New Apple Gatekeeper bypass can allow running rouge applications

Patrick Wardle, director of research at Synack has already demonstrated another method, called Apple dylib hijacking, to bypass Apple GateKeeper.

Since the introduction of the Apple Gatekeeper by MAC OSX, many researchers have focused their attention in trying to find flaws affecting it due to bypass Apple security and gain control of a device.

Patrick Wardle, director of research at Synack has already demonstrated another method called Apple dylib hijacking.

Today at Virus Bulletin in Prague, Patrick Wardle will again do another demonstration in how to bypass Gatekeeper, something that he is being working for some time now.

We don’t have many details but Patrick Wardle guaranteed that he shared his findings with Apple and the company is working on a patch to fix the issue.

The method that Patrick Wardle will demonstrate can require some ” re-architecting” of the OS, in order to fully exploit the Apple Gatekeeper.

As you probably know, Apple Gatekeeper runs a number of checks before allowing a App to run, in fact you will not be able to execute code that wasn’t signed by an Apple developer, you will not be able to run apps that weren’t downloaded from Apple’s store if the device is not jailbreaked of course.

What Patrick Wardle says is that the Apple Gatekeeper is falling to check if the app is running or loading other apps, or libraries. If you are able to convince the user into downloading a signed, but infected app from a third-party source, you could load a malicious library into a directory over an insecure HTTP download.

In the tests that Wardle did, he used signed Apple binaries and crafted them for his attack, in order to look like a DMG file, and tricking the user into downloading it. For the user all will look normal since it will look like a traditional app icon, but when executed, the DMG file will search for a malicious executable and run it.

“It’s not super complicated, but it effectively completely bypasses Gatekeeper,” This provides hackers the ability to go back to their old tricks of infecting users via Trojans, rogue AV scams or infect applications on Pirate Bay. More worrisome to me is this would allow more sophisticated adversaries to have network access. Nation states with higher level access, they see insecure downloads, they can swap in this legitimate Apple binary and this malicious binary as well and man-in-the-middle the attack and Gatekeeper won’t protect users from it anymore.” Said Wardle,

Regarding OS versions affected by the Apple GateKeeper Bypass, Wardle believes that all versions, including the new El Capitan are affected, and he run his tests in an El Capitan beta version.

“In my opinion, Gatekeeper is a good idea. Apple touts it as one of the cornerstones of their security posture as why Macs are more secure. But the reality is that sure Gatekeeper can protect naïve users from lame attackers, but sophisticated adversaries, I don’t think Gatekeeper is a stumbling block at all,” .“It’s not really a bug, but a limitation of Gatekeeper. I think fixing this requires significant code changes. It’s not like they can just patch a buffer overflow with an extra check. This will take some significant changes.”

“If the application or dynamic library is from the Internet, let’s check to see if it conforms to the users’ settings, make sure it’s signed or from the App Store. We could do that, and that would generically stop an attack,” Wardle said. “When the Apple trusted executable launches the second executable that is unsigned and untrusted, their runtime hook would detect that. They already have a framework in place where they’re hooking runtime executions and examining things; I think they could extend it further to validate that.”

We can only wait and see what Apple will do with this, since the problem is related with the Apple Gatekeeper core, the way it was design, so does that mean that Apple will redesigned Gatekeeper? Time will tell.

About the Author Elsio Pinto

Elsio Pinto (@high54security) is at the moment the Lead McAfee Security Engineer at Swiss Re, but he also as knowledge in the areas of malware research, forensics, ethical hacking. He had previous experiences in major institutions being the European Parliament one of them. He is a security enthusiast and tries his best to pass his knowledge. He also owns his own blog McAfee Security Engineer at Swiss Re, but he also as knowledge in the areas of malware research, forensics, ethical hacking. He had previous experiences in major institutions being the European Parliament one of them. He is a security enthusiast and tries his best to pass his knowledge. He also owns his own blog McAfee Security Engineer at Swiss Re, but he also as knowledge in the areas of malware research, forensics, ethical hacking. He had previous experiences in major institutions being the European Parliament one of them. He is a security enthusiast and tries his best to pass his knowledge. He also owns his own blog http://high54security.blogspot.com/

Edited by Pierluigi Paganini

(Security Affairs – Apple Gatekeeper, hacking)

Pierluigi Paganini

Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US. Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.