I wanted to mod this "Insightful". Clicked on "redundant".
  So, posting to undo my bad deed. I could just comment "yeah, you're right" and be less publicly embarassed... But I deserve the shame :-P
Re:Clickbait by CauseBy · 2015-04-23 11:14 · Score: 3, Insightful

Yeah it really is stupid. Is he saying "If you let me run malicious code on your computer, then I can run malicious code on your computer"? That's what it sounds like to me.
As far as I've ever heard, it is theoretically impossible to stop that kind of attack. If a user runs your code, then yeah, duh, your code can do whatever. I don't think that counts as a security vulterability.
Re:Seems to not understand how it works by Em+Adespoton · 2015-04-23 11:21 · Score: 4, Informative

The clueless meter went off the charts for me at "by the addition of new security features such as Gatekeeper and XProtect to OS X recently" -- XProtect has been around since mid-10.6, and Gatekeeper is just a wrapper around XProtect.
The actual Synack presentation is better (I saw the precursor at CSW): "Gatekeeper doesn't verify an extra content in the apps. So if I can find an Apple-approved app and get it to load external content, when the user runs it, it will bypass Gatekeeper," is the real security flaw here. CSW had a good presentation on how to do this leveraging dylibs. With a simple exploit dropping a crafted dylib, you can run any code you can force the user to download via drive-by as root. And it's persistent, without adding a bunch of extra junk to the target system.
That said, this method still relies on working exploits (or more often, patched torrents of popular software). The skill level to pull off the entire attack chain is fairly high too -- you're going to see governments and organized crime using these techniques, not your average bot herder.
Re:Clickbait by peragrin · 2015-04-23 11:23 · Score: 3, Insightful

Not quite it is more if you have a good approved app and If that app has a security flaw, you can use that flaw to hijack the OS.
Still it seems stupid. It is like saying you have permission to run scripts you can run a malicious script.

--
i thought once I was found, but it was only a dream.
Re:Clickbait by arglebargle_xiv · 2015-04-23 11:29 · Score: 4, Funny

It does sound and awful lot like the notorious MS07-052: Code execution results in code execution
.
Is it trivial to have an app with extra baggage? by Wild_dog! · 2015-04-23 13:25 · Score: 2

Seems like placing an application in the app store that has this "Extra Content" might be a bit problematic.
Perhaps not, but has there been any apps from the Mac App store with extra code to side load a program onto a Mac?
Hi I'm Patrick by Anonymous Coward · 2015-04-23 14:10 · Score: 5, Informative

Aloha - hopefully this provides some more context and technical insight into my 'claims.' I'm honestly not trying to overhype everything and feel I have a decent understanding how computers/malware/exploits work -thanks to my time at the NSA ;). My goal is simply to show that Apple's built-in security mechanisms are trivial to bypass by malware/local attackers.
1) So yes, Gatekeeper is designed to only allow downloaded code to execute if its signed, or from the Mac App Store. This prevents a lot of attacks, such as user's infecting themselves with trojans, or downloads that have been modified in transit (e.g. by a remote attacker w/ some network level access). The technique I described (full technical details here: https://www.virusbtn.com/pdf/magazine/2015/vb201503-dylib-hijacking.pdf), allows anybody to inject unsigned code into internet downloads. Then, even if the user has set Gatekeeper to only allow code from the Mac App Store, the unsigned code is allowed to run. Since most (e.g. all OS X AV security products and about 2/3 of the apps in my dock) OS X software is distributed via HTTP and/or user's are dumb and download all sorts of shady code - IMHO, this bypass is a problem. Yes, I understand the user still has to run the code - my point is that we can completely bypass Gatekeeper.
2) In OS X, kernel extensions must be signed. The techniques I described are known (see: https://reverse.put.as/2013/11/23/breaking-os-x-signed-kernel-extensions-with-a-nop/), but allow any unsigned kernel extension to be loaded, even on Yosemite.
3) I also showed the Apple blotched the rootpipe patch, meaning any local user can priv-esc to get r00t, even on fully patched OS X 10.10.3 or 10.10.4 beta (video of poc: https://vimeo.com/125345793).
4) XProtect (Apple's built in AV product) is signature-based, thus can be trivial bypassed. Yes this is obvious.
1. Re:Hi I'm Patrick by GrahamCox · 2015-04-23 14:46 · Score: 2
  
  allows anybody to inject unsigned code into internet downloads. Then, even if the user has set Gatekeeper to only allow code from the Mac App Store, the unsigned code is allowed to run
  
