So let's see what happened.
According to the post shared by Filippo Cavallarin, he had already shared the zero day with Apple, but it was not fixed in time, so he published it publicly. Then Intego found malware with similar activity; here are the hashes:
9356ef24e81ae6c4c38839383156a2a00c3f183a31860b7bc566f92f1f1a3f9c
cdf9137b9dd78d79532a8f8c2f65917601b87f8f25b68027b139db88c6529145
f6bf5b8bb2400aad4ac844f2b94a4e556907f35b44c5ff462fb4e70c0208c9de
d53ebf9fe70bce05a00fb6dded971f49b070ed8e10beb0e40d48e3495b274a23
Before analyzing the files, we will first discuss what the zero day is.
The flaw is in Gatekeeper, which is responsible for blocking execution of unknown or unsigned files from the Internet or other untrusted sources unless the user provides proper credentials. This zero day exploits the trusted-location feature of Gatekeeper.
Now, usually the Internet is an untrusted location for Gatekeeper, so by default it will block execution of any app from the Internet. Here a utility of Mac (and other OSes too) called Automounter, or autofs, plays an important role in the zero day.
With autofs you can easily mount network volumes upon first access to the folder where you want the volume mounted. This means that if I open a network location which is specified in an autofs map, it will be mounted directly.
To explain further, let's see the Automounter master map file, located at /etc/auto_master; this is the configuration for the autofs utility:
#
# Automounter master map
#
+auto_master # Use directory service
/net -hosts -nobrowse,hidefromfinder,nosuid
/home auto_home -nobrowse,hidefromfinder
/Network/Servers -fstab
/- -static
The format of this file is mount-point [map-type[,format]:]map [options].
Notice the line with the /net directory. Here -hosts is given as the map. If "-hosts" is given as the map, then accessing a key under the mount point which corresponds to a hostname will allow access to the exports of that host.
What does this mean? Well, consider this example. With an entry of /net -hosts in the master map, accessing a network location like an NFS server named myNFS as /net/myNFS will mount the exports of myNFS on directories below /net/myNFS. So we don't have to mount myNFS explicitly.
Now here comes the zero day. Gatekeeper in Mac considers a network share a trusted location (unlike the Internet) and thus allows unrestricted execution of an app if it comes from a network share.
So now combine the two things and there is your zero day. You can create a symlink pointing to a location starting with /net, which Gatekeeper will mark as trusted, then compress it (zip/dmg/tar) and ship it.
Here, in steps:
· Create a zip file with a symlink to the automount location, preferably an NFS share
· Create the app which you want to run on the victim's PC.
· Create a publicly accessible NFS share and store the app in it
· Now upload the zip file to the Internet and try some social engineering so that people download it.
· Now when you open the link file, you will be directed to the app stored on the NFS share
Now we will quickly analyze the 4 samples that were mentioned in the blog.
· 9356ef24e81ae6c4c38839383156a2a00c3f183a31860b7bc566f92f1f1a3f9c: This is a DMG file with the mount label AdobeFlashPlayer (there is your social engineering). It contains a single Install.app symlink. If we readlink the symlink, it points to /net/108.168.175.167/dl/Install.app
· cdf9137b9dd78d79532a8f8c2f65917601b87f8f25b68027b139db88c6529145: Also a DMG file, with the label Test. Again it contains a symlink Install.app which points to /net/108.168.175.167/dl/Install.app
· f6bf5b8bb2400aad4ac844f2b94a4e556907f35b44c5ff462fb4e70c0208c9de: Similar to the 1st one: the label is AdobeFlashPlayer and the symlink Install.app points to /net/108.168.175.167/dl/Install.app
· d53ebf9fe70bce05a00fb6dded971f49b070ed8e10beb0e40d48e3495b274a23: Also similar to the 1st one: the label is AdobeFlashPlayer and the symlink Install.app points to /net/108.168.175.167/dl/Install.app
So there is not much to analyze: just a symlink pointing to an automounted location on the Internet, which Gatekeeper will allow to execute.
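Since every sample boils down to a symlink whose target starts with an automount root, the whole family can be triaged without mounting anything as trusted. The script below is an added example written for this post, not code from the original analysis or from Intego: it parses an auto_master-style map (a constructed copy of the lines quoted above) to learn which mount points are network-backed (-hosts and -fstab maps), then flags symlink members of a zip archive, or symlinks on an already-mounted volume, whose target lands under one of those roots. The zip symlink check relies on the Unix mode that zip stores in the high 16 bits of external_attr; the IP 203.0.113.10 is a documentation placeholder standing in for the real one in the samples, and treating a target that lacks its leading slash as absolute (like the readlink output quoted above) is a heuristic that errs toward flagging.

```python
"""Flag symlinks in archives or mounted volumes that point into autofs network roots."""
import io
import os
import posixpath
import stat
import tempfile
import zipfile

# Constructed copy of the /etc/auto_master lines discussed in the post.
SAMPLE_AUTO_MASTER = """\
#
# Automounter master map
#
+auto_master # Use directory service
/net -hosts -nobrowse,hidefromfinder,nosuid
/home auto_home -nobrowse,hidefromfinder
/Network/Servers -fstab
/- -static
"""

# Placeholder address (TEST-NET-3), not the address seen in the real samples.
PLACEHOLDER_TARGET = "/net/203.0.113.10/dl/Install.app"


def network_automount_roots(auto_master_text):
    """Return mount points whose map is -hosts or -fstab, i.e. network-backed.

    Each non-comment line reads 'mount-point [map-type[,format]:]map [options]'.
    '+auto_master' (directory-service maps) and '/-' (direct map) give no fixed
    path prefix, so both are skipped.
    """
    roots = []
    for line in auto_master_text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line or line.startswith("+"):
            continue
        fields = line.split()
        if len(fields) < 2 or fields[0] == "/-":
            continue
        if fields[1] in ("-hosts", "-fstab"):
            roots.append(fields[0].rstrip("/"))
    return roots


def under_root(target, roots):
    """True if the symlink target resolves under one of the automount roots.

    Heuristic: a target without a leading slash is treated as absolute, which
    catches 'net/<host>/...' spellings at the cost of occasional false positives.
    """
    path = target if target.startswith("/") else "/" + target
    norm = posixpath.normpath(path)
    return any(norm == r or norm.startswith(r + "/") for r in roots)


def scan_zip(data, roots):
    """Return [(member, target)] for symlink members pointing under a root."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            # Unix mode lives in the high 16 bits; S_IFLNK marks a symlink,
            # and the member's data is the link target.
            if stat.S_ISLNK(info.external_attr >> 16):
                target = zf.read(info).decode("utf-8", "replace")
                if under_root(target, roots):
                    hits.append((info.filename, target))
    return hits


def scan_directory(path, roots):
    """Same check for a mounted volume, e.g. a DMG attached read-only."""
    hits = []
    for dirpath, dirnames, filenames in os.walk(path):
        for name in dirnames + filenames:
            full = os.path.join(dirpath, name)
            if os.path.islink(full):
                target = os.readlink(full)
                if under_root(target, roots):
                    hits.append((os.path.relpath(full, path), target))
    return hits


def build_sample_zip(target):
    """Constructed sample: a zip holding one symlink Install.app -> target."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        info = zipfile.ZipInfo("AdobeFlashPlayer/Install.app")
        info.create_system = 3  # Unix, so external_attr carries the mode bits
        info.external_attr = (stat.S_IFLNK | 0o755) << 16
        zf.writestr(info, target)
    return buf.getvalue()


def demo_directory_scan(roots):
    """Constructed sample: a temp dir with one automount symlink and one benign link."""
    with tempfile.TemporaryDirectory() as tmp:
        os.symlink(PLACEHOLDER_TARGET, os.path.join(tmp, "Install.app"))
        os.symlink("../Applications", os.path.join(tmp, "Applications"))
        return scan_directory(tmp, roots)


if __name__ == "__main__":
    roots = network_automount_roots(SAMPLE_AUTO_MASTER)
    print("network automount roots:", roots)
    print("zip hits:", scan_zip(build_sample_zip(PLACEHOLDER_TARGET), roots))
    print("volume hits:", demo_directory_scan(roots))
```

Run against a real download, the same scan_zip call takes the bytes of the downloaded archive, and scan_directory takes the mount point of a DMG attached with hdiutil; either hit is reason to quarantine the file rather than open Install.app.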