Saturday, December 2, 2023

macOS Zero-day Flaw Allow Hackers to Bypass Kernel Protection by Invisible Mouse Click Attack

A Presentation that was demonstrated during the Def Con 2018 regarding the Zero-day vulnerability that discovered in macOS High Sierra OS allows let an attacker access the kernel using invisible mouse clicks.

Basically, kernel level access allows gaining unparalleled access to the attackers in the compromised operating system.

Patrick Wardle, A Chief researcher in Digita Security and Ex, NSA Hacker uncovered a flaw in High Sierra OS that two consecutive synthetic mouse “down” events were incorrectly interpreted the programmatic clicks as a manual approval by High Sierra.

Patrick explained that vulnerability in High Sierra operating system by that two lines of code that could allow a local attacker to virtually “click” a security prompt and thus load a kernel extension.

This macOS flaw allows unprivileged code to interact with any UI component including the ‘protected’ security dialogues.

This attack is performed by invisible mouse clicks also called as synthetic clicks and Apple disables these kinds of mouse clicks for users to interact with UI and blocking the malware to performing programmatic clicks.

But This flaw (CVE-2017-7150) in all recent versions of macOS that incorrectly interprets the synthetic two-down sequence as a mouse “down” and “up.” as legitimate mouse clicks that interact with High Sierra’s user interface that attempts to prevent the loading of kernel extensions.

Patrick said, “Two lines of code completely break this security mechanism,” he said. “It is truly mind-boggling that such a trivial attack is successful. I’m almost embarrassed to talk about the bug as it’s so simple — though I’m actually more embarrassed for Apple.”

Patrick Found this bug by accident when copying and pasting the code. he explained that, I copied and pasted the code for a synthetic mouse down twice accidentally – forgetting to change a value of a flag that would indicate a mouse “up” event. Without realizing my ‘mistake,’ I compiled and ran the code, and honestly was rather surprised when it generated an allowed synthetic click!”

In this case, If malware can use that trick to install a kernel extension, it can often exploit that added code to gain full control of a targeted machine.

“Before an attacker can load a (signed) kernel extension, the user has to click an ‘allow’ button. This recent security mechanism is designed to prevent rogue attacks from loading code into the kernel. If this mechanism is bypassed its game over,” Wardle said.

A piece of malware can install that extension and then exploit its flaw to take control of the kernel. Wardle points out that the Slingshot malware used this exact technique.

Of course, OS vendors such as Apple are keenly aware of this ‘attack’ vector, and thus strive to design their UI in a manner that is resistant against synthetic events. Unfortunately, they failed.

Also Read

Dangerous macOS Backdoor That Steals User Login Credentials Remained Undetected for Years

Apple Released Security Updates for iOS, macOS, Safari, iTunes – iOS 11.4.1 Released

MACOS Malware Targeting Cryptocurrency Users On Slack and Discord – 100% Undetected Virustotal


Latest articles

Active Attacks Targeting Google Chrome & ownCloud Flaws: CISA Warns

The CISA announced two known exploited vulnerabilities active attacks targeting Google Chrome & own...

Cactus Ransomware Exploiting Qlik Sense code execution Vulnerability

A new Cactus Ransomware was exploited in the code execution vulnerability to Qlik Sense...

Hackers Bypass Antivirus with ScrubCrypt Tool to Install RedLine Malware

The ScrubCrypt obfuscation tool has been discovered to be utilized in attacks to disseminate the RedLine Stealer...

Hotel’s Hacked Logins Let Attacker Steal Guest Credit Cards

According to a recent report by Secureworks, a well-planned and advanced phishing attack was...

Critical Zoom Vulnerability Let Attackers Take Over Meetings

Zoom, the most widely used video conferencing platform has been discovered with a critical...

Hackers Using Weaponized Invoice to Deliver LUMMA Malware

Hackers use weaponized invoices to exploit trust in financial transactions, embedding malware or malicious...

US-Seized Crypto Currency Mixer Used by North Korean Lazarus Hackers

The U.S. Treasury Department sanctioned the famous cryptocurrency mixer Sinbad after it was claimed...
BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.

API Attack Simulation Webinar

Live API Attack Simulation

In the upcoming webinar, Karthik Krishnamoorthy, CTO and Vivek Gopalan, VP of Products at Indusface demonstrate how APIs could be hacked.The session will cover:an exploit of OWASP API Top 10 vulnerability, a brute force account take-over (ATO) attack on API, a DDoS attack on an API, how a WAAP could bolster security over an API gateway

Related Articles