Ex-NSA Researcher Finds Sneaky Way Past Apple Mac's Gatekeeper

Want to know something odd? Its 2015 and all the top anti-virus products for Mac OS X use insecure lines to transmit their software to Apple Apple machines. Download files, known as .dmg files,for products including Kaspersky, Symantec Symantec, Avast, Avira, Intego, BitDefender, Trend Micro, ESET and F-Secure are all sentover unencrypted HTTP lines, rather than the more secure HTTPS. There is method in their madness, as they trust Apples Gatekeepersecurity technology to recognise the digital signatures they sign their software with that should guarantee the authenticity of the download.

But a former NSA and NASA staffer Patrick Wardle, who now heads up research at security start-up Synack, believes he has found a new way to abuse such insecure downloads and bypass protections in Apple Macs without getting caught. Normally, anyone who intercepts a download to turn it nasty wont get away with it, as Mac Gatekeeperwill see that the vendors original signature has been altered or taken away entirely, and the software tampered with, meaning its no longer trusted.

Yetthe Gatekeeper software doesnt check all components of Mac OS X download files, according to Wardle. He believes he can sneak a malicious version of whats known as a dylib file into legitimate downloads done over HTTP to infect Macs and start stealing data.These dylibs (short for dynamic libraries) are designed to be re-used by different applications; they might be used for actions such as compressing a file or using native graphics capabilities of the operating system. Theyre supposed to make apps work more efficiently.

If an attacker can hijack the dylib processes used by Mac apps, however, they can carry out nasty attacks and send user data to their own servers, the researcher explained. Such an attack would not be trivial, Wardle admits. First, the attacker would have to get on the same network as a target, either by breaching it or simply logging on to the same public Wi-Fi. They would also have to injecta legitimate yet vulnerable application into the downloadand shuffle around the content of the .dmg so thatthe injected legitimate softwareis shown to the user. The latter is not so tricky:the attacker can set the name and icon of thisvulnerable app so nothing looks suspicious, said Wardle.

Finding vulnerable apps shouldnt be too hard either.Wardle created a scanner that looked for applications that would use his naughty dylibs. He found around 150 on his own machine, including hugely popular software likeMicrosoftWord and Excel,Apples own iCloud Photos and Dropbox. The list also includedApples developer tool XCODE and email encryption key management software GPG Keychain, both of which he abused in his proof of concept attacks. According to a recent article in The Intercept, Snowden files showed researchers were demonstrating how amodified version of XCODEcould be used to siphon off targets passwords and other data. Wardle said it was 100 per cent coincidence that his former employer had also targeted XCODE.

Wardled noted that apps from Apples Mac App Store are not vulnerable.

Apps vulnerable to dylib attacks slide from Patrick Wardle

Despite the barriers to successful exploitation, his techniques have provided him with a novel way to bypass Gatekeepers draconian detection mechanism (its also not too dissimilar from DLL attacks of yore on Windows).It is, he added, a cunning way to bypass Mac OS X Gatekeeper protections and allow hackers to go back to their old tricks.

When the injected legitimateapplication is launched the unsigned malicious dylib is loaded or executed(even if the user sets his machine to accept only all apps from the Mac App Store) before theapps main code. At this point the dylib can do anything. I see it a)kicking off the legitimate application that the user was downloading sonothing seems amiss, and b) installing the implant component which will then complete the rest of the attack, persistently infecting the userscomputer. He noted theattack should also work on downloaded .zip filesthat contain applications.

Mac OS X dylib hijacking attacks slide from Patrick Wardle

See original here:
Ex-NSA Researcher Finds Sneaky Way Past Apple Mac's Gatekeeper