Friday, December 16, 2016

“Untranslocating” an App

Patrick Wardle:

So, now imagine an attacker has found an legitimate signed application that attempts to load or execute some relatively external content (i.e outside it’s app bundle, but within the same download package). In the past, they could use this to bypass Gatekeeper as such external content was not verified. Now however, when the user double-clicks the application to execute it, the OS intercepts this, and will create a read-only DMG image on the fly for the application bundle, and only the application bundle. This translocated copy is then executed. Here in this new location, it will not be able find the unverified external content (as it was not copied over), and thus the attack fails.

[…]

As a security researcher/hacker, I must give a lot of kudos to Apple for (finally) fixing the underlying issue in comprehensive manner. However as developer, f**kkkkk this broke a lot of stuff.

[…]

With this information the translocated application can programmatically both remove the quarantine attribute and then re-execute the original instance of the application (e.g. in ~/Downloads). The net result of this is that the App Translocation is ‘undone’ and the application is transparently executed from its original location on a writeable filesystem.

However, this is not safe for apps that actually use external resources because it undoes the protection that App Translocation provides.

Previously: Gatekeeper Path Randomization.

Update (2016-12-19): Despite finding Wardle’s technique interesting, I should note that I agree with Apple’s recommendation to use signed disk images, which DropDMG can help you create.

Comments RSS · Twitter

Leave a Comment