Chaining 3 zero-days allowed pen testers to hack Apple macOS computers

Dropbox team disclosed three critical zero-day vulnerabilities in Apple macOS, chaining them it is possible to take over a Mac computer.

Dropbox team disclosed three critical zero-day vulnerabilities (CVE-2017-13890, CVE-2018-4176, CVE-2018-4175) affecting the Apple macOS operating system, an attacker could chain them to remotely execute arbitrary code on a targeted Mac computer.

The attacker only needs to trick victims into visiting a specially crafted website.

The vulnerabilities were discovered by experts at cybersecurity firm Syndis that was hired by Dropbox to carry out a penetration test on the company’s IT infrastructure,

The experts also assessed the Apple software used by Dropbox

The flaws were reported to Apple security team in February and Apple quickly addressed it with the release of March security updates.

The vulnerabilities affected all systems running the latest version of the Safari web browser and operating system.

The CVE-2017-13890 vulnerability was affecting the CoreTypes component of macOS, by processing a maliciously crafted webpage may result in the automatic mounting of a disk image.

The CVE-2018-4176 flaw tied the way Disk Images handled .bundle files, mounting a malicious disk image may result in the launching of an application.

The last vulnerability tracked as CVE-2018-4175 could be exploited to bypass the macOS Gatekeeper security feature using a maliciously crafted application.

The issue allowed to bypass code signing enforcement and execute a modified version of Terminal app leading to arbitrary commands execution.

The experts were able to chain the vulnerabilities to take over a Mac system by tricking a victim into visiting a malicious web page with Safari.

“Syndis was able to chain these together in a two-stage exploit to achieve arbitrary code execution for a user who visits a specially crafted web page with Safari.” reads a blog post published by DropBox.

“The first stage includes a modified version of the Terminal app, which is registered as a handler for a new file extension (.workingpoc). In addition it would contain a blank folder called “test.bundle” which would be set as the default “openfolder” which automatically would open /Applications/Terminal.app without prompt. The second stage includes an unsigned shellscript with the extension “.workingpoc” which is then executed within the running Terminal application without prompt.

Below a video PoC published by DropBox:

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(Security Affairs – macOS, hacking)

[adrotate banner=”5″]

[adrotate banner=”13″]