  Wrong. Anyone can inject code into any data stream trivially. It's getting it to run that's the tricky part. How exactly are you going to do that? If the code that's performing the download is in on the plot, then fine, but a) you would have to get that code past the App Store review, and b) you would have to expect Apple to revoke your signature with maximum prejudice the moment you were caught, and c) you would still have to work around the sandboxing all App Store apps require to do anything truly nasty. Getting an innocent app to run the injected code is another option, but that's back to requiring some other known exploit, such as a buffer overrun.
  
  The short answer is: injecting the code isn't the problem, getting it to run undetected is.
2. Re:Hi I'm Patrick by Anonymous Coward · 2015-04-23 15:30 · Score: 4, Informative
  
  The injection attack scenario I envision is where an remote attacker (with network level presence) can inject code into user's legitimate downloads. Like when I go download Wireshark, MS Word, Adium, or most OS X security product (all over HTTP) - attacker MiTM's this. The key point here is that the user is going to run what they download (which is now infected). The main point is, Gatekeeper is designed to and should block such modifications/injections - that is to say (Gatekeeper) shouldn't allow infected downloads w/ unsigned code to run. That's all i'm claiming - Gatekeeper's checks can be bypassed. Also i specified 'internet downloads' since this doesn't impact content downloaded directly from the Mac App Store (this is separately verified).
3. Re:Hi I'm Patrick by benjymouse · 2015-04-23 17:41 · Score: 2
  
  1) Are you saying that the signature does not cover the entire download, and that an attacker could supplement or exchange content of the download without invalidating the signature, and have the injected code execute when the user starts the app?
  2) Sounds bad.
  3) Sounds bad
  4) That a signature-based AV engine is only effective when attacks have been reported, analysed and a has been signature developed is bloody obvious. All an AV engines is good for is herd immunity. Which is sorta ok, except that they are peddled as the most important security product *you* can use. Some AV engines more advanced than XProtect use heuristics (or se they claim) but I have to admit that I am *really* sceptical about the claims of the effectiveness.
  
  --
  Reading slashdot one-liner: (irm http://rss.slashdot.org/Slashdot/slashdot).rdf.item | fl title,desc*
4. Re:Hi I'm Patrick by Anonymous Coward · 2015-04-23 18:03 · Score: 5, Informative
  
  1) Yes - exactly :) The .dmg or .zip isn't wholly signed. When the user clicks the application, only it's signature is verified (so we can't modify it/it's bundle in anyway). However, if the application attempts to load external relative content, such as dylibs (outside it's bundle, but still on the .dmg), *that* content is not verified. So an attacker can inject a legit/vulnerable app + external .dylibs into any insecure (HTTP) internet download - or host such a malicious .dmg/.zip. Of course, we'll make the .dmg/.zip look totally legit, since we can hide files/folders, set a top-level alias/icon/background etc.
  
  2) Agreed
  
  3) Agreed
  
  4) Agreed - I wrote a simple p.o.c. malware that generically bypassed all (popular) 3rd-party OS X security tools (AV, Firewall tools, etc) - even though it did common malware 'things' like persist, exfil data, download/execute commands. Your skepticism of their claims/effectiveness seem right on :/
Re: Clickbait by arglebargle_xiv · 2015-04-23 15:54 · Score: 3, Interesting

Allowing unsigned code into the app bundle changes the app bundle and makes the signature invalid. That's how signatures work. The idea here is that a legitimately signed and installed app can then execute code outside the app bundle which will run without additional controls in place.
It depends. If you can add metadata to the bundle without it being detected (a problem that has cropped up with Linux repositories several times) then this is a genuine vuln. If OTOH it's something like "If you install a Python interpreter then you can use that to run arbitrary code that isn't validated by Gatekeeper" then it's a "Code execution results in code execution" issue. In the great tradition of journalists everywhere, the ThreatPost article never provided any links to any original material, so all we have is the writer's interpretation of what's actually going on,
Assuming the previous reply was by the guy who gave the talk, is it online anywhere?
Re:Clickbait by jythie · 2015-04-24 01:09 · Score: 2

Yeah, it is only a little better then 'if I have physical access I can change things, so the machine is insecure!'