No description

1. Mojave Security Flaws
Or their issues

2. >Whoami
Vitaliy Mechytashvili.
Malware Analyst with Under Defense LLC
vim@underdefense.com
https://twitter.com/myautd
https://t.me/myautd
2

3. Agenda
MacOS 10.14 have done a lot of security improvements but there are few secrets you
have to know, like Gatekeeper bypass, installation sources bypass and many other
tricks to infect your MacOS
3

4. Security Features
● Mojave security updates.
● Gatekeeper
● App Store
● Safari Extensions
● Trusted installation source
● CVE’s
4

5. MacOS Mojave Security Updates
Release Date: 24 September 2018.
● Control of Your privacy:
○ Requires approval before application access to your camera or microphone
○ Also requires approval before access to application with personal data, like Mail,
Contacts, etc
● Safari improvements:
○ Enhanced Tracking Prevention
○ Built-in password manager
○ Extensions can be installed only from trusted store
5

6. Control of privacy
This update really protects users from potentially privacy disclosure.
For real, this is only security thing in MacOS that is working properly.
What for real your privacy costs for Apple?
6

7. Authorization bypass
Authorization.h сomment and trampolineClient.cpp code, both source codes available on
opensource.apple.com
7

8. ● Apps are “quarantined” when downloaded
● Gatekeeper checks signature only for quarantined apps
● After app is opened - quarantine flag is removed
● Code signature is never checked again
8
Code signing flow

9. 9
Gatekeeper bypass
● Applications downloaded with curl are never quarantined
● Whenever checksum of application is changed, it still isn’t quarantined
● Malware can remove quarantine flag using xcode “xattr” command
● Dropper can sign any application with own certificate

10. Gatekeeper signatures database
● Anyone can get valid developer signature
● Signatures are revoked after user report abuse to Apple
● Signatures updates on user’s endpoints two times per year
10

11. App Store
Trusted mac application store. Or not?
“AppStore contains sandbox which is validate application before it appears available for users”
How does sandboxing work for real?
This is an example of search hijacker, first appeared in
Extensions store more than half of year ago.
11

12. Adware Doctor
This is fake “Adware Doctor” which collects user personal data.
Top 4 Canada, Top 1 US AppStore in paid applications.
Manual dynamic analysis
workshop from @DC38032
Community available on YT:
https://www.youtube.com/watch?v=B-XELDUtaa8 12

13. Safari Extensions Store
How to contribute to app store:
● You should clearly and accurately disclose what extensions are made available in the app’s
marketing text and the extensions may not include marketing, advertising or in-app purchases.
● They may not interfere with System or Safari UI elements and must never include malicious or
misleading content or code.
● Apple reviews all extensions and updates to ensure they work reliably.
13

14. How does the Extensions Store work
Search Manager.
It manually changes your homepage, new tab and default search manager to yahoo.
Works only in targeted countries.
Indicators of compromise:
● Disallow change search service and homepage manually through preferences.
● Collecting search terms for advertisements suggestions
● Doesn’t show any search result, only advertisements and promotions.
14

15. Search Manager
LLC UnderDefense15

16. Search redirecting
Using build in browser features “beforeSearch”, “beforeNavigate”.
Hijack user search term, replaces search service url to own.
16

17. Browsing History
Each time user opens any url, this extension catches information like web-page title and
url. Then it sends this info to its own server
17

18. Trusted installation source
From macOS Mojave (10.14), by default user can install applications and extensions
only from AppStore and Extensions Store.
● Extension which is installing on users system should be code-signed.
● Extension can be only installed from safari extensions store
● Extension shouldn’t violate AppStore criterias.
18

19. Easy to bypass
26 lines of apple-script to install malicious extension on your system:
Easy to implement and quite difficult to detect.
● Developer features can be turned off
● Extension can be placed not only in default path
19

20. Malware Carriers/Droppers
Adobe_Flash_Player_Installer_1337.dmg. Go ahead and install everything, you download
20

21. CVE List
According to all times CVE-stats,
Mac OS is TOP-4 Vulnerable OS.
21

22. CVE List
According to all-time CVE-stats,
Mac OS is TOP-4 Vulnerable OS.
Link: https://www.cvedetails.com/top-50-products.php?year=0
22

23. 0-day exploit prices
23

24. CVE-2017-7149: Password Exposure
Apple Encrypted Volumes hint contains encryption password
24

25. CVE-2017-7170: Privilege Escalation
0-day discovered by Patrick Wardle (Objective See),
Secure authentication boxes stores password in tmpfile()
tmpfile() creates random named file in /tmp/
25

26. CVE-2017-13872: #iamroot
Click “enter” two times to get root
In macOS Sierra, you can bypass authentication by changing username to “root”
And pressing “Enter” two times
LLC UnderDefense26

27. How to protect yourself
● Objective-See (https://objective-see.com)
○ Knock-Knock
○ Block-Block
● Google Santa
● Any antivirus, which is not doing ML while your disk gets fully encrypted
○ BitDefender
○ MacKeeper
○ Malwarebytes
○ Norton
27

28. How to protect yourself
● Objective-See (https://objective-see.com)
○ Knock-Knock
○ Block-Block
● Google Santa
● Any antivirus is better than nothing
○ BitDefender
○ MacKeeper
○ Malwarebytes
○ Norton
28

29. Thank you!
Ukraine
Lviv Heroiv UPA 73 k.38, Lviv, 79014
Tel: +38 063 11 357 66
email: help@underdefense.com
Poland
Wrocław Rzeźnicza str. 28-31, 50-130
Tel: +48 881 300 889
email: help@underdefense.com
Malta
Birkirkara 170, Pater House, Psaila St,
BKR 9077, Tel: +356 2759 5000
email: help@underdefense.com
USA
New York 375 Park Avenue, Suite 2800, NY
Tel: +1 929 999 5101
email: help@underdefense.com
29