Apple's Gatekeeper security software for macOS (Mac OS X) is vulnerable to remote attacks up to version 10.14.5. An attacker anywhere in the world can exploit MacBooks and other Mac computers by sharing a single ZIP file.

The vulnerability was discovered by Filippo Cavallarin, a security researcher and CEO of We Are Segment, an Italian cyber-security company. In his blog post, Filippo demonstrates how a remote attacker can exploit the vulnerability. His video (below) also shows it in action.

At the time of this writing, there is no patch for the vulnerability. It affects macOS Mojave 10.14.5 and all prior versions according to Filippo, so High Sierra, Sierra, El Capitan, Yosemite, and so on are likely all vulnerable. He had made several attempts over three months to communicate the issue to Apple but had not received a follow-up response after responsibly disclosing the vulnerability. Filippo recently told us that Apple finally replied late and will fix the security vulnerability in macOS Mojave 10.14.6.

I'm going to show how an attacker would exploit the vulnerability. But before we dive into setting up the attack, let's quickly go over three essential technologies.

- Gatekeeper: A security feature of macOS designed to ensure that only trusted applications run on a Mac computer. Normally, when an app is downloaded through a web browser, Gatekeeper will either confirm the software is from a verified developer or immediately flag it as suspicious. With Filippo's exploit, Gatekeeper doesn't prevent a malicious app from executing.
- Symbolic Links: Useful for maintaining copies of the same file in multiple directories. A symbolic link (aka symlink) can point to a file or directory in another directory or on a remote computer. In this exploit, a symlink is used to point to a directory on the attacker's server. In macOS, symlinks that point to remote servers are automatically mounted and trusted by Gatekeeper.
- Network File System: A distributed file system protocol similar to SMB. The symlink invokes a connection to the attacker's Network File System (NFS) share, which contains the malicious payload.app.

The setup outlined in this article will use a fake text file in a shared NFS directory. Keep in mind, the payload(s) can be disguised as any file type, including PDF, MP4, and JPEG. An app with a spoofed icon and file extension can be challenging to detect. At a glance, it's difficult to identify the malicious file.

An NFS share will first be set up on a Debian 9 virtual private server (VPS). Then, two files will be created: payload.app and exploit.zip. The payload.app is the file stored on the NFS share, intended for the target MacBook user, and will execute a persistence command that abuses crontab. The exploit.zip is the file shared with the target user and will contain the symlink that allows the attacker to bypass Gatekeeper's security features. Finally, Netcat is configured on the VPS to receive reverse shell connections, and the exploit.zip is shared with the target via email.

To get started, SSH into the server where the NFS share will be installed. The attack can be set up on a local network (e.g., from 192.168.1.2 in Kali), but this exploit allows an attacker to hack MacBooks from anywhere in the world, so let's take full advantage of that with a VPS demonstration.

Use the below apt-get command to install the necessary NFS software (the two commands are chained with `&&` so the install only runs after the update succeeds).

```bash
~$ sudo apt-get update && sudo apt-get install nfs-common nfs-kernel-server
```

```
The following additional packages will be installed:
  keyutils libevent-2.0-5 libnfsidmap2 libtirpc1 rpcbind
The following NEW packages will be installed:
  keyutils libevent-2.0-5 libnfsidmap2 libtirpc1 nfs-common nfs-kernel-server rpcbind
0 upgraded, 7 newly installed, 0 to remove and 58 not upgraded.
After this operation, 2,037 kB of additional disk space will be used.
```

The NFS service will probably start automatically; that's normal. Check the status of the service using the systemctl command.

```
Loaded: loaded (/lib/systemd/system/rvice; enabled; vendor preset: enabled)
Active: active (exited) since Sun 22:16:48 UTC; 33s ago
Main PID: 14386 (code=exited, status=0/SUCCESS)
May 26 22:16:48 deb1 systemd: Starting NFS server and services.
May 26 22:16:48 deb1 systemd: Started NFS server and services.
```

Make a working directory where the payload.app will be stored and shared. My example will use fake text files representing "invoices," so the NFS directory will be called "monthly" (e.g., monthly invoices).

Next, edit the /etc/exports file where the NFS shares are managed. Use echo to make the /nfs/monthly directory remotely accessible to the target MacBook user. The output is piped through `sudo tee` because a plain `sudo echo ... > /etc/exports` would run the redirect as the unprivileged user and fail with "Permission denied".

```bash
~$ echo '/nfs/monthly *(insecure,rw,no_root_squash,anonuid=1000,anongid=1000,async,nohide)' | sudo tee /etc/exports
```

Restart the NFS service with the following command.
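A defender's counterpart to the export line above, added here as an example and not part of the original article or Filippo's work: a small audit that parses /etc/exports entries and flags the options that make a share like this reachable from any host, writable, and open to remote root. The weak line is the article's own; the tightened line beside it and the 10.0.0.0/24 subnet are constructed for the example.

```python
import re
from typing import Dict, List, Tuple

# Export options that widen the blast radius of an NFS share. The article's
# example export line turns all three on; a host-side audit should flag them.
RISKY_OPTIONS = {
    "no_root_squash": "remote root keeps uid 0 on the share",
    "insecure": "accepts requests from unprivileged source ports",
    "rw": "share is writable by every permitted client",
}

EXPORT_RE = re.compile(r"^(\S+)\s+(.*)$")
# Either "client(opt,opt)" or a bare client with default options.
CLIENT_RE = re.compile(r"(\S+?)\(([^)]*)\)|(\S+)")


def parse_exports(text: str) -> List[Tuple[str, List[Tuple[str, List[str]]]]]:
    """Parse /etc/exports text into [(path, [(client_spec, [options])])]."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        m = EXPORT_RE.match(line)
        if not m:
            continue
        path, rest = m.group(1), m.group(2)
        clients = []
        for cm in CLIENT_RE.finditer(rest):
            if cm.group(1) is not None:
                clients.append((cm.group(1), [o for o in cm.group(2).split(",") if o]))
            else:
                clients.append((cm.group(3), []))  # client with default options
        entries.append((path, clients))
    return entries


def audit_exports(text: str) -> Dict[str, List[str]]:
    """Return {export_path: [finding, ...]} for every entry with a risky setting."""
    findings: Dict[str, List[str]] = {}
    for path, clients in parse_exports(text):
        notes = []
        for client, opts in clients:
            if client == "*":
                notes.append("exported to any host (*)")
            notes.extend(f"{o}: {RISKY_OPTIONS[o]}" for o in opts if o in RISKY_OPTIONS)
        if notes:
            findings[path] = notes
    return findings


# Constructed samples: the article's export line next to a tightened version.
WEAK_EXPORTS = "/nfs/monthly *(insecure,rw,no_root_squash,anonuid=1000,anongid=1000,async,nohide)\n"
HARDENED_EXPORTS = "# one subnet, read-only, root squashed, privileged ports only\n/nfs/monthly 10.0.0.0/24(ro,root_squash,sync,secure)\n"
```

Running `audit_exports` over the real file (`open("/etc/exports").read()`) on the NFS host gives an empty dict only when no export is world-reachable, writable, or root-preserving.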