MacOS High Sierra zero-day shows Keychain passwords in plain text

27 Sep 2017

MacOS users who are starting the upgrade to High Sierra – and those who are using El Capitan – are vulnerable to a proof-of-concept attack that shows their online passwords in plain text, according to Synack security researcher Patrick Wardle.

He discovered that Mac Keychain, a native password management tool, can store online account usernames and passwords in plain text, allowing malicious applications direct access to the account details. However, the Keychain is generally protected by a master password.

Wardle revealed the details in a video that showed a demonstration of the attack.

"I discovered a flaw where malicious non-privileged code (or apps) could programmatically access the keychain and dump all this data, including your plain text passwords. This is not something that is supposed to happen," he adds in a Patreon blog.

He believes the malware would reach systems through malicious email attachments, fake popups or legitimate websites that have been compromised. The malicious code can be either a signed or an unsigned application, he says.

"Essentially any malicious code can perform this attack. Yes, this includes signed apps as well," he says.

Malware could theoretically steal credit card numbers or PIN numbers for bank accounts stored in the Keychain tool.

In the video, Wardle uses Netcat and ‘exfil keychain’ to mine the Keychain tool for usernames and passwords. High Sierra provides no warning signs that malicious activity is taking place.

So far, Apple does not appear to have released a patch for the vulnerability.

"This attack is local, meaning malicious adversaries have to first compromise your Mac in some way. So best bet - don't get infected. This means run the latest version of macOS and don't run random apps from emails or the web. Also, this attack requires that the keychain is unlocked. By default the keychain is unlocked when the user logs in. However, you can change the keychain password (so it is not automatically unlocked during login), or (via the Keychain Access app) lock the keychain while you are not using it."
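The second mitigation Wardle mentions can be scripted rather than clicked through in Keychain Access. The following is an added example, not code from the article or from Wardle's research: it uses Apple's `security` command to make the login keychain lock on sleep and after a period of inactivity, so code that lands on the machine later finds it locked. The keychain path and the 600-second default are assumptions.

```shell
#!/bin/sh
# Added example (not from the article): auto-lock the login keychain.
# Assumes the default login keychain path on recent macOS and a
# 600-second fallback timeout; both are assumptions, not article values.
set -u

LOGIN_KEYCHAIN="${HOME}/Library/Keychains/login.keychain-db"
DEFAULT_TIMEOUT=600

# Accept only a whole number of seconds between 60 and 86400 (one day);
# anything else falls back to the default so a typo never disables locking.
lock_timeout_or_default() {
  case "$1" in
    ''|*[!0-9]*) echo "$DEFAULT_TIMEOUT"; return 0 ;;
  esac
  if [ "$1" -lt 60 ] || [ "$1" -gt 86400 ]; then
    echo "$DEFAULT_TIMEOUT"
  else
    echo "$1"
  fi
}

# Apply the settings: -l locks on sleep, -u locks after inactivity,
# -t sets that inactivity timeout in seconds. With a second argument of
# "dry" the command is printed instead of run, so it can be reviewed first.
harden_login_keychain() {
  timeout=$(lock_timeout_or_default "$1")
  mode="${2:-run}"
  if [ "$mode" = "dry" ]; then
    echo "security set-keychain-settings -l -u -t $timeout $LOGIN_KEYCHAIN"
    return 0
  fi
  if ! command -v security >/dev/null 2>&1; then
    echo "security(1) not found; this only applies on macOS" >&2
    return 2
  fi
  security set-keychain-settings -l -u -t "$timeout" "$LOGIN_KEYCHAIN" &&
    security show-keychain-info "$LOGIN_KEYCHAIN"
}

# Lock the login keychain immediately (the "while you are not using it" step).
lock_login_keychain_now() {
  security lock-keychain "$LOGIN_KEYCHAIN"
}
```

Run `harden_login_keychain 300 dry` to see the command, then `harden_login_keychain 300` to apply it; `security show-keychain-info` confirms the resulting lock-on-sleep and timeout settings.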

Wardle says there are also issues in High Sierra’s Secure Kernel Extension Loading (SKEL) feature. The feature is a user approval mechanism before new third party kernel extensions are loaded.

He believes that it is unlikely attackers would use the vulnerability to load their own malicious kernel extensions directly. Instead, it is more likely that attackers will use it to load third-party ‘kexts’ that are already known to be exploitable, before Apple is able to blacklist them.

“Attackers can simply load such kexts, then exploit them to gain arbitrary code execution within the context of the kernel. Note that such blacklisting is often delayed as it can badly break legitimate functionality until the user has upgraded to a non-blacklisted version of the kext,” Wardle says in a blog.

“Of course though, as attackers we have the easier job – a single implementation flaw in SKEL may allow us to fully bypass it. Apple on the other hand, has to protect against everything. So, we’re always going to win…sometimes after just 20 minutes of poking,” he continues.

He says that when Apple introduces new security features, they only complicate matters for third-party developers and users, while attackers aren’t affected at all.

“Of course if Apple’s ultimate goal is simply to continue to wrestle control of the system away from its users, under the guise of ‘security’, I’m not sure any of this even matters,” Wardle concludes.