Monday, May 27, 2019

Gatekeeper Symlink/Automount Bypass

Filippo Cavallarin (Hacker News):

To better understand how this exploit works, let’s consider the following scenario: An attacker crafts a zip file containing a symbolic link to an automount endpoint she/he controls (ex Documents -> /net/ and sends it to the victim. The victim downloads the malicious archive, extracts it and follows the symlink.

Now the victim is in a location controlled by the attacker but trusted by Gatekeeper, so any attacker-controlled executable can be run without any warning. The way Finder is designed (ex hide .app extensions, hide full path from titlebar) makes this tecnique very effective and hard to spot.


The vendor has been contacted on February 22th 2019 and it’s aware of this issue. This issue was supposed to be addressed, according to the vendor, on May 15th 2019 but Apple started dropping my emails. Since Apple is aware of my 90 days disclosure deadline, I make this information public.

Howard Oakley:

These checks are in any case only performed when an app is run via LaunchServices, i.e. the Finder. So a user shouldn’t be able to run an app with a broken signature from a new location using the Finder, but they can run an app with no signature at all, and any malicious script or process can execute code from an app with a broken signature without any signature checks being performed, unless it’s kind enough to ask for them.


Comments RSS · Twitter

Leave a Comment