Story image

MacOS High Sierra zero-day shows Keychain passwords in plain text

27 Sep 17

MacOS users who are starting the upgrade to High Sierra – and  those who are using El Capitan – are vulnerable to a proof-of-concept attack that shows their online passwords in plain text, according to Synack security researcher Patrick Wardle.

He discovered that Mac Keychain, a native password management tool, can store online account usernames and passwords in plain text, allowing malicious applications direct access to the account details. However, the Keychain is generally protected by a master password.

Wardle revealed the details in a video that showed a demonstration of the attack.

"I discovered a flaw where malicious non-privileged code (or apps) could programmatically access the keychain and dump all this data, including your plain text passwords. This is not something that is supposed to happen,” he adds in a Patreon blog.

He believes malware must infect systems through malicious email attachments, fake popups or legitimate websites that have been compromised. These can come from both signed and unsigned applications, he says.

"Essentially any malicious code can perform this attack. Yes, this includes signed apps as well," he says.

Malware could theoretically steal credit card numbers or PIN numbers for bank accounts stored in the Keychain tool.

In the video, Wardle uses Netcat and ‘exfil keychain’ to mine the Keychain tool for usernames and passwords. High Sierra provides no warning signs that malicious activity is taking place.

So far, Apple does not appear to have released a patch for the vulnerability.

"This attack is local, meaning malicious adversaries have to first compromise your mac in some way. So best bet - don't get infected. This means run the latest version of macOS and don't run random apps from emails or the web. Also, this attack requires that the keychain is unlocked. By default the keychain is unlocked when the user logs in. However, you can change the keychain password (so it is not automatically unlocked during login, or (via the Keychain Access app) lock the keychain while you are not using it."

Wardle says there are also issues in High Sierra’s Secure Kernel Extension Loading (SKEL) feature. The feature is a user approval mechanism before new third party kernel extensions are loaded.

He believes that it is unlikely that attackers would use the vulnerability to directly load malicious kernel extensions. Instead, it is more likely that attackers will load ‘kexts’ before Apple is able to block them.

“Attackers can simply load such kexts, then exploit them to gain arbitrary code execution within the context of the kernel. Note that such blacklisting is often is delayed as it can badly break legitimate functionality until the user has upgraded to a non-blacklisted version of the kext,” Wardle says in a blog.

“Of course though, as attackers we have the easier job – a single implementation flaw in SKEL may allow us to fully bypass it. Apple on the other hand, has to protect against everything. So, we’re always going to win…sometimes after just 20 minutes of poking,” he continues.

He says that when Apple introduces new security features, it only complicated third-party development and users, while hackers aren’t affected at all.

“Of course if Apple’s ultimate goal is simply to continue to wrestle control of the system away from it users, under the guise of ‘security’, I’m not sure any of this even matters,” Wardle concludes.

How to stay safe when shopping online
Online shopping is a great way to avoid the crowds – but there are risks.
Dell EMC embeds security in latest servers
Dell EMC's 14th generation of PowerEdge servers has comprehensive management tools to provide security across hardware and firmware.
Why data backups should be a part of daily operations
"Disaster recovery needs to address complete system failure and provide a set of security policies to govern disaster incidents."
Businesses focusing on threats from within - survey
Over 50% of respondents reported that 100 days of dwell time or more was representative of their organisation.
Corelight and Exabeam partner to improve network monitoring
The combination of lateral movement and siloed usage of point security products leaves many security teams vulnerable to compromise.
SailPoint releases first identity annual report
SailPoint’s research found that many organisations are lacking maturity in their governance processes over identities.
Disruption in the supply chain: Why IT resilience is a collective responsibility
"A truly resilient organisation will invest in building strong relationships while the sun shines so they can draw on goodwill when it rains."
Businesses too slow on attack detection – CrowdStrike
The 2018 CrowdStrike Services Cyber Intrusion Casebook reveals IR strategies, lessons learned, and trends derived from more than 200 cases.