macOS users (including Mojave): Gatekeeper may allow an application located on an external drive or network share to run without checking it! And there is no fix yet. How is this possible? Because Gatekeeper treats external drives and NFS shares as trusted locations.

The bypass rests on two entirely legitimate features:
- Zip archives may contain symbolic links (symlinks) pointing to arbitrary locations, including automatic mount points, and the decompression software does not check them.
- The automount (autofs) feature mounts a network share automatically when a user accesses a path beginning with /net/.
The bypass can therefore be achieved with a zip archive (delivered on a USB drive or sent by email) containing a symbolic link to an application controlled by the attacker.
- The victim only has to open the zip file and launch the symbolic link.
- During decompression the symlink is not checked, and Gatekeeper considers the destination location safe.
- Once the target has been compromised, the attacker can operate unnoticed.
The fact that Finder does not display the full path of the symbolic link and hides extensions makes this technique very effective and difficult to detect.
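Since the extraction tool does not inspect symlinks, a defender can do so before the archive is ever opened. The following scanner is an added example (not from the original post): it walks a zip's entries in memory, recognises symlink entries from the Unix mode bits stored in the zip header, and reports any whose target is absolute (such as a /net/ automount path) or escapes the extraction directory. The sample archive it builds is a constructed fixture with a placeholder host, not a real share.

```python
import io
import stat
import zipfile

AUTOMOUNT_PREFIX = "/net/"  # the autofs path discussed in the post


def is_symlink_entry(info: zipfile.ZipInfo) -> bool:
    """A zip entry is a symlink when the Unix mode kept in the high
    16 bits of external_attr carries the S_IFLNK file type."""
    mode = (info.external_attr >> 16) & 0xFFFF
    return stat.S_ISLNK(mode)


def find_suspicious_symlinks(data: bytes) -> list[tuple[str, str, str]]:
    """Return (entry_name, target, reason) for each symlink entry whose
    target is absolute or climbs out of the archive with '..'.
    The archive is only read, never extracted."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if not is_symlink_entry(info):
                continue
            # For a symlink entry the stored body is the link target.
            target = zf.read(info).decode("utf-8", errors="replace")
            if target.startswith(AUTOMOUNT_PREFIX):
                hits.append((info.filename, target, "automount target"))
            elif target.startswith("/"):
                hits.append((info.filename, target, "absolute target"))
            elif ".." in target.split("/"):
                hits.append((info.filename, target, "path traversal"))
    return hits


def build_sample_zip(include_symlink: bool = True) -> bytes:
    """Constructed test fixture: one harmless file and, optionally, a
    symlink entry aimed at a placeholder /net/ path (example.invalid
    is not a real host)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("README.txt", "harmless text\n")
        if include_symlink:
            link = zipfile.ZipInfo("Report")
            link.create_system = 3  # Unix, so the mode bits are meaningful
            link.external_attr = (stat.S_IFLNK | 0o777) << 16
            zf.writestr(link, "/net/example.invalid/share/Example.app")
    return buf.getvalue()
```

Run it against a real download with `find_suspicious_symlinks(open(path, "rb").read())`; an empty list means no symlink entry leaves the extraction directory.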
Apple is aware of this bypass, and to date no fix has been provided.
This vulnerability once again draws our attention to the level of perimeter security at our endpoints. Should actions when inserting devices be more restrictive? Could a kind of internal system sandbox provide better prevention? These questions remain open.
Read more on this topic in this article on Generation-NT.com: https://www.generation-nt.com/macos-faille-securite-gatekeeper-actualite-1965327.html
