
macOS X GateKeeper Bypass - raimue
https://www.fcvl.net/vulnerabilities/macosx-gatekeeper-bypass
======
Someone
_“The second legit feature is that zip archives can contain symbolic links
pointing to an arbitrary location (including automount endpoints) and that the
software on MacOS that is responsible for decompressing zip files does not
perform any check on the symlinks before creating them.”_

Is that truly legit? It’s very similar to having web servers accept URL paths
containing full paths or “../”, both of which have been the cause of many
security vulnerabilities.

~~~
cjcampbell
I don't believe this feature is specific to macOS and the zip format. I'm
reasonably certain it's possible to `tar` a symbolic link in Windows, Linux,
or macOS.
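
The symlink-in-archive behaviour the two comments above describe, as an added
example (not code from the advisory or from Apple): it builds a constructed
zip in memory containing a symlink whose target is an absolute path under the
/net automount root (the host name is invented) plus one that climbs out with
"..", and then scans the archive before extraction, which is the check the
thread says the macOS decompressor does not perform.

```python
from __future__ import annotations

import io
import stat
import zipfile

# Automount roots from the default /etc/auto_master quoted in this thread;
# a symlink into one of them resolves to a remote filesystem when followed.
AUTOMOUNT_ROOTS = ("/net/", "/Network/", "/home/")


def build_demo_zip() -> bytes:
    """Constructed sample archive (not a real exploit file): one regular file,
    one symlink whose target is an absolute path under the NFS automounter root
    (host name invented for the example), and one symlink using '..'."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("readme.txt", "hello\n")
        # In the zip format a symlink is an entry whose Unix mode (kept in the
        # high 16 bits of external_attr) has S_IFLNK set; the entry's data is
        # the link target. Unix-aware extractors recreate the link as-is.
        for name, target in (
            ("Applications", "/net/attacker.example.invalid/share"),
            ("escape", "../../outside"),
        ):
            zi = zipfile.ZipInfo(name)
            zi.create_system = 3  # 3 = Unix, so extractors honour the mode bits
            zi.external_attr = (stat.S_IFLNK | 0o755) << 16
            zf.writestr(zi, target)
    return buf.getvalue()


def is_symlink(zi: zipfile.ZipInfo) -> bool:
    """True when the entry's Unix mode bits mark it as a symbolic link."""
    return stat.S_ISLNK(zi.external_attr >> 16)


def audit_zip(data: bytes) -> list[tuple[str, str, str]]:
    """Scan an archive before extraction and return (entry, target, reason)
    for every symlink an unchecked extractor would create pointing outside
    the extraction directory."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for zi in zf.infolist():
            if not is_symlink(zi):
                continue
            target = zf.read(zi).decode("utf-8", "replace")
            if target.startswith("/"):
                reason = "absolute target"
                if target.startswith(AUTOMOUNT_ROOTS):
                    reason = "absolute target under an automount root"
                findings.append((zi.filename, target, reason))
            elif ".." in target.split("/"):
                findings.append((zi.filename, target, "parent-directory traversal"))
    return findings


if __name__ == "__main__":
    for entry, target, reason in audit_zip(build_demo_zip()):
        print(f"{entry} -> {target}: {reason}")
```

Python's own `ZipFile.extractall` happens to write the link target as file
content rather than creating a link, so the scan matters for the Unix-aware
tools (Archive Utility, unzip) that do recreate symlinks; run `audit_zip` on
the bytes before handing them to such a tool and refuse the archive on any
finding.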

------
silvestrov
I really cannot see any reason that the NFS automounter should be enabled by
default on a macOS system.

That should be disabled by Apple, if not removed completely.

~~~
ohithereyou
It is also specifically allowed outbound through Little Snitch 4 to the entire
Internet by default which seems very insecure to me.

------
cjcampbell
I may not be entirely right about this, but I believe that Gatekeeper relies
on xattr to mark files as quarantined. This is a feature that I wouldn't
expect to be available when mounting non-Apple filesystems.

If this is the case, a potential solution is to track external mounts and to
prompt a user when accessing a new drive for the first time, especially in the
case that the OS has read or written a new symbolic link pointing to an
external file system.

I agree with other commenters who say that the NFS auto-mounter should likely
default to off on fresh installs. If there is a concern about this breaking
enterprise configurations, set NFS to default into a prompt before mounting
mode.

As far as the issue of symbolic links in zip files, I'm not sure there's much
to be done (except perhaps issuing a warning that would be difficult for most
users to parse). I mentioned elsewhere that this functionality is not unique
to macOS or to zip.

The final issue that I see is that Finder hides so much metadata (which could
be useful for a reasonably sophisticated user). I'd like to see a prominent
indication of a cross-filesystem symbolic link. Likewise, it'd be worthwhile
to have a clear visual indication when browsing a remote file system.

------
smelendez
Why are external drives and NFS shares considered trusted to begin with?

~~~
Someone
Internal drives are, too.

Gatekeeper (in a wider sense) actually is two things:

Firstly, it is a user setting choosing what software to trust: only software
downloaded from the Mac App Store, everything that’s signed, or ‘everything’.

The first two settings require applications to be signed. That doesn’t say
anything about whether they are safe to run, but it does allow Apple to find
out who developed malware, if it is discovered.

Secondly, applications that download executables can opt in to signaling to
Gatekeeper “the first time the user runs this executable, ask for user
confirmation”. They do that by setting an extended file attribute on the
executable. Gatekeeper removes it if the user indicates the executable can be
run.

Neither feature cares from where the executable is launched. External drives
are very common (think USB drives), so they ‘had’ to be included. I would
guess NFS shares slipped through the net, but possibly, there are companies
that use NFS shares.

Of course, that “opt-in” is a weak point. They couldn’t do a lot better
because, when Gatekeeper was introduced, users already had lots of
executables, and they didn’t want users to pick the ‘everything’ option after
being bombarded with Gatekeeper dialogs.
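
The extended attribute the comment above describes, and the point cjcampbell
raises earlier about filesystems that cannot carry it, as an added example
(not code from the advisory or from Apple). The sample attribute value is
constructed (its timestamp and UUID are made up); the field layout of
com.apple.quarantine (hex flags, hex Unix timestamp, downloading agent, event
UUID, separated by semicolons) is the real one. The flag bits are returned raw
rather than decoded.

```python
from __future__ import annotations

import errno
import os
import subprocess
from datetime import datetime, timezone

# Name of the extended attribute Gatekeeper checks for on first launch.
QUARANTINE_XATTR = "com.apple.quarantine"

# Constructed sample value (timestamp and UUID invented for the example).
SAMPLE_VALUE = "0081;5d0a9c3e;Safari;F0A5C0F3-1B2C-4D5E-8F90-ABCDEF123456"


def parse_quarantine(value: str) -> dict:
    """Split a com.apple.quarantine value into its fields. The flag bits are
    returned as an integer; their individual meanings are not decoded here."""
    fields = value.split(";")
    if len(fields) < 2:
        raise ValueError(f"unexpected quarantine value: {value!r}")
    flags = int(fields[0], 16)
    timestamp = int(fields[1], 16)
    return {
        "flags": flags,
        "timestamp": timestamp,
        "downloaded_at": datetime.fromtimestamp(timestamp, timezone.utc).isoformat(),
        "agent": fields[2] if len(fields) > 2 else "",
        "uuid": fields[3] if len(fields) > 3 else "",
    }


def read_quarantine(path: str) -> tuple[str, str | None]:
    """Report whether a file carries the quarantine attribute.

    Returns ("present", value), ("absent", None) or ("unsupported", reason).
    The third case is the one that matters for this thread: a filesystem that
    does not store extended attributes cannot carry the flag at all, so a file
    reached through it never triggers the first-run prompt."""
    if hasattr(os, "getxattr"):  # CPython exposes os.getxattr on Linux
        try:
            return ("present", os.getxattr(path, QUARANTINE_XATTR).decode())
        except OSError as exc:
            if exc.errno == errno.ENOENT:
                raise
            absent = (errno.ENODATA, getattr(errno, "ENOATTR", errno.ENODATA))
            if exc.errno in absent:
                return ("absent", None)
            return ("unsupported", os.strerror(exc.errno))
    # macOS: CPython has no os.getxattr there, so use the xattr(1) tool.
    proc = subprocess.run(
        ["xattr", "-p", QUARANTINE_XATTR, path], capture_output=True, text=True
    )
    if proc.returncode == 0:
        return ("present", proc.stdout.strip())
    if "No such xattr" in proc.stderr:
        return ("absent", None)
    return ("unsupported", proc.stderr.strip())


if __name__ == "__main__":
    import sys

    for p in sys.argv[1:]:
        status, detail = read_quarantine(p)
        print(p, status, parse_quarantine(detail) if status == "present" else detail)
```

Running it against a freshly downloaded app on the local disk should report
"present"; against the same file reached through an NFS automount, or any
mount that drops extended attributes, the attribute is simply not there to
check, which is the gap the bypass relies on.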

------
judge2020
The author says it works "<= 10.14.5", but no mention of the current beta
available, 10.14.6. I wonder if the beta fixes this.

~~~
saagarjha
FWIW, on macOS Mojave 10.14.6 Beta (18G29g), /etc/auto_master still looks like
this:

    #
    # Automounter master map
    #
    +auto_master  # Use directory service
    /net   -hosts  -nobrowse,hidefromfinder,nosuid
    /home   auto_home -nobrowse,hidefromfinder
    /Network/Servers -fstab
    /-   -static
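
The same map with the /net entry disabled, as silvestrov and cjcampbell
suggest above; this is an added example, not a file from the advisory or from
Apple. The `-hosts` map is what turns `/net/<host>/<path>` into an on-demand
NFS mount of whatever host a symlink names, so commenting it out is the
narrowest change that keeps the other maps intact.

```text
#
# Automounter master map
#
+auto_master  # Use directory service
# /net disabled: -hosts mounts any NFS export a path or symlink names, with no prompt
# /net   -hosts  -nobrowse,hidefromfinder,nosuid
/home   auto_home -nobrowse,hidefromfinder
/Network/Servers -fstab
/-   -static
```

After saving the edit, `sudo automount -vc` flushes the automounter cache and
reloads the maps, so the change takes effect without a reboot.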

------
musicale
I noticed that automounter entry recently and was like "wait, why did I have
this?"

OTOH I might have left it in there to make it easier to mount NFS volumes.

------
hypervis0r
The author disabled resizing (zooming) on mobile, leaving the text unreadable.
Why do people do this at all? I've seen it happen so often.

~~~
knolan
Zooms fine for me on my iPhone 7. Reader mode also works, which is like a
magic fix crappy website button nowadays.

Tangentially, has anyone noticed a weird zooming bug on mobile Safari that
appears to cancel a zoom gesture and jump back to the unzoomed view? Quitting
the app from the app switcher appears to fix it.

~~~
clairity
> “Tangentially, has anyone noticed a weird zooming bug on mobile Safari that
> appears to cancel a zoom gesture and jump back to the unzoomed view?
> Quitting the app from the app switcher appears to fix it.”

yes, it happens on my ipad pro running ios 12.2 (16E227). have been meaning to
upgrade thinking that would fix it, but maybe that’s not the case?

~~~
lstamour
Happens on my iPad Pro in the latest 12.4 betas, I can only bypass it by
slowing down as I’ve zoomed in, a quick gesture snaps back and is ignored, but
a quick gesture followed by waiting a second seems to preserve the zooming in.
It happens most often on this site, for me, probably because I’m trying to
zoom in to click tiny links, even on an iPad Pro.

~~~
knolan
I had noticed that it appears to happen a lot here on HN but I didn’t want to
say in case of confirmation bias.

------
OldHand2018
This is an interesting bug. But is it a good idea for an attacker to allow for
wide-open NFS mounting of their attack server?

~~~
Karliss
It isn't really a problem. The attacker would probably not run it on their own
computer but on some other compromised computer instead. It also doesn't have
to be a full NFS server, only the minimal functionality to deliver a single
file.

------
circa
Someone should inform the KeyMaster

~~~
enraged_camel
Are you the KeyMaster?

------
mosselman
“Since Apple is aware of my 90 days disclosure deadline, I make this
information public.”

Great, so now, potentially, there are lots of people who will lose all of
their baby photos, lose money or even their contact with people who are
important to them just because of some arbitrary number of days you made up
and because you feel slighted by apple.

This could have real consequences and you can’t expect a big company to move
faster just because you want them to. I have no knowledge of the internals of
the development of MacOS, but maybe this isn’t trivial to fix.

~~~
outlog
"..This issue was supposed to be addressed, according to the vendor, on May
15th 2019 but Apple started dropping my emails."

I believe Apple could easily have asked for an extension, if solving it was
complex.. Apple chose not to.

(from the information available to us..)

~~~
mosselman
"on May 15th 2019 but Apple started dropping my emails"

What does that mean? Is there proof? How long do you wait before you call not
getting a response 'dropping'?

The potential consequences require more than this.

~~~
simondedalus
You would have a point if the exploit were more serious, and looked harder to
fix than it does.

As is, this is a phishing type variant that it’s not at all clear gatekeeper
was even designed to stop. However, the default behavior described (especially
making symlinks to NFS shares without any sort of warning or special graphic
when following them in Finder) seems sufficient for forceful language when
complaining about it to Apple / giving a disclosure deadline then publishing.

