Attackers Can Steal Clear-Text Credentials From the Keychain, Researcher Warns
Password managers are one of the best ways to manage large batches of credentials. But they’re also a single point of failure: get inside a password manager, and you’ve captured the keys to the kingdom.
To wit, a researcher has discovered a zero-day vulnerability in Apple’s built-in password manager that an attacker can exploit to steal all stored credentials in clear-text format. The flaw is present in the latest version of macOS, High Sierra (10.13), which was released earlier this week, and is also present in Sierra (10.12) and potentially El Capitan (10.11).
That alert comes from Patrick Wardle, director of research at Synack, a company that crowdsources analysts for penetration tests. As a hobby, Wardle digs deep into Apple’s desktop operating system, and he’s developed a suite of security tools for macOS as well as unearthed the occasional vulnerability.
His attack focuses on the Keychain, an encrypted container that stores credentials for Wi-Fi networks, backup disks, encrypted disk images and even credit card numbers and PINs for bank accounts. To open the Keychain, users must first enter a machine’s system password.
But Wardle developed proof-of-concept code that completely bypasses the password request, opening up the treasure chest of credentials that the Keychain holds.
Signed or Unsigned
Wardle tweeted his findings on Sept. 25 and posted a video of the attack, using an application he developed called “keychainStealer.”
The keychainStealer application, as demonstrated, is “unsigned,” which means it isn’t signed with a developer certificate issued by Apple. If a user tried to open a downloaded copy, Apple’s Gatekeeper would by default block it. Gatekeeper blocks applications that are not signed by an Apple-approved developer, but it can be disabled or overridden.
Wardle, however, later clarified that it didn’t matter whether an application is signed or not; the attack would still work. But his demo with an unsigned app appeared to initially cause a misunderstanding with Apple. In a statement to Information Security Media Group, Apple claimed that Gatekeeper would block the application outright.
“We encourage users to download software only from trusted sources like the Mac App Store and to pay careful attention to security dialogs that macOS presents,” Apple tells ISMG.
Supply Chains Under Fire
But many users don’t pay attention to Gatekeeper’s warnings, and download and run apps that lack an approved signature. Occasionally, malware authors have managed to slip malware into the installers of legitimate Mac apps.
For example, the BitTorrent client called Transmission was hacked twice in 2016, with attackers successfully slipping ransomware into the application and distributing it from Transmission’s website. The same scenario repeated in May with DVD-ripping software called Handbrake, according to security firm Malwarebytes.
These so-called supply-chain attacks are becoming increasingly common. One of the largest such attacks ever seen – if not the biggest of all time – occurred earlier this month. Attackers managed to slip malware into an installer for Avast’s popular CCleaner utility for Windows. The tampered version of CCleaner was downloaded 2.27 million times, and follow-on malware was pushed to major tech companies and telecoms (see Trojanized CCleaner Investigation: Lucky Break).
There are some preconditions, however, for a successful attack against the Keychain using the flaw discovered by Wardle. The first, obvious barrier is that an attacker would have to convince someone to download an application with keychainStealer hidden inside.
“As mentioned before, this attack is local, meaning malicious adversaries have to first compromise your Mac in some way,” Wardle writes in a Q&A. “So best bet – don’t get infected. This means run the latest version of macOS and don’t run random apps from emails or the web.”
The Keychain also must be already unlocked on the targeted machine for the attack to work. By default, macOS unlocks the Keychain when someone logs onto a machine.
However, the Keychain can be configured to stay locked after someone logs in, Wardle writes. It’s also possible to keep the Keychain locked when it’s not in use.
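The locking behavior described above can be audited and tightened from the shell with macOS’s `security` tool. The script below is an added example, not code from the article or from Wardle; the sample `show-keychain-info` lines are constructed, and the exact output format is an assumption.

```shell
#!/bin/sh
# Added example: audit the login keychain's auto-lock settings (the
# mitigation the article mentions) and apply a stricter configuration.
# Assumes macOS's `security` CLI and that `security show-keychain-info`
# prints one line like the constructed samples below (format assumed).

# Constructed sample: keychain unlocked at login and never relocked on its own.
SAMPLE_DEFAULT='Keychain "<NULL>" no-timeout'
# Constructed sample after hardening: locks on sleep and after 5 min idle.
SAMPLE_HARDENED='Keychain "<NULL>" lock-on-sleep timeout=300s'

# audit_keychain_settings LINE
# Prints each weakness found; returns 0 when hardened, 1 when weak.
audit_keychain_settings() {
    line=$1
    weak=0
    case "$line" in
        *lock-on-sleep*) ;;
        *) echo "WEAK: keychain does not lock when the machine sleeps"; weak=1 ;;
    esac
    case "$line" in
        *no-timeout*)
            echo "WEAK: keychain never relocks after being unlocked at login"; weak=1 ;;
        *timeout=*s*)
            secs=${line##*timeout=}; secs=${secs%%s*}
            if [ "$secs" -gt 900 ]; then
                echo "WEAK: inactivity timeout ${secs}s is longer than 15 minutes"; weak=1
            fi ;;
        *) echo "WEAK: no inactivity timeout configured"; weak=1 ;;
    esac
    return $weak
}

# Apply the hardening on a real Mac: -l lock on sleep, -u lock after the
# -t timeout (seconds). Refuses to run where the macOS tool is absent.
harden_login_keychain() {
    command -v security >/dev/null 2>&1 || { echo "security CLI not found"; return 2; }
    security set-keychain-settings -l -u -t 300 &&
    security show-keychain-info
}

if [ "${1:-}" = "--demo" ]; then
    audit_keychain_settings "$SAMPLE_DEFAULT";  echo "default  -> rc=$?"
    audit_keychain_settings "$SAMPLE_HARDENED"; echo "hardened -> rc=$?"
fi
```

Run with `--demo` to check the constructed samples offline; on a Mac, `harden_login_keychain` applies the settings and prints the resulting line for review.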
Apple Promises Patch
Wardle’s initial tweet almost immediately generated criticism, since he highlighted a vulnerability for which there is not yet a patch. Wardle said he contacted Apple in early September and provided proof-of-concept attack code. But he says the company didn’t have enough time to push a patch before the release of High Sierra.
on High Sierra (unsigned) apps can programmatically dump & exfil keychain (w/ your plaintext passwords) vid: https://t.co/36M2TcLUAn #smh pic.twitter.com/pqtpjZsSnq
— patrick wardle (@patrickwardle) September 25, 2017
Wardle, who has a friendly relationship with Apple’s security team, did not release any technical details about how the attack works.
“My goal of posting the video was to raise awareness of the fact that High Sierra was shipped with an exploitable vulnerability – so we can all take necessary precautions,” he writes.