An unpatched macOS vulnerability lets malware completely bypass Gatekeeper security

An unpatched vulnerability in macOS Mojave permits attackers to completely bypass the Gatekeeper security feature. Apple was first informed about the flaw on February 22, but last week’s macOS 10.14.5 update hasn’t fixed the vulnerability even though it was supposed to.

Gatekeeper is a security feature of macOS that enforces code signing and verifies downloaded apps before you open them, which reduces the likelihood of inadvertently executing malware.

According to security researcher Filippo Cavallarin, who discovered the oversight and reported it to Apple (via AppleInsider), a rogue app would exploit the fact that Gatekeeper considers both external drives and network shares to be “safe locations.” As a result, any app executed from these locations will run without Gatekeeper’s intervention.

Here’s a video showing the proof of concept in action.

By combining this Gatekeeper design with a pair of legitimate features in macOS, a rogue party could completely alter the intended behavior of Gatekeeper, the researcher cautioned.

Okay, what are the two legit features?

The first legit feature is automount (also known as autofs) that lets you automatically mount a network share by accessing a special path—in this case, any path beginning with ‘/net/’. The second legit feature is that ZIP archives can contain symbolic links pointing to an arbitrary location (including ‘automount’ endpoints) and that macOS’s unarchiver doesn’t perform any check on the symlinks before creating them.

How about an illustrative example of how this exploit actually works?

Let’s consider the following scenario: an attacker crafts a ZIP file containing a symbolic link to an automount endpoint they control (for example, Documents -> /net/evil.com/Documents) and sends it to the victim. The victim downloads the malicious archive, extracts it and follows the symlink.

This is terrible: most people can’t distinguish symlinks from real files.

Now the victim is in a location controlled by the attacker but trusted by Gatekeeper, so any attacker-controlled executable can run without any warning. The way the Finder is designed to hide app extensions and the full file path in window titlebars makes this technique very effective and hard to spot.
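As an added example (not from the article or from Cavallarin’s research), here is a Python check a defender could run on a downloaded archive before extracting it: it lists the ZIP entries flagged as Unix symlinks and warns when a target points at an automount path under /net/ or an external volume under /Volumes/. The archive it inspects is a constructed in-memory fixture, and the prefix list is an assumption.

```python
import io
import stat
import zipfile

# Prefixes that resolve to locations Gatekeeper treats as "safe":
# automount endpoints under /net/ and external drives under /Volumes/.
# Assumption: these are the locations the article describes; extend as needed.
SUSPICIOUS_PREFIXES = ("/net/", "/Volumes/")


def zip_symlinks(data: bytes):
    """Yield (name, target) for every symlink entry in a ZIP byte string.

    Unix symlinks in a ZIP are marked in the high 16 bits of external_attr
    (the st_mode field); the entry body holds the link target path.
    """
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            mode = info.external_attr >> 16
            if stat.S_ISLNK(mode):
                yield info.filename, zf.read(info).decode("utf-8", "replace")


def find_automount_symlinks(data: bytes):
    """Return symlink entries whose target starts with a trusted-location prefix."""
    return [
        (name, target)
        for name, target in zip_symlinks(data)
        if target.startswith(SUSPICIOUS_PREFIXES)
    ]


def build_sample_archive() -> bytes:
    """Constructed test fixture (not a real sample): one ordinary file plus a
    symlink named 'Documents' pointing at a placeholder automount path,
    mirroring the pattern the article describes."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("README.txt", "harmless text file\n")
        link = zipfile.ZipInfo("Documents")
        link.create_system = 3  # 3 = Unix, so external_attr carries st_mode
        link.external_attr = (stat.S_IFLNK | 0o777) << 16
        zf.writestr(link, "/net/example.invalid/Documents")
    return buf.getvalue()


if __name__ == "__main__":
    for name, target in find_automount_symlinks(build_sample_archive()):
        print(f"WARNING: symlink {name!r} -> {target!r} resolves to a Gatekeeper-trusted location")
```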

Cavallarin says Apple stopped responding to his emails after being alerted of the issue on February 22, 2019. “Since Apple is aware of my 90 days disclosure deadline, I make this information public,” he wrote on his blog.

No fix is available as of yet.

Apple will almost certainly fix this flaw in the next update. Until then, a possible workaround is to disable the “automount” feature according to the instructions provided at the bottom of Cavallarin’s blog post.

Have you been affected by this vulnerability?

If so, we’d like to hear your thoughts in the comments!