Story image

MacOS High Sierra zero-day shows Keychain passwords in plain text

27 Sep 17

MacOS users who are starting the upgrade to High Sierra – and  those who are using El Capitan – are vulnerable to a proof-of-concept attack that shows their online passwords in plain text, according to Synack security researcher Patrick Wardle.

He discovered that Mac Keychain, a native password management tool, can store online account usernames and passwords in plain text, allowing malicious applications direct access to the account details. However, the Keychain is generally protected by a master password.

Wardle revealed the details in a video that showed a demonstration of the attack.

"I discovered a flaw where malicious non-privileged code (or apps) could programmatically access the keychain and dump all this data, including your plain text passwords. This is not something that is supposed to happen,” he adds in a Patreon blog.

He believes malware must infect systems through malicious email attachments, fake popups or legitimate websites that have been compromised. These can come from both signed and unsigned applications, he says.

"Essentially any malicious code can perform this attack. Yes, this includes signed apps as well," he says.

Malware could theoretically steal credit card numbers or PIN numbers for bank accounts stored in the Keychain tool.

In the video, Wardle uses Netcat and ‘exfil keychain’ to mine the Keychain tool for usernames and passwords. High Sierra provides no warning signs that malicious activity is taking place.

So far, Apple does not appear to have released a patch for the vulnerability.

"This attack is local, meaning malicious adversaries have to first compromise your mac in some way. So best bet - don't get infected. This means run the latest version of macOS and don't run random apps from emails or the web. Also, this attack requires that the keychain is unlocked. By default the keychain is unlocked when the user logs in. However, you can change the keychain password (so it is not automatically unlocked during login, or (via the Keychain Access app) lock the keychain while you are not using it."

Wardle says there are also issues in High Sierra’s Secure Kernel Extension Loading (SKEL) feature. The feature is a user approval mechanism before new third party kernel extensions are loaded.

He believes that it is unlikely that attackers would use the vulnerability to directly load malicious kernel extensions. Instead, it is more likely that attackers will load ‘kexts’ before Apple is able to block them.

“Attackers can simply load such kexts, then exploit them to gain arbitrary code execution within the context of the kernel. Note that such blacklisting is often is delayed as it can badly break legitimate functionality until the user has upgraded to a non-blacklisted version of the kext,” Wardle says in a blog.

“Of course though, as attackers we have the easier job – a single implementation flaw in SKEL may allow us to fully bypass it. Apple on the other hand, has to protect against everything. So, we’re always going to win…sometimes after just 20 minutes of poking,” he continues.

He says that when Apple introduces new security features, it only complicated third-party development and users, while hackers aren’t affected at all.

“Of course if Apple’s ultimate goal is simply to continue to wrestle control of the system away from it users, under the guise of ‘security’, I’m not sure any of this even matters,” Wardle concludes.

NZ Internet Task Force joins iSANZ Hall of Fame
NZITF chair Barry Brailey and former chairs Mike Seddon and Paul McKitrick received the award in Auckland last week.
Quantum computing: The double-edged sword for cybersecurity
Quantum computing is quickly moving from science fiction to reality.
Three ways to achieve data security whilst enabling BYOD
"A mobility strategy is now more important than ever before, that said, selecting the right one is often no small task."
How IoT and hybrid cloud will change in 2019
"Traditional VPN software solutions are obsolete for the new IT reality of hybrid and multi-cloud."
WatchGuard’s eight (terrifying) 2019 security predictions
The next evolution of ransomware, escalating nation-state attacks, biometric hacking, Wi-Fi protocol security, and Die Hard fiction becomes reality.
GCSB's CORTEX project scoops iSANZ Award
“I believe this award is particularly significant as it is acknowledgement from our peers in the information security industry and from across the private sector."
NZ firms lack cybersecurity confidence, HP survey says
Out of 434 of New Zealand’s small and large businesses, only half (50%) feel confident that they would be able to cope if they experienced a significant cybersecurity breach.
SonicWall secures hybrid clouds by simplifying firewall deployment
Once new products are brought online in remote locations, administrators can manage local and distributed networks.