Hackers can bypass a new security feature in MacOS High Sierra to load malicious kernel extensions.
According to security researchers at Synack, the forthcoming update to MacOS features something called “Secure Kernel Extension Loading” (SKEL). Patrick Wardle, chief security researcher at Synack, said that while the feature was “wrapped in good intentions”, in its current implementation, SKEL “merely hampers the efforts of the ‘good guys’” (ie 3rd-party MacOS developers such as those that design security products).
“Due to flaws in its implementation, the bad guys (hackers/malware) will likely remain unaffected,” he said in a blog post.
According to Apple’s Technical Note TN2459, Secure Kernel Extension Loading is “a new feature that requires user approval before loading new third-party kernel extensions.”
Wardle said that while we might initially assume that the main attack vector SKEL attempts to thwart is the (direct) loading of malicious kernel extensions (ie rootkits), he believed this is not the case.
“First, observe that (AFAIK), we have yet to see any signed kernel-mode MacOS malware! Since OS X Yosemite, any kexts have to be signed with a kernel code-signing certificate,” he said.
Wardle added that unlike user-mode Developer IDs, Apple is incredibly ‘protective’ of such kernel code-signing certificates – only giving out a handful to legitimate 3rd-party companies that have justifiable reasons to create kernel code.
“As security features are often costly to implement, they are generally introduced to reactively address widespread issues,” he said. He added that instead, the main (security) goal of SKEL is to block the loading of legitimate but (known) vulnerable kexts.
“Until Apple blacklists these kexts via the OSKextExcludeList dictionary (in AppleKextExcludeList.kext/Contents/Info.plist), attackers can simply load such kexts, then exploit them to gain arbitrary code execution within the context of the kernel,” he warned.
He said that the feature can also block the direct loading of maliciously signed kexts, so it seems its main aim is to thwart the loading of known vulnerable drivers for malicious purposes.
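As an added defender-side check (not code from Wardle’s post or from Apple), the Python script below compares the kexts currently loaded, in the shape of `kextstat` output, against the OSKextExcludeList dictionary from the Info.plist named above, flagging any loaded kext whose version Apple’s list already covers. The plist contents, the `kextstat` lines and the “OP x.y.z” version-predicate syntax are constructed assumptions for illustration.

```python
import plistlib
from operator import le, lt, eq, ge, gt

# Constructed sample of the OSKextExcludeList dictionary. The real one lives in
# AppleKextExcludeList.kext/Contents/Info.plist; the "OP version" predicate
# syntax used here is an assumption, not taken from Apple's file.
SAMPLE_INFO_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>OSKextExcludeList</key>
  <dict>
    <key>com.example.vulnerable.driver</key>
    <string>LE 2.3.1</string>
    <key>com.example.other.driver</key>
    <string>LT 5.0 AND GE 4.2</string>
  </dict>
</dict></plist>"""

# Constructed lines in the shape of `kextstat` output:
# Index Refs Address Size Wired Name (Version) <Linked Against>
SAMPLE_KEXTSTAT = """  120    0 0xffffff7f82a1c000 0x5000 0x5000 com.example.vulnerable.driver (2.2.0) <5 4 3 1>
  121    0 0xffffff7f82a21000 0x7000 0x7000 com.example.other.driver (5.1.0) <5 4 3 1>
  122    0 0xffffff7f82a28000 0x3000 0x3000 com.example.fine.driver (1.0.0) <5 4 3 1>
"""

OPS = {"LE": le, "LT": lt, "EQ": eq, "GE": ge, "GT": gt}

def parse_version(text):
    """Turn '2.3.1' into (2, 3, 1) so tuples compare numerically."""
    return tuple(int(part) for part in text.split("."))

def version_excluded(version, predicate):
    """True if `version` satisfies every 'OP x.y.z' clause joined by AND."""
    v = parse_version(version)
    for clause in predicate.split(" AND "):
        op, bound = clause.split()
        if not OPS[op](v, parse_version(bound)):
            return False
    return True

def parse_kextstat(output):
    """Yield (bundle_id, version) pairs from kextstat-style lines."""
    for line in output.splitlines():
        fields = line.split()
        if len(fields) >= 7:
            yield fields[5], fields[6].strip("()")

def excluded_loaded_kexts(plist_bytes, kextstat_output):
    """Return loaded (bundle_id, version) pairs that the exclude list covers."""
    excludes = plistlib.loads(plist_bytes)["OSKextExcludeList"]
    return [(bid, ver) for bid, ver in parse_kextstat(kextstat_output)
            if bid in excludes and version_excluded(ver, excludes[bid])]
```

On a real machine the plist bytes would be read from the path above and the second argument from the output of `kextstat`; a non-empty result means a kext on Apple’s own blacklist is resident in the kernel.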
In his blog, he outlined how a hacker could bypass SKEL protection in MacOS High Sierra.
“We exploit an implementation vulnerability in SKEL that allows us to load a new unapproved kext, fully programmatically, without any user interaction. A single implementation flaw in SKEL may allow us to fully bypass it. Apple on the other hand, has to protect against everything. So, we’re always going to win…sometimes after just 20 minutes of poking,” he said.
“Unfortunately, when such ‘security’ features are introduced – even if done with the noblest of intentions – they often just complicate the lives of 3rd-party developers and users without affecting the bad guys (who don’t have to play ‘by the rules’). High Sierra’s SKEL’s flawed implementation is a perfect example of this,” he said.
“Of course, if Apple’s ultimate goal is simply to continue to wrestle control of the system away from its users, under the guise of ‘security’, I’m not sure any of this even matters.”
Apple will release MacOS High Sierra (10.13) on 25 September.