
MacOS Mojave Security Issues


  1. Mojave Security Flaws, or their issues
  2. >Whoami: Vitaliy Mechytashvili, Malware Analyst with Under Defense LLC. vim@underdefense.com, https://twitter.com/myautd, https://t.me/myautd
  3. Agenda: macOS 10.14 has made a lot of security improvements, but there are a few secrets you have to know, like Gatekeeper bypass, installation source bypass and many other tricks used to infect your macOS.
  4. Security Features
     ● Mojave security updates
     ● Gatekeeper
     ● App Store
     ● Safari Extensions
     ● Trusted installation source
     ● CVEs
  5. MacOS Mojave Security Updates. Release date: 24 September 2018.
     ● Control of your privacy:
       ○ Requires approval before an application accesses your camera or microphone
       ○ Also requires approval before access to applications with personal data, like Mail, Contacts, etc.
     ● Safari improvements:
       ○ Enhanced Tracking Prevention
       ○ Built-in password manager
       ○ Extensions can be installed only from the trusted store
  6. Control of privacy: This update really protects users from potential privacy disclosure. In fact, this is the only security feature in macOS that works properly. What does your privacy really cost Apple?
  7. Authorization bypass: Authorization.h comment and trampolineClient.cpp code; both sources are available on opensource.apple.com
  8. Code signing flow
     ● Apps are “quarantined” when downloaded
     ● Gatekeeper checks the signature only for quarantined apps
     ● After the app is opened, the quarantine flag is removed
     ● The code signature is never checked again
  9. Gatekeeper bypass
     ● Applications downloaded with curl are never quarantined
     ● When the checksum of an application changes, it still isn’t quarantined
     ● Malware can remove the quarantine flag using the Xcode “xattr” command
     ● A dropper can sign any application with its own certificate
  10. Gatekeeper signatures database
     ● Anyone can get a valid developer signature
     ● Signatures are revoked after users report abuse to Apple
     ● Signatures are updated on users’ endpoints two times per year
  11. App Store: the trusted Mac application store. Or not? “The App Store contains a sandbox which validates an application before it becomes available to users.” How does sandboxing really work? This is an example of a search hijacker, which first appeared in the Extensions store more than half a year ago.
  12. Adware Doctor: This is the fake “Adware Doctor”, which collects users’ personal data. Top 4 Canada, Top 1 US AppStore in paid applications. A manual dynamic analysis workshop from the @DC38032 Community is available on YT: https://www.youtube.com/watch?v=B-XELDUtaa8
  13. Safari Extensions Store. How to contribute to the app store:
     ● You should clearly and accurately disclose what extensions are made available in the app’s marketing text and the extensions may not include marketing, advertising or in-app purchases.
     ● They may not interfere with System or Safari UI elements and must never include malicious or misleading content or code.
     ● Apple reviews all extensions and updates to ensure they work reliably.
  14. How does the Extensions Store work: Search Manager. It changes your homepage, new tab and default search manager to Yahoo. Works only in targeted countries. Indicators of compromise:
     ● Prevents changing the search service and homepage manually through preferences
     ● Collects search terms for advertisement suggestions
     ● Doesn’t show any search results, only advertisements and promotions
  15. Search Manager
  16. Search redirecting: Uses the built-in browser features “beforeSearch” and “beforeNavigate” to hijack the user’s search term and replace the search service URL with its own.
  17. Browsing History: Each time the user opens any URL, this extension captures information such as the web page title and URL, then sends it to its own server.
  18. Trusted installation source: From macOS Mojave (10.14), by default the user can install applications and extensions only from the AppStore and Extensions Store.
     ● An extension installed on the user’s system should be code-signed
     ● An extension can only be installed from the Safari Extensions Store
     ● An extension shouldn’t violate AppStore criteria
  19. Easy to bypass: 26 lines of AppleScript to install a malicious extension on your system. Easy to implement and quite difficult to detect.
     ● Developer features can be turned off
     ● The extension can be placed not only in the default path
  20. Malware Carriers/Droppers: Adobe_Flash_Player_Installer_1337.dmg. Go ahead and install everything you download.
  21. CVE List: According to all-time CVE stats, Mac OS is the TOP-4 vulnerable OS.
  22. CVE List: According to all-time CVE stats, Mac OS is the TOP-4 vulnerable OS. Link: https://www.cvedetails.com/top-50-products.php?year=0
  23. 0-day exploit prices
  24. CVE-2017-7149: Password Exposure. The hint for Apple encrypted volumes contains the encryption password.
  25. CVE-2017-7170: Privilege Escalation. 0-day discovered by Patrick Wardle (Objective-See). Secure authentication boxes store the password in tmpfile(); tmpfile() creates a randomly named file in /tmp/.
  26. CVE-2017-13872: #iamroot. Press “Enter” two times to get root. In macOS Sierra, you can bypass authentication by changing the username to “root” and pressing “Enter” two times.
  27. How to protect yourself
     ● Objective-See (https://objective-see.com)
       ○ Knock-Knock
       ○ Block-Block
     ● Google Santa
     ● Any antivirus which is not doing ML while your disk gets fully encrypted
       ○ BitDefender
       ○ MacKeeper
       ○ Malwarebytes
       ○ Norton
  28. How to protect yourself
     ● Objective-See (https://objective-see.com)
       ○ Knock-Knock
       ○ Block-Block
     ● Google Santa
     ● Any antivirus is better than nothing
       ○ BitDefender
       ○ MacKeeper
       ○ Malwarebytes
       ○ Norton
  29. Thank you!
     ● Ukraine: Lviv, Heroiv UPA 73 k.38, Lviv, 79014. Tel: +38 063 11 357 66, email: help@underdefense.com
     ● Poland: Wrocław, Rzeźnicza str. 28-31, 50-130. Tel: +48 881 300 889, email: help@underdefense.com
     ● Malta: Birkirkara 170, Pater House, Psaila St, BKR 9077. Tel: +356 2759 5000, email: help@underdefense.com
     ● USA: New York, 375 Park Avenue, Suite 2800, NY. Tel: +1 929 999 5101, email: help@underdefense.com
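
Slides 8 and 9 state that Gatekeeper checks signatures only for quarantined apps and that the quarantine flag can be removed with the “xattr” command. The following detection is an added example, not part of the original slides: it flags process command lines that strip `com.apple.quarantine`. The sample command lines and paths are constructed, and the event source (any process-execution log that records full command lines) is an assumption.

```python
import os
import shlex

QUARANTINE_ATTR = "com.apple.quarantine"

def quarantine_removal(cmdline):
    """Return the target paths if cmdline strips the quarantine xattr, else None."""
    try:
        argv = shlex.split(cmdline)
    except ValueError:                   # unbalanced quotes: fall back to a naive split
        argv = cmdline.split()
    # Flatten quoted arguments so `sh -c "xattr -d ..."` is inspected as well.
    tokens = [t for arg in argv for t in arg.split()]
    for i, tok in enumerate(tokens):
        if os.path.basename(tok) != "xattr":
            continue
        flags, operands = set(), []
        for t in tokens[i + 1:]:
            if t.startswith("-") and len(t) > 1 and not operands:
                flags.update(t[1:])      # combined short flags: -rd -> {'r', 'd'}
            else:
                operands.append(t)
        if "c" in flags:                 # -c clears every attribute, quarantine included
            return operands
        if "d" in flags and operands and operands[0] == QUARANTINE_ATTR:
            return operands[1:]
    return None

# Constructed sample events (assumed format: one full command line per event).
SAMPLE_EVENTS = [
    "/usr/bin/xattr -d com.apple.quarantine /Applications/Example.app",
    "xattr -rd com.apple.quarantine /Users/alice/Downloads/Example.app",
    "xattr -cr /tmp/payload.app",
    "sh -c 'xattr -d com.apple.quarantine /tmp/a.app'",
    "xattr -l /Applications/Safari.app",                              # read-only listing
    "xattr -p com.apple.quarantine /Applications/Example.app",        # read-only print
    "xattr -d com.apple.metadata:kMDItemWhereFroms /tmp/report.pdf",  # other attribute
]

def scan(events):
    """Return (command line, targets) for every event that strips quarantine."""
    results = ((line, quarantine_removal(line)) for line in events)
    return [(line, t) for line, t in results if t is not None]

if __name__ == "__main__":
    for line, targets in scan(SAMPLE_EVENTS):
        print("ALERT quarantine removed:", targets, "<-", line)
```

Paths returned by `scan` are candidates for a manual signature re-check with `codesign --verify` or `spctl --assess`, since the slides point out that the signature is not checked again once the flag is gone.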