Chaining 3 zero-days allowed pen testers to hack Apple macOS computers

Dropbox team disclosed three critical zero-day vulnerabilities in Apple macOS, chaining them it is possible to take over a Mac computer.

Dropbox team disclosed three critical zero-day vulnerabilities (CVE-2017-13890, CVE-2018-4176, CVE-2018-4175) affecting the Apple macOS operating system, an attacker could chain them to remotely execute arbitrary code on a targeted Mac computer.

The attacker only needs to trick victims into visiting a specially crafted website.

The vulnerabilities were discovered by experts at cybersecurity firm Syndis that was hired by Dropbox to carry out a penetration test on the company’s IT infrastructure,

The experts also assessed the Apple software used by Dropbox

The flaws were reported to Apple security team in February and Apple quickly addressed it with the release of March security updates.

The vulnerabilities affected all systems running the latest version of the Safari web browser and operating system.

The CVE-2017-13890 vulnerability was affecting the CoreTypes component of macOS, by processing a maliciously crafted webpage may result in the automatic mounting of a disk image.

The CVE-2018-4176 flaw tied the way Disk Images handled .bundle files, mounting a malicious disk image may result in the launching of an application.

The last vulnerability tracked as CVE-2018-4175 could be exploited to bypass the macOS Gatekeeper security feature using a maliciously crafted application.

The issue allowed to bypass code signing enforcement and execute a modified version of Terminal app leading to arbitrary commands execution.

The experts were able to chain the vulnerabilities to take over a Mac system by tricking a victim into visiting a malicious web page with Safari.

“Syndis was able to chain these together in a two-stage exploit to achieve arbitrary code execution for a user who visits a specially crafted web page with Safari.” reads a blog post published by DropBox.

“The first stage includes a modified version of the Terminal app, which is registered as a handler for a new file extension (.workingpoc). In addition it would contain a blank folder called “test.bundle” which would be set as the default “openfolder” which automatically would open /Applications/Terminal.app without prompt. The second stage includes an unsigned shellscript with the extension “.workingpoc” which is then executed within the running Terminal application without prompt.

Below a video PoC published by DropBox:

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(Securi ty Affairs – macOS, hacking)

[adrotate banner=”5″]

[adrotate banner=”13″]

Pierluigi Paganini

Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US. Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.