Apple Keeps Leaving Macs Open To Malware -- But Whitehat Hackers Have Your Back


Apple employed a Gatekeeper for its Macs to do one job: keep unsigned, unverified software out. It might be time to fire Gatekeeper, or hire a new one, as its failures have again been shown up by Patrick Wardle, ex-NSA staffer and head of research at bug hunting firm Synack.

In September last year, Wardle demonstrated a flaw in Gatekeeper that allowed unsigned malicious code to execute. He noticed that Gatekeeper only checked the signature of the first application the user launched. If that verified application then executed or loaded another piece of code, the latter was not checked by Gatekeeper and could run unsigned. By uncovering several Apple-signed apps that, once launched, would look for other binaries alongside them to load or run, he could complete the attack. In his proof of concept, he packaged both the Apple-signed binary and the unsigned, malicious code into one seemingly legitimate download.

The malicious file could do anything an attacker wanted, such as spy on the user, steal passwords or record Skype calls. To fix this, Apple simply blacklisted the specific signed files Wardle had abused. This did not address the underlying design problem: Wardle could simply find other Apple-signed code that let him do the same, which he duly did. “It took me two minutes to get round their patch,” said Wardle.

In his proof of concept, he included the malicious files in what appeared to be a legitimate download of Kaspersky Anti-Virus. Because the download is served over an unencrypted connection rather than HTTPS, the client cannot properly verify where it came from, so an attacker on the same network as the target, such as a public Wi-Fi network, could intercept the request and deliver a fake Kaspersky update carrying the malicious files.

Wardle is presenting his findings at the Shmoocon conference today in Washington D.C. He is releasing a tool, Ostiarius, on his Objective-See website to help fill the gap Apple left open: it checks every file execution, not just the first, and blocks unsigned code originating from the Web.

Wardle said Apple had done some more blacklisting, but he would look for more, possibly live on stage, to highlight the persistent weakness.

Apple had not responded to a request for comment at the time of publication.

Hiding data in Apples

Also at Shmoocon, researcher Josh Pitts will talk about his Apple-related findings, in particular a way to append data to already-installed Mach-O executables on Mac OS X and iOS so that it is hidden from prying eyes, such as police forensics units. Pitts found that if data was added to the end of an executable sitting on a Mac or an iPhone, any tool that verified the file using what Apple calls “no-strict” checking would not see anything amiss. Only by using the “strict” checking feature in Apple’s operating systems will an investigator see that the file had been altered.

Strict checks verify that the signature covers the entire file, the equivalent of a Gatekeeper check, so bytes appended after the signed image are detected. No-strict checks only cover the parts of the file that are to be loaded into memory, so trailing data that no segment maps is never examined.
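To make the difference concrete, here is an added example (not Pitts’ tool and not Apple’s codesign) that parses a thin 64-bit Mach-O header and its LC_SEGMENT_64 load commands, computes the last file offset any segment maps, and reports how many bytes lie beyond it. That is the part of the file a no-strict check never looks at and a strict check flags. The sample binary is constructed inline with a fake cputype and two segments; it is not a real Apple executable, and the check does not verify the signature itself, only the appended-data condition.

```python
import struct

MH_MAGIC_64 = 0xFEEDFACF      # thin, 64-bit, little-endian Mach-O
LC_SEGMENT_64 = 0x19
HEADER_SIZE = 32              # sizeof(struct mach_header_64)


def parse_segments(data: bytes):
    """Return [(segname, fileoff, filesize), ...] from the LC_SEGMENT_64 load commands."""
    if len(data) < HEADER_SIZE:
        raise ValueError("file shorter than a Mach-O header")
    magic, _cpu, _sub, _ftype, ncmds, sizeofcmds, _flags, _res = struct.unpack_from("<8I", data, 0)
    if magic != MH_MAGIC_64:
        raise ValueError("not a thin 64-bit little-endian Mach-O (fat and 32-bit files not handled here)")
    if HEADER_SIZE + sizeofcmds > len(data):
        raise ValueError("load commands run past end of file")
    segments = []
    off = HEADER_SIZE
    for _ in range(ncmds):
        cmd, cmdsize = struct.unpack_from("<II", data, off)
        if cmdsize < 8 or off + cmdsize > HEADER_SIZE + sizeofcmds:
            raise ValueError("malformed load command")
        if cmd == LC_SEGMENT_64:
            name, _vmaddr, _vmsize, fileoff, filesize = struct.unpack_from("<16sQQQQ", data, off + 8)
            segments.append((name.rstrip(b"\0").decode("ascii"), fileoff, filesize))
        off += cmdsize
    return segments


def mapped_end(data: bytes) -> int:
    """Offset just past the last byte any segment maps: the region a no-strict check inspects."""
    sizeofcmds = struct.unpack_from("<8I", data, 0)[5]
    covered = HEADER_SIZE + sizeofcmds
    for _name, fileoff, filesize in parse_segments(data):
        covered = max(covered, fileoff + filesize)
    return covered


def trailing_bytes(data: bytes) -> int:
    """Bytes after the mapped region: zero for a normal binary, positive if data was appended."""
    return len(data) - mapped_end(data)


# ---- constructed sample, not a real Apple binary ----
def _segment(name: bytes, vmaddr: int, vmsize: int, fileoff: int, filesize: int) -> bytes:
    # cmd, cmdsize, segname[16], vmaddr, vmsize, fileoff, filesize, maxprot, initprot, nsects, flags
    return struct.pack("<II16sQQQQiiII", LC_SEGMENT_64, 72, name.ljust(16, b"\0"),
                       vmaddr, vmsize, fileoff, filesize, 7, 5, 0, 0)


def build_sample() -> bytes:
    cmds = (_segment(b"__TEXT", 0x100000000, 0x1000, 0, 0x1000)
            + _segment(b"__LINKEDIT", 0x100001000, 0x1000, 0x1000, 0x100))
    # magic, cputype (ARM64, assumed value), cpusubtype, MH_EXECUTE, ncmds, sizeofcmds, flags, reserved
    header = struct.pack("<8I", MH_MAGIC_64, 0x0100000C, 0, 2, 2, len(cmds), 0, 0)
    return (header + cmds).ljust(0x1100, b"\0")   # file ends exactly where __LINKEDIT ends


CLEAN = build_sample()
TAMPERED = CLEAN + b"stolen-data"   # the situation Pitts described: bytes appended past the image

if __name__ == "__main__":
    for label, blob in (("clean", CLEAN), ("tampered", TAMPERED)):
        print(f"{label}: {trailing_bytes(blob)} trailing byte(s) beyond the mapped image")
```

A loader only maps what the segments describe, so the appended bytes never reach memory and a check scoped to the mapped region reports the file as intact; comparing the mapped end against the actual file length is the cheap test a forensics tool can run on every Mach-O it examines. Fat (universal) binaries carry a different magic and wrap several such images, so a real tool would need to iterate over each architecture slice.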

The problem is that even professional forensics tools often only use no-strict checks, he said. Pitts even found that one of Wardle’s tools designed to uncover malicious files, KnockKnock, was using no-strict checks. “The forensics community is doing it all wrong,” Pitts added.

Pitts suggested hackers could abuse this to hide data stolen by their malware. It might be even more useful to those targeting iPhones as strict checks are not available on iOS, Pitts added.

Thanks to Pitts’ note to Wardle, KnockKnock now does strict checking. He also alerted Facebook that its osquery tool could be updated to support strict checks. And Pitts is to release a tool on GitHub that will update forensics software so it carries out strict checks.

A combination of Pitts' techniques and Wardle's Gatekeeper bypass would make for an especially stealthy attack. Lucky for Apple they're whitehat hackers.
