Since the introduction of the Apple Gatekeeper by MAC OSX, many researchers have focused their attention in trying to find flaws affecting it due to bypass Apple security and gain control of a device.
Patrick Wardle, director of research at Synack has already demonstrated another method called Apple dylib hijacking.
Today at Virus Bulletin in Prague, Patrick Wardle will again do another demonstration in how to bypass Gatekeeper, something that he is being working for some time now.
We don’t have many details but Patrick Wardle guaranteed that he shared his findings with Apple and the company is working on a patch to fix the issue.
The method that Patrick Wardle will demonstrate can require some ” re-architecting” of the OS, in order to fully exploit the Apple Gatekeeper.
As you probably know, Apple Gatekeeper runs a number of checks before allowing a App to run, in fact you will not be able to execute code that wasn’t signed by an Apple developer, you will not be able to run apps that weren’t downloaded from Apple’s store if the device is not jailbreaked of course.
What Patrick Wardle says is that the Apple Gatekeeper is falling to check if the app is running or loading other apps, or libraries. If you are able to convince the user into downloading a signed, but infected app from a third-party source, you could load a malicious library into a directory over an insecure HTTP download.
In the tests that Wardle did, he used signed Apple binaries and crafted them for his attack, in order to look like a DMG file, and tricking the user into downloading it. For the user all will look normal since it will look like a traditional app icon, but when executed, the DMG file will search for a malicious executable and run it.
“It’s not super complicated, but it effectively completely bypasses Gatekeeper,” This provides hackers the ability to go back to their old tricks of infecting users via Trojans, rogue AV scams or infect applications on Pirate Bay. More worrisome to me is this would allow more sophisticated adversaries to have network access. Nation states with higher level access, they see insecure downloads, they can swap in this legitimate Apple binary and this malicious binary as well and man-in-the-middle the attack and Gatekeeper won’t protect users from it anymore.” Said Wardle,
Regarding OS versions affected by the Apple GateKeeper Bypass, Wardle believes that all versions, including the new El Capitan are affected, and he run his tests in an El Capitan beta version.
“In my opinion, Gatekeeper is a good idea. Apple touts it as one of the cornerstones of their security posture as why Macs are more secure. But the reality is that sure Gatekeeper can protect naïve users from lame attackers, but sophisticated adversaries, I don’t think Gatekeeper is a stumbling block at all,” .“It’s not really a bug, but a limitation of Gatekeeper. I think fixing this requires significant code changes. It’s not like they can just patch a buffer overflow with an extra check. This will take some significant changes.”
“If the application or dynamic library is from the Internet, let’s check to see if it conforms to the users’ settings, make sure it’s signed or from the App Store. We could do that, and that would generically stop an attack,” Wardle said. “When the Apple trusted executable launches the second executable that is unsigned and untrusted, their runtime hook would detect that. They already have a framework in place where they’re hooking runtime executions and examining things; I think they could extend it further to validate that.”
We can only wait and see what Apple will do with this, since the problem is related with the Apple Gatekeeper core, the way it was design, so does that mean that Apple will redesigned Gatekeeper? Time will tell.
About the Author Elsio Pinto
Edited by Pierluigi Paganini
(Security Affairs – Apple Gatekeeper, hacking)