Critical OS X flaw could be exploited to steal data from Keychain

Security researchers at MalwareBytes have discovered a new variant of an adware installer that is leveraging an old trick to access the Keychain on MAC OS X

In July, researchers at Malwarebytes have identified a local privilege escalation (LPE) vulnerability in the Mac OS X operating system. The experts discovered that the flaw in OS X was exploited in the wild by an installer for the Genieo and VSearch adware.

The crooks also installed MacKeeper and directed victims to the Apple App Store page of a file downloader dubbed Download Shuttle.

Despite Apple fixed the flaw on August 13 with the release of OS X Yosemite 10.10.5, a new version of the installer was discovered once again by experts at Malwarebytes reported seeing a new version of the previously analyzed installer. This time the new installer asks users to enter their admin password, after which it performs exactly the same operation of the first variant.

The researchers also another singular trick implemented by the installer, once executed it throws an installer request that asks for permission to access the user’s OS X keychain.

The principal problem related to this hack is the access to the Mac OS X Keychain which is the password management system that is used to store sensitive information and user credentials.

The experts highlighted that the adware could be improved to access users’ iCloud passwords and any other information stored in the keychain.

The identity management company MyKi also disclosed a method to hack the Keychain, its researchers also developed a proof-of-concept (PoC) exploit that can steal passwords from the Keychain and sends them to the attacker via SMS.

CSOonline published an interesting post on the topic, in particular, it reported further details on the attack provided by the researchers from the MyKi company.

A reader asked if this affected iOS as well as OSX. Jebara, one of the researchers confirmed that in the case the user opted for the iCloud Keychain, “then all passwords saved on the iOS device will also be extracted by the exploit. But the exploit will only execute on a OSX device meaning that it can only be run from a Mac.”

As for attack vectors, Jebara said that the following come to mind:

• Direct Attack: Attacker that knows victim sends malicious file via email or something similar
• P2P Attack: Attacker embeds payload in torrent file and distributes it
• Website Post: Share on social media disguised as an intriguing article

Relatively elaborate potential vectors:

• Intercept user download from website X via MITM, append payload to download and redirect download to user.
• Get a low privilege shell on user computer (root privilege not needed) and execute payload.

 Pierluigi Paganini

(Security Affairs – KeyChain, Mac OS X)