Gatekeeper bug in MacOS Mojave allows malware to execute

Summary 

Researcher recently uncover bug in the macOS security feature Gatekeeper that allows malicious code execution on systems running the most recent version of Mojave (10.14.0) release. Included in macOS since 2012, the Gatekeeper security protection attempts to prevent malware from running on a Mac by enforcing code signing and verifying downloaded applications before execution. 

 

Analysis 

• The flaw is tied to support on external drives and network shares of Apple Gatekeeper. Both are viewed as safe locations that allow any applications contained in them to run, this is typically a spot that allow any application to run without asking for the user’s consent. 
• In order to abuse this design for malicious purposes, an attacker would need to leverage two legitimate features in macOS, namely

1. The first feature was designed to allow users to automatically mount a network share by accessing a “special” path. Any path beginning with “/net/” (such as /net/evil-attacker.com/sharedfolder/) can be used for the bypass, the researcher says.  
2. The second feature allows the inclusion within ZIP archives of symbolic links pointing to arbitrary locations, including automount endpoints. The issue, however, is that the software responsible for decompressing the ZIP files does not perform any check on the symlinks.

• The researcher points out that a Zip archive can contain “symbolic links pointing to an arbitrary location (including automount endpoints) and that the software on macOS that is responsible to decompress Zip files do not perform any check on the symlinks before creating them.” Symlinks, also known as Symbolic links, are macOS files that point to (or can be crafted to point to) files or directories in other locations on your system. 

Exploiting automount can be prevented by following these simple steps to disable it. 

1. “Edit /etc/auto_master as root 
2. Comment the line beginning with ‘/net’ 
3. Reboot 

 

Recommendation 

Other tools should be used to supplement Gatekeeper’s functionality. Additionally, system settings can prevent applications from running that haven’t been downloaded through the Apple Store which can help mitigate some of these issues. Monitoring for the removal of the com.apple.quarantine flag by a user instead of the operating system is a suspicious action and should be examined further.  

Malware trojan can be planted via shell access, however there is one security tool available online that has the capability of doing Rootkits, backdoors and Exploits scan called RKhunter there are plenty more available we can be resourceful on how we can utilize the web though.