Tuesday, September 26, 2017

Mac Keychain Vulnerability

Patrick Wardle (via Juli Clover):

on High Sierra (unsigned) apps can programmatically dump & exfil keychain (w/ your plaintext passwords)🍎🙈😭 vid #smh

other versions of macOS are vulnerable too ☠️😡 Not sure what🍎 is thinking 😭😭😭

Thomas Fox-Brewster:

If turned truly malicious, Wardle’s keychain exploit would likely be the second-stage of an attack, on top of an initial hack that would run rogue code on an Apple machine. He claimed it wasn’t hard to get malicious code running on a Mac today. Indeed, he’s repeatedly shown how to execute attacks on Apple’s operating system in recent years, and earlier this month highlighted problems in macOS High Sierra’s “Secure Kernel Extension Loading” (SKEL) feature, which was designed to require user approval before third-party code ran at the kernel level of the operating system. Wardle showcased an attack on an unpatched and previously-unknown vulnerability (i.e. a “zero-day”) that bypassed SKEL security.

“Most attacks we see today involve social engineering and seem to be successful targeting Mac users,” he added. “I’m not going to say the [keychain] exploit is elegant - but it does the job, doesn’t require root and is 100% successful.”

Roman Loyola:

Apple has released a statement on the issue:

macOS is designed to be secure by default, and Gatekeeper warns users against installing unsigned apps, like the one shown in this proof of concept, and prevents them from launching the app without explicit approval. We encourage users to download software only from trusted sources like the Mac App Store, and to pay careful attention to security dialogs that macOS presents.

This is a rather disingenuous response because Wardle specifically reported that the vulnerability equally affects signed apps.

Update (2017-09-27): Nick Heer:

Users are inundated with dialog boxes and security warnings — surely Apple knows that very few people actually read them. And, again, I stress that this malware could be attached to a totally legitimate signed app. Apple could invalidate the developer’s certificate if something like this were to be discovered in the wild, but that doesn’t mean that the security issue doesn’t exist.

Thomas Reed:

It’s important to understand that the idea that people should wait to install High Sierra because of this bug is a very bad one, for multiple reasons.

Update (2017-10-06): macOS High Sierra 10.13 Supplemental Update:

Impact: A malicious application can extract keychain passwords

Description: A method existed for applications to bypass the keychain access prompt with a synthetic click. This was addressed by requiring the user password when prompting for keychain access.

CVE-2017-7150: Patrick Wardle of Synack
