In today’s digital world the mouse, not the pen is arguably mightier than the sword. Via a single click, countless security mechanisms may be completely bypassed. Run untrusted app? click …allowed. Authorize keychain access? click …allowed. Load 3rd-party kernel extension? click …allowed. Authorize outgoing network connection? click …allowed. Luckily security-conscious users will (hopefully) heed such warning dialogues—stopping malicious code in its tracks. But what if such clicks can be synthetically generated and interact with such prompts in a completely invisible way? Well, then everything pretty much goes to hell.
Of course OS vendors such as Apple are keenly aware of this ‘attack’ vector, and thus strive to design their UI in a manner that is resistant against synthetic events. Unfortunately they failed.
In this talk we’ll discuss a vulnerability (CVE-2017-7150) found in all recent versions of macOS that allowed unprivileged code to interact with any UI component including ‘protected’ security dialogues. Armed with the bug, it was trivial to programmatically bypass Apple’s touted ‘User-Approved Kext’ security feature, dump all passwords from the keychain, bypass 3rd-party security tools, and much more! And as Apple’s patch was incomplete (surprise surprise) we’ll drop an 0day that (still) allows unprivileged code to post synthetic events and bypass various security mechanisms on a fully patched macOS box!
And while it may seem that such synthetic interactions with the UI will be visible to the user, we’ll discuss an elegant way to ensure they happen completely invisibly!