Apple still has problems with stopping synthetic clicks

Mac security researcher discloses zero-day to bypass ban on synthetic events.


Synthetic events remain a big security hole for macOS in spite of Apple's recent efforts to prevent malicious applications from abusing this feature.

Speaking at the second edition of the Objective by the Sea security conference, held in Monaco over the weekend, Patrick Wardle, a well-known Apple security expert, revealed a zero-day in Apple's macOS operating system, including the new version launched today.

The zero-day is a bypass of the security protections that Apple has put in place to prevent unauthorized access to synthetic events.

The danger behind synthetic events

Synthetic events are a macOS mechanism that allows applications to automate mouse clicks and keyboard input. It was created for the sake of automation and can be used via either the Core Graphics framework or the AppleScript scripting language.

Over the past few years, malware strains such as DevilRobber, FruitFly, and Genieo have abused synthetic events to automate operations on infected hosts.

Malware strains that abuse synthetic events are incredibly dangerous and intrusive, as they can bypass Apple and third-party security products by automatically dismissing alerts.

Furthermore, synthetic events can also load kernel extensions, dump victims' keychain passwords, get a system's geo-location data, steal contacts, adjust OS preferences, access the webcam, run terminal commands, and more.

The sky's the limit for any malware incorporating synthetic events -- mainly due to the feature's design and deep level of access.

New zero-day bypasses ban on synthetic events

For almost two years now, Wardle has been looking at Apple's countermeasures aimed to prevent the abuse of synthetic events.

He previously showed two methods [1, 2] of bypassing Apple's synthetic events protections, so much so that Apple decided last year to block access to synthetic events by default.

But over the weekend, Wardle disclosed a new way of bypassing these latest protections, once again.

"It's the gift that keeps giving," Wardle told ZDNet via email. "And actually gets more and more valuable as Apple adds more protections (privacy and security mechanisms) that can be 'allowed' by a single synthetic click."

The new technique is possible because of the Transparency Consent and Control (TCC) system. Wardle says the TCC contains a compatibility database in the form of a file named AllowApplications.plist.

This file lists apps and app versions that are allowed to access various privacy and security features, including synthetic events.

"This is an area where Apple often struggles - comprehensively patching bugs or bug classes," Wardle told ZDNet. "I thought they had got it right in Mojave, as they appeared initially to just block all synthetic clicks. But as always the devil is in the details," he said.

TCC app validation bug

According to Wardle, this hidden TCC database contains a bug that can be exploited to grant malicious threat actors access to synthetic events.

macOS is supposed to verify that an app requesting access to synthetic events is in fact on the TCC list. It is meant to do this by checking both that the app is signed and that its contents have not been tampered with. However, Wardle says that only the first check is performed.

This allows a malicious threat actor who has minimal access to a system to download any of the apps found in the AllowApplications.plist file, append code that interacts with synthetic events, and run it to bypass Apple's existing ban on synthetic events.

Image: Synthetic events bypass (Patrick Wardle)

"For example, VLC is on the list, so in theory Apple is attempting to verify that when it sees an app named VLC, it's really the VLC.app, and that it's a pristine (un-modified) version by checking that app's code-signing information (i.e. it's signed by the VLC developer and that the signature is still valid)," Wardle said.

"The issue is that the verification is incomplete, so they only end up checking that the app is signed by who they think it should be (i.e. VLC, signed by VLC developer), but not the executable code or application resources.

"So yes, you can append malicious code, or add malicious resources etc.," Wardle added.

"As an example, VLC loads plugins from its app bundle. So we can just drop in a new (malicious unsigned) plugin. It gets loaded, and is allowed to generate synthetic clicks," Wardle said.

The security researcher told ZDNet that he notified Apple of this issue more than a week ago. "I believe a patch is in the works, though I don't know the timeline for its release," Wardle said.
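The gap Wardle describes, a check that confirms who signed the app but never looks at what is actually inside the bundle, is the kind of thing a walk over the code-signature resource seal catches. The following is an added example, not Wardle's code and not Apple's TCC logic: it reads a bundle's CodeResources seal, reports files that are absent from it or have changed since signing, and builds a constructed VLC-like bundle to show a dropped-in plugin and an edited resource being flagged. It assumes the CodeResources layout (files2 entries with a SHA-256 hash2 for plain files and a cdhash for nested code) and that Info.plist, PkgInfo and the main executable are covered by the signature itself rather than by the seal.

```python
"""Report files in a macOS app bundle that its code-signature seal does not cover.
codesign seals plain files in Contents/_CodeSignature/CodeResources: 'files2' maps
each relative path to a SHA-256 'hash2' (nested code gets a 'cdhash' instead).
A file absent from the seal, or with a different hash, was added or changed
after signing, which an identity-only signer check never notices."""
import hashlib, plistlib, tempfile
from pathlib import Path

# Assumption: covered by the code directory itself, not by the resource seal.
UNSEALED = {"Info.plist", "PkgInfo", "_CodeSignature/CodeResources"}

def find_unsealed_files(bundle: Path) -> dict:
    """Return {path under Contents/: 'missing-from-seal' | 'hash-mismatch'}."""
    contents = bundle / "Contents"
    with open(contents / "_CodeSignature/CodeResources", "rb") as fh:
        files2 = plistlib.load(fh).get("files2", {})
    sealed = {p: e["hash2"] for p, e in files2.items() if "hash2" in e}
    nested = [p for p, e in files2.items() if "cdhash" in e]
    with open(contents / "Info.plist", "rb") as fh:
        main_exe = "MacOS/" + plistlib.load(fh)["CFBundleExecutable"]
    findings = {}
    for path in contents.rglob("*"):
        rel = path.relative_to(contents).as_posix()
        if (not path.is_file() or rel in UNSEALED or rel == main_exe
                or any(rel == n or rel.startswith(n + "/") for n in nested)):
            continue  # unsealed by design, or nested code with its own signature
        if rel not in sealed:
            findings[rel] = "missing-from-seal"
        elif hashlib.sha256(path.read_bytes()).digest() != sealed[rel]:
            findings[rel] = "hash-mismatch"
    return findings

def demo() -> dict:
    """Constructed VLC-like bundle: seal it, then tamper the way the bug allows."""
    root = Path(tempfile.mkdtemp()) / "VLC.app" / "Contents"
    for rel in ("MacOS/VLC", "Resources/vlc.icns", "MacOS/plugins/libok.dylib"):
        (root / rel).parent.mkdir(parents=True, exist_ok=True)
        (root / rel).write_bytes(b"constructed " + rel.encode())
    with open(root / "Info.plist", "wb") as fh:
        plistlib.dump({"CFBundleExecutable": "VLC"}, fh)
    icns = hashlib.sha256((root / "Resources/vlc.icns").read_bytes()).digest()
    seal = {"files2": {"Resources/vlc.icns": {"hash2": icns},
                       "MacOS/plugins/libok.dylib": {"cdhash": b"\x00" * 20}}}
    (root / "_CodeSignature").mkdir()
    with open(root / "_CodeSignature/CodeResources", "wb") as fh:
        plistlib.dump(seal, fh)
    # Post-signing changes: an unsigned plugin dropped in, a resource edited.
    (root / "MacOS/plugins/libdropped.dylib").write_bytes(b"unsealed plugin")
    (root / "Resources/vlc.icns").write_bytes(b"edited after signing")
    return find_unsealed_files(root.parent)
```

On a real bundle, nested code that the walk skips still needs its own signature verified; the script only shows which plain files an identity-only check would have let through.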
