Monday, July 1, 2019

AutoFS and Gatekeeper, ZeroDay for attackers

This blog post is a review of the zero day disclosed by Filippo Cavallarin (or just for the sake of my own understanding). The zero day was disclosed on May 24, and on June 24 Intego released a blog post describing malware that uses it.

So let's see what happened.

According to the post shared by Filippo Cavallarin, he had already shared the zero day with Apple, but it was not fixed in time, so he published it publicly. Then Intego found malware with similar activity; here are the hashes:

Before analyzing the files, first we will discuss what the zero day is.
The flaw is in Gatekeeper, which is responsible for blocking execution of unknown or unsigned files that come from the Internet or other untrusted sources, unless the user provides proper credentials. This zero day exploits Gatekeeper's trusted-location feature.

Now, the Internet is usually an untrusted location for Gatekeeper, so by default it will block execution of any app downloaded from the Internet. Here a utility of macOS (and other OSes too) called the automounter, or autofs, plays an important role in the zero day.

With autofs you can easily mount network volumes upon first access to the folder where you want the volume mounted. This means that if I open a network location which is specified in an autofs map, it will be mounted directly.

To explain further, let's look at the automounter master map file, located at /etc/auto_master; this is the configuration for the autofs utility:

    # Automounter master map
    +auto_master            # Use directory service
    /net                    -hosts          -nobrowse,hidefromfinder,nosuid
    /home                   auto_home       -nobrowse,hidefromfinder
    /Network/Servers        -fstab
    /-                      -static

The format of each line in this file is: mount-point [map-type[,format]:]map [options]

Notice the line for the /net directory: -hosts is given as the map. If "-hosts" is given as the map, then accessing a key under the mount point that corresponds to a hostname will allow access to the exports of that host.

What does this mean? Consider this example. With the entry /net -hosts in the master map, accessing a network location such as an NFS host named myNFS via /net/myNFS will mount the exports of myNFS on directories below /net/myNFS. So we don't have to mount myNFS explicitly.

Now here comes the zero day. Gatekeeper on macOS considers a network share a trusted location (unlike the Internet) and thus allows unrestricted execution of an app if it is loaded from a network share.

So combine the two things and there is your zero day. You can create a symlink pointing to a location starting with /net, which Gatekeeper will mark as trusted, then compress it (zip/dmg/tar) and ship it.

Here it is, in steps:
·      Create a zip file with a symlink to the automount location, preferably an NFS share.
·      Create the app which you want to run on the victim's machine.
·      Create a publicly accessible NFS share and store the app in it.
·      Now upload the zip file to the Internet and try some social engineering so that people download it.
·      Now when the victim opens the symlink, they are directed to the app stored on the NFS share.

Now we will quickly analyze the 4 samples that were mentioned in the blog post.
·      9356ef24e81ae6c4c38839383156a2a00c3f183a31860b7bc566f92f1f1a3f9c: This is a DMG file with the volume label AdobeFlashPlayer (there is your social engineering). It contains a single symlink. If we readlink the symlink, it points to /net/
·      cdf9137b9dd78d79532a8f8c2f65917601b87f8f25b68027b139db88c6529145: Also a DMG file, with the label Test. Again it contains a symlink which points to /net/
·      f6bf5b8bb2400aad4ac844f2b94a4e556907f35b44c5ff462fb4e70c0208c9de: Similar to the 1st one, the label is AdobeFlashPlayer and the symlink points to /net/
·      d53ebf9fe70bce05a00fb6dded971f49b070ed8e10beb0e40d48e3495b274a23: Also similar to the 1st one, the label is AdobeFlashPlayer and the symlink points to /net/

So there is not much to analyze: just a symlink pointing to an automounted location on the Internet, which Gatekeeper will allow to execute.
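A defender-side check for what the steps and the samples above amount to, as an added example that is not code from the original post or from the researchers it cites: it lists symlinks in an unpacked archive or mounted DMG whose target lies under /net, and tests whether an auto_master-style map still has the /net -hosts entry active. The host name example-host.invalid and the constructed sample directory are assumptions; the script is POSIX sh and relies only on find, readlink and grep.

```shell
#!/bin/sh
# Added example (not from the original post): defender-side checks for the
# autofs /net symlink trick. Host name and sample paths below are constructed.

# Returns 0 if the given auto_master-style map still has an active (uncommented)
# "/net  -hosts" entry, i.e. /net/<host> automounting is enabled.
net_automount_enabled() {
    grep -E '^[[:space:]]*/net[[:space:]]+-hosts' "$1" >/dev/null 2>&1
}

# Prints every symlink below a directory (an unpacked zip or a mounted DMG)
# whose target lies under /net, one "link -> target" per line.
find_net_symlinks() {
    find "$1" -type l -exec sh -c '
        for link; do
            target=$(readlink "$link")
            case "$target" in
                /net|/net/*) printf "%s -> %s\n" "$link" "$target" ;;
            esac
        done' _ {} +
}

# Returns 0 if at least one such symlink exists below the directory.
has_net_symlinks() {
    [ -n "$(find_net_symlinks "$1")" ]
}

# Constructed sample mimicking the DMG contents described in the post:
# an "AdobeFlashPlayer" folder holding a symlink into /net, plus a benign
# symlink that must not be flagged. Prints the sample directory path.
make_sample() {
    sample=$(mktemp -d)
    mkdir -p "$sample/AdobeFlashPlayer"
    ln -s /net/example-host.invalid/share/Installer.app \
        "$sample/AdobeFlashPlayer/Installer.app"
    ln -s /Applications "$sample/Applications"
    printf '%s\n' "$sample"
}

# Demo: scan the constructed sample, report, then clean up.
sample_dir=$(make_sample)
if has_net_symlinks "$sample_dir"; then
    echo "Suspicious /net symlinks found:"
    find_net_symlinks "$sample_dir"
fi
rm -rf "$sample_dir"
```

To scan a real download, mount the DMG or unzip the archive and pass the resulting directory to find_net_symlinks; pass /etc/auto_master to net_automount_enabled to see whether the host still automounts under /net.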
