A security researcher says he has discovered a simple method of bypassing OS X Gatekeeper by using a file already trusted by Apple to attack a Mac computer. Gatekeeper was created by Apple back in 2012 to protect Mac users against malicious threats when installing apps.
Now, a security researcher has found a drop-dead simple technique that completely bypasses Gatekeeper, even when the protection is set to its strictest setting. The hack uses a binary file already trusted by Apple to pass through Gatekeeper. Once the Apple-trusted file is on the other side, it executes one or more malicious files that are included in the same folder. The bundled files can install a variety of nefarious programs, including password loggers, apps that capture audio and video, and botnet software.
“If the application is valid—so it was signed by a developer ID or was (downloaded) from the Mac App Store—Gatekeeper basically says ‘OK, I’m going to let this run,’ and then Gatekeeper essentially exits,” security researcher Patrick Wardle told Ars. “It doesn’t monitor what that application is doing. If that application turns around and either loads or executes other content from the same directory… Gatekeeper does not examine those files.”
Wardle’s proof of concept uses a widely available binary that’s already signed by Apple. Once that binary has run, it runs a separate app located in the same folder as the original app. Apple has requested that Wardle and Ars withhold the name of the two binaries, and they have agreed to, referring to them only as Binary A and Binary B.
“His exploit works by renaming Binary A but otherwise making no other changes to it. He then packages it inside an Apple disk image. Because the renamed Binary A is a known file signed by Apple, it will immediately be approved by Gatekeeper and be executed by OS X.”
At that point Binary A will look for Binary B located in the same folder, which is the downloaded disk image. Gatekeeper only checks the original file that was clicked on, so the exploit swaps out the legitimate Binary B with a malicious one and bundles it in the same disk image under the same file name. Binary B needs no digital certificate to run, so it can install anything the attacker wants.
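An added audit script in the defensive spirit of the weakness described above; it is not Wardle's proof of concept and not Apple code. Because Gatekeeper evaluates only the file the user opened, the script walks a mounted disk image or app bundle and reports the signature status of every Mach-O inside it, so a bundled, unsigned "Binary B" stands out. It assumes the macOS `codesign` tool for the verification step (reported as `unknown` on other systems) and builds a constructed sample folder of fake Mach-O headers to run against.

```python
import os
import shutil
import subprocess
import tempfile

THIN_MAGICS = {b"\xfe\xed\xfa\xce", b"\xce\xfa\xed\xfe",   # MH_MAGIC, both byte orders
               b"\xfe\xed\xfa\xcf", b"\xcf\xfa\xed\xfe"}   # MH_MAGIC_64, both byte orders
FAT_MAGIC = b"\xca\xfe\xba\xbe"   # universal binary; also the Java .class magic

def is_mach_o(path):
    """True if the file starts like a Mach-O image (thin or fat/universal)."""
    try:
        with open(path, "rb") as f:
            head = f.read(8)
    except OSError:
        return False
    if head[:4] in THIN_MAGICS:
        return True
    # Fat header: nfat_arch is a small count, whereas a .class file has a version >= 45 here.
    return head[:4] == FAT_MAGIC and len(head) == 8 and int.from_bytes(head[4:8], "big") < 30

def find_mach_o(root):
    """Relative paths of every Mach-O under root, not only the file the user double-clicked."""
    paths = (os.path.join(d, n) for d, _, files in os.walk(root) for n in files)
    return sorted(os.path.relpath(p, root) for p in paths if not os.path.islink(p) and is_mach_o(p))

def signature_status(path):
    """'signed'/'unsigned' per codesign --verify, or 'unknown' where codesign is absent (non-macOS)."""
    if shutil.which("codesign") is None:
        return "unknown"
    r = subprocess.run(["codesign", "--verify", "--strict", path], capture_output=True)
    return "signed" if r.returncode == 0 else "unsigned"

def audit(root):
    """Signature status of every Mach-O under root; anything not 'signed' is a companion Gatekeeper never examined."""
    return {rel: signature_status(os.path.join(root, rel)) for rel in find_mach_o(root)}

def build_sample_dir():
    """Constructed stand-in for a mounted image: fake 64-bit 'BinaryA', a fake fat 'BinaryB'
    in a subfolder, a fake Java class and a text file. Headers only, none of it is real code."""
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, "sub"))
    samples = {"BinaryA": b"\xcf\xfa\xed\xfe" + b"\0" * 28,
               "sub/BinaryB": b"\xca\xfe\xba\xbe\x00\x00\x00\x02" + b"\0" * 8,
               "sub/Foo.class": b"\xca\xfe\xba\xbe\x00\x00\x00\x34",
               "readme.txt": b"not code"}
    for rel, data in samples.items():
        with open(os.path.join(root, rel), "wb") as f:
            f.write(data)
    return root
```

Run `audit()` on the mount point of a downloaded disk image (for example `/Volumes/SomeImage`) and treat every entry that is not `signed` as a file that would have run without any Gatekeeper check.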
Wardle says he privately alerted Apple about his discovery over 60 days ago, and says he believes the Cupertino firm is working on a fix. An Apple spokesman confirmed to Ars that the company’s developers are working on plugging the security hole.
Wardle will present his findings on Thursday at the Virus Bulletin Conference in Prague.