Security Experts:

Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Endpoint Security

macOS Gatekeeper Bypass Exploits Trust on Network Shares

Bypassing macOS’ Gatekeeper by leveraging trust in network shares is a trivial operation, a security researcher has discovered. 

Bypassing macOS’ Gatekeeper by leveraging trust in network shares is a trivial operation, a security researcher has discovered. 

Included in macOS since 2012, the Gatekeeper security protection attempts to prevent malware from running on a Mac by enforcing code signing and verifying downloaded applications before execution.

According to security researchers Filippo Cavallarin, however, one can easily bypass Gatekeeper and execute untrusted code on a system, all without any warning being displayed to the user or their explicit permission being required. 

The issue, the researcher explains, is that Gatekeeper was designed to consider both external drives and network shares as safe locations. Because of that, it will allow any application in these locations to run without asking for the user’s consent.

In order to abuse this design for malicious purposes, an attacker would need to leverage two legitimate features in macOS, namely automount (aka autofs) and the lack of specific checks in the software responsible for decompressing archives. 

The first feature was designed to allow users to automatically mount a network share by accessing a “special” path. Any path beginning with “/net/” (such as /net/evil-attacker.com/sharedfolder/) can be used for the bypass, the researcher says

The second feature allows the inclusion within ZIP archives of symbolic links pointing to arbitrary locations, including automount endpoints. The issue, however, is that the software responsible for decompressing the ZIP files does not perform any check on the symlinks.

Thus, an attack can create a ZIP file containing a symbolic link to an automount endpoint they control and send the archive to the victim. Once the victim downloads the file and follows the symlink, they are taken to a location controlled by the attacker but also trusted by Gatekeeper. 

“So any attacker-controlled executable can be run without any warning. The way Finder is designed (ex. hide .app extensions, hide full path from titlebar) makes this technique very effective and hard to spot,” Cavallarin notes. 

The security researcher has published a video (below) to illustrate how the attack works, as well as proof-of-concept code. 

A workaround to this attack is to disable automount, which can be done by editing /etc/auto_master as root, commenting the line beginning with ‘/net’ and rebooting the machine.

Cavallarin says he contacted Apple on February 22, 2019. The company was supposed to address the security bug on May 15, 2019. 

“Since Apple is aware of my 90 days disclosure deadline, I make this information public,” the researcher wrote. 

Related: macOS Vulnerability Leaks Safari Data

Related: Code Signing Flaw Affects all Mac OS Versions Since 2005

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Expert Insights

Related Content

Application Security

Electric car maker Tesla is using the annual Pwn2Own hacker contest to incentivize security researchers to showcase complex exploit chains that can lead to...

Application Security

Virtualization technology giant VMware on Tuesday shipped urgent updates to fix a trio of security problems in multiple software products, including a virtual machine...

CISO Strategy

Varied viewpoints as related security concepts take on similar traits create substantial confusion among security teams trying to evaluate and purchase security technologies.

Application Security

Password management firm LastPass says the hackers behind an August data breach stole a massive stash of customer data, including password vault data that...

Application Security

Software maker Adobe has rolled out its first batch of security patches for 2023 with fixes for at least 29 security vulnerabilities in a...

Endpoint Security

Today, on January 10, 2023, Windows 7 Extended Security Updates (ESU) and Windows 8.1 have reached their end of support dates.

Application Security

Microsoft on Tuesday pushed a major Windows update to address a security feature bypass already exploited in global ransomware attacks.The operating system update, released...

Application Security

After skipping last month, Adobe returned to its scheduled Patch Tuesday cadence with the release of fixes for at least 38 vulnerabilities in multiple...