When Dropbox hired a security firm to perform a Red Team cyber attack simulation on their services, little did they know that they would discover zero day vulnerabilities in Apple products that could affect much more than their company.
In a blog post by Dropbox, they explain how they routinely perform attack simulations to test the effectiveness of their security systems and policies. In a recent test, Dropbox's goal was to test how well their systems could detect and track a successful breach.
"We’ve invested a lot in our hardening, detection, alerting, and response capabilities at Dropbox," stated Chris Evans, Head of Security, in a blog post. "Even if an attacker breaks in and accesses various systems in our environments without triggering an alarm, we have extensive instrumentation to trace activity post-exploitation. So how do we know we’re doing a good job? That’s the kind of testing we were going for with our most recent attack simulation. Our testing goals included measuring the steady-state of our detection and alerting program, as well as measuring our team’s response when a breach has been identified. Identifying new ways to break into Dropbox was in scope for this engagement, but even if none were found, we were going to simulate the effects of a breach by just planting malware ourselves (discretely, of course, so as not to tip off the detection and response team)."
What they did not expect, though, was for their external security partner Syndis to discover multiple zero-day vulnerabilities in Apple software. When these vulnerabilities were chained together, they could allow commands to be remotely executed on a vulnerable macOS computer simply by visiting a malicious web site.
These vulnerabilities were disclosed to Apple by Syndis and Dropbox on February 19th and fixed within a month with the release of their March 29th, 2018 security updates.
Remote code execution vulnerabilities are classified as Critical as they could allow attackers to essentially run any command they want on a vulnerable computer from a remote site.
When Syndis performed their test they discovered that three previously unknown vulnerabilities could be chained together into a two-stage exploit that would perform remote code execution on a vulnerable macOS computer.
The first vulnerability is in the macOS CoreTypes.bundle that lists safe items that can be opened by Safari. In this case, .smi (Self-Mounting Images) were incorrectly assigned to CoreTypes and thus were allowed to be opened by Safari. This allowed a web page to mount a disk image on a visitor's macOS computer simply by visiting a malicious web page.
The second vulnerability is related to how Disk Images are mounted in macOS. When creating a self-mount image, an attacker can use a bootable volume utility called bless and its --openfolder argument to cause a particular folder to open when the volume is mounted. What is not disclosed in the documentation is that if you specified a .bundle file, which are applications packaged as a directory, as the argument to --openfolder it would cause the application to launch.
With these two vulnerabilities chained together, an attacker could now get an image to automatically mount and an application to launch, but Gatekeeper would still block it from executing.
The final vulnerability and the last piece in the puzzle is a Gatekeeper bypass in LaunchServices. Using a legitimate signed Terminal.app and modifying its Info.plist in order to register a new associated file extension, Syndis was able to bypass Gatekeeper when a script used this new extension.
In a demonstration, shown below, you can see the chained two-stage attack created by Syndis that ultimately caused the Calculator app to open by simply visiting a malicious remote web site.
"Syndis was able to chain these together in a two-stage exploit to achieve arbitrary code execution for a user who visits a specially crafted web page with Safari," continued the blog post. "The first stage includes a modified version of the Terminal app, which is registered as a handler for a new file extension (.workingpoc). In addition it would contain a blank folder called “test.bundle” which would be set as the default “openfolder” which automatically would open /Applications/Terminal.app without prompt. The second stage includes an unsigned shellscript with the extension “.workingpoc” which is then executed within the running Terminal application without prompt."
As security updates for these vulnerabilities were released in March 2018, most users should have them installed already and are now protected. If not, you should make to sure to install all monthly security updates in order to stay protected from vulnerabilities like these.