Security researcher Filippo Cavallarin of the Italian company Segment has published details of an unpatched vulnerability in macOS 10.14.5 Mojave and earlier versions that allows execution of arbitrary code without user interaction.
Using the vulnerability, an attacker can bypass Gatekeeper, the security mechanism built into macOS. This mechanism protects the operating system from running untrusted applications by checking for an Apple-issued digital certificate.
As Cavallarin explains, Gatekeeper treats external drives and network shares as safe locations, which, together with other legitimate macOS features, lets attackers run untrusted applications without warning the user.
By combining automount with the symbolic link support in macOS, it is possible to run arbitrary code without Gatekeeper responding. In macOS, the user can automatically mount network resources by using “autofs”. Symbolic links are files that point to files or folders stored elsewhere, including on a network share. Links contained in archives are not checked, which an attacker can use to get users to click on them and so access the remote content.
The attack method presented by Cavallarin is very simple. For his proof of concept, the researcher added to the “Calculator” file a bash script that runs a different executable, in this case iTunes. In addition, Cavallarin modified the “Calculator” icon.
The researcher informed Apple about the vulnerability on February 22 of this year. The company was supposed to release a fix this month, but according to Cavallarin, the vulnerability can still be reproduced.