Attackers could abuse the way third-party security tools call Apple's code signing APIs to make malicious code look Apple-signed, and so remain undetected, on Macs, a researcher said.
“Security, incident response, and forensics processes and personnel use code signing to weed out trusted code from untrusted code,” said Josh Pitts, a researcher on the Okta REX (Research and Exploitation) team.
“By verifying signed code, detection and response personnel can speed up investigations by separating trusted code from untrusted code,” Pitts said. “Different types of tools and products use code signing to implement actionable security; this includes whitelisting, antivirus, incident response, and threat hunting products. To undermine a code signing implementation for a major OS would break a core security construct that many depend on for day to day security operations.”
On macOS and iOS, code signing covers Mach-O binaries and application bundles so that only trusted code is loaded and executed in memory.
Several third-party, Apple-focused security products that verify cryptographically signed code through the official Apple APIs did not check the signature properly, so they would report malicious code that was not signed by Apple as Apple-signed, Pitts said in a post.
The vulnerability lies in the gap between how the Mach-O loader decides which code to run and how misused code signing APIs check a signature: the loader executes the slice that matches the host CPU, while an improperly written check validates only the first Mach-O in the file. It can be exploited with a malformed universal (fat) binary, a container format that packs several Mach-O files, each built for a specific CPU architecture, into one file.
To demonstrate the issue, he created several malformed proof-of-concept fat/universal files that developers can use to test their own products.
To exploit the vulnerability, the first Mach-O in the fat/universal file must be signed by Apple, and the malicious binary included in the file must be ad-hoc signed and compiled for i386 while targeting an x86_64 macOS host. A check that validates every architecture in the file, rather than only the first, is not fooled by such a file.
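To make the loader-versus-checker gap concrete, here is an added example (not Okta's proof-of-concept and not code from any affected product) that parses a fat header, works out which slice an x86_64 loader would execute, and flags when that slice is not the first one, or when a slice's fat_arch entry disagrees with the Mach-O header inside it. The sample fat file is constructed inline: slice 0 holds an x86_64 Mach-O standing in for the Apple-signed binary but its fat_arch entry claims arm64, so an x86_64 host skips it, and slice 1 is an i386 Mach-O standing in for the ad-hoc-signed payload. The loader fallback order (exact CPU match, then the 32-bit counterpart) is an assumption about pre-Catalina macOS behaviour; real signature validation is left to the Security framework.

```python
"""Structural audit of a universal (fat) Mach-O file.

Added example, not Okta's PoC. It answers one question a signature checker
must get right: which slice will actually execute, and is that the slice
being verified?  Signature validation itself is out of scope here.
"""
import struct

FAT_MAGIC = 0xCAFEBABE
MH_MAGIC = 0xFEEDFACE        # 32-bit Mach-O header
MH_MAGIC_64 = 0xFEEDFACF     # 64-bit Mach-O header
CPU_ARCH_ABI64 = 0x01000000
CPU_TYPE_I386 = 0x7
CPU_TYPE_X86_64 = CPU_TYPE_I386 | CPU_ARCH_ABI64
CPU_TYPE_ARM64 = 0xC | CPU_ARCH_ABI64


def parse_fat(data):
    """Return one dict per fat_arch entry, including the cputype the embedded Mach-O header claims."""
    if len(data) < 8:
        raise ValueError("too short for a fat header")
    magic, nfat = struct.unpack(">II", data[:8])        # fat header fields are big-endian
    if magic != FAT_MAGIC:
        raise ValueError("not a fat binary")
    slices = []
    for i in range(nfat):
        off = 8 + 20 * i
        cputype, _subtype, offset, size, _align = struct.unpack(">IIIII", data[off:off + 20])
        if size < 8 or offset + size > len(data):
            raise ValueError(f"slice {i} lies outside the file")
        # Mach-O headers for x86 are little-endian (host byte order).
        mh_magic, mh_cputype = struct.unpack("<II", data[offset:offset + 8])
        slices.append({"index": i, "fat_cputype": cputype, "offset": offset,
                       "size": size, "mh_magic": mh_magic, "mh_cputype": mh_cputype})
    return slices


def loader_choice(slices, host_cputype):
    """Index of the slice the loader runs: exact CPU match first, then the 32-bit
    counterpart (i386 on an x86_64 host; assumed pre-Catalina behaviour), else None."""
    fallback = host_cputype & ~CPU_ARCH_ABI64
    for want in (host_cputype, fallback):
        for s in slices:
            if s["fat_cputype"] == want:
                return s["index"]
    return None


def audit_fat(data, host_cputype=CPU_TYPE_X86_64):
    """Report structural anomalies and whether a first-slice-only check would verify the wrong code."""
    slices = parse_fat(data)
    findings = []
    for s in slices:
        if s["mh_magic"] not in (MH_MAGIC, MH_MAGIC_64):
            findings.append(f"slice {s['index']}: bad Mach-O magic {s['mh_magic']:#x}")
        elif s["mh_cputype"] != s["fat_cputype"]:
            findings.append(f"slice {s['index']}: fat header says cputype {s['fat_cputype']:#x} "
                            f"but Mach-O header says {s['mh_cputype']:#x}")
    executed = loader_choice(slices, host_cputype)
    if executed is None:
        findings.append("no slice runs on this host")
    elif executed != 0:
        findings.append(f"loader executes slice {executed}, not slice 0; "
                        "a check that only validates the first Mach-O verifies the wrong code")
    return {"slices": slices, "executed": executed, "findings": findings}


# --- constructed sample input (not a real binary) -------------------------------

def macho_header(magic, cputype):
    """Minimal Mach-O header: magic, cputype, cpusubtype, filetype=MH_EXECUTE, rest zero."""
    nfields = 8 if magic == MH_MAGIC_64 else 7
    return struct.pack("<%dI" % nfields, magic, cputype, 3, 2, *([0] * (nfields - 4)))


def build_fat(entries, align=12):
    """Assemble a fat file from [(fat_cputype, macho_bytes)], slices aligned to 2**align."""
    page = 1 << align
    table = struct.pack(">II", FAT_MAGIC, len(entries))
    offset, bodies = page, b""
    for cputype, macho in entries:
        table += struct.pack(">IIIII", cputype, 3, offset, len(macho), align)
        padded = macho + b"\0" * (-len(macho) % page)
        bodies += padded
        offset += len(padded)
    return table + b"\0" * (page - len(table)) + bodies


# Slice 0: x86_64 Mach-O whose fat entry claims arm64 (skipped on x86_64 hosts).
# Slice 1: i386 Mach-O, the one an x86_64 loader falls back to and runs.
SAMPLE_FAT = build_fat([
    (CPU_TYPE_ARM64, macho_header(MH_MAGIC_64, CPU_TYPE_X86_64)),
    (CPU_TYPE_I386, macho_header(MH_MAGIC, CPU_TYPE_I386)),
])

if __name__ == "__main__":
    for line in audit_fat(SAMPLE_FAT)["findings"]:
        print(line)
```

A real checker on macOS should pass kSecCSCheckAllArchitectures (and kSecCSStrictValidate) to SecStaticCodeCheckValidityWithErrors so that every slice, not just the first, is validated; the audit above only locates the slice whose signature matters.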