macOS Zero-day Flaw Allow Hackers to Bypass Kernel Protection by Invisible Mouse Click Attack

A Presentation that was demonstrated during the Def Con 2018 regarding the Zero-day vulnerability that discovered in macOS High Sierra OS allows let an attacker access the kernel using invisible mouse clicks.

Basically, kernel level access allows gaining unparalleled access to the attackers in the compromised operating system.

Patrick Wardle, A Chief researcher in Digita Security and Ex, NSA Hacker uncovered a flaw in High Sierra OS that two consecutive synthetic mouse “down” events were incorrectly interpreted the programmatic clicks as a manual approval by High Sierra.

Patrick explained that vulnerability in High Sierra operating system by that two lines of code that could allow a local attacker to virtually “click” a security prompt and thus load a kernel extension.

This macOS flaw allows unprivileged code to interact with any UI component including the ‘protected’ security dialogues.

This attack is performed by invisible mouse clicks also called as synthetic clicks and Apple disables these kinds of mouse clicks for users to interact with UI and blocking the malware to performing programmatic clicks.

But This flaw (CVE-2017-7150) in all recent versions of macOS that incorrectly interprets the synthetic two-down sequence as a mouse “down” and “up.” as legitimate mouse clicks that interact with High Sierra’s user interface that attempts to prevent the loading of kernel extensions.

Patrick said, “Two lines of code completely break this security mechanism,” he said. “It is truly mind-boggling that such a trivial attack is successful. I’m almost embarrassed to talk about the bug as it’s so simple — though I’m actually more embarrassed for Apple.”

Patrick Found this bug by accident when copying and pasting the code. he explained that, I copied and pasted the code for a synthetic mouse down twice accidentally – forgetting to change a value of a flag that would indicate a mouse “up” event. Without realizing my ‘mistake,’ I compiled and ran the code, and honestly was rather surprised when it generated an allowed synthetic click!”

In this case, If malware can use that trick to install a kernel extension, it can often exploit that added code to gain full control of a targeted machine.

“Before an attacker can load a (signed) kernel extension, the user has to click an ‘allow’ button. This recent security mechanism is designed to prevent rogue attacks from loading code into the kernel. If this mechanism is bypassed its game over,” Wardle said.

A piece of malware can install that extension and then exploit its flaw to take control of the kernel. Wardle points out that the Slingshot malware used this exact technique.

Of course, OS vendors such as Apple are keenly aware of this ‘attack’ vector, and thus strive to design their UI in a manner that is resistant against synthetic events. Unfortunately, they failed.

Also Read

Dangerous macOS Backdoor That Steals User Login Credentials Remained Undetected for Years

Apple Released Security Updates for iOS, macOS, Safari, iTunes – iOS 11.4.1 Released

MACOS Malware Targeting Cryptocurrency Users On Slack and Discord – 100% Undetected Virustotal