A Presentation that was demonstrated during the Def Con 2018 regarding the Zero-day vulnerability that discovered in macOS High Sierra OS allows let an attacker access the kernel using invisible mouse clicks.

Basically, kernel level access allows gaining unparalleled access to the attackers in the compromised operating system.

Patrick Wardle, A Chief researcher in Digita Security and Ex, NSA Hacker uncovered a flaw in High Sierra OS that two consecutive synthetic mouse “down” events were incorrectly interpreted the programmatic clicks as a manual approval by High Sierra.

Patrick explained that vulnerability in High Sierra operating system by that two lines of code that could allow a local attacker to virtually “click” a security prompt and thus load a kernel extension.

This macOS flaw allows unprivileged code to interact with any UI component including the ‘protected’ security dialogues.

This attack is performed by invisible mouse clicks also called as synthetic clicks and Apple disables these kinds of mouse clicks for users to interact with UI and blocking the malware to performing programmatic clicks.

But This flaw (CVE-2017-7150) in all recent versions of macOS that incorrectly interprets the synthetic two-down sequence as a mouse “down” and “up.” as legitimate mouse clicks that interact with High Sierra’s user interface that attempts to prevent the loading of kernel extensions.

_rWZpdq1_normal macOS Invisible Mouse Clicks Attack Allows to Bypass Kernel Protection

patrick wardle

@patrickwardle

Good morning @Defcon attendees 2600 macOS Invisible Mouse Clicks Attack Allows to Bypass Kernel Protection

My talk, “1f42d macOS Invisible Mouse Clicks Attack Allows to Bypass Kernel Protection  > 2694 macOS Invisible Mouse Clicks Attack Allows to Bypass Kernel Protection  ” is today:
“The Mouse is Mightier than the Sword”
Sunday 10:00, 101 Track, Flamingo

Includes new bypasses of privacy controls & 0day breaking ‘User Assisted Kext Loading’ 1f648 macOS Invisible Mouse Clicks Attack Allows to Bypass Kernel Protection  1f34e macOS Invisible Mouse Clicks Attack Allows to Bypass Kernel Protection  1f912 macOS Invisible Mouse Clicks Attack Allows to Bypass Kernel Protection

See you there 1f917 macOS Invisible Mouse Clicks Attack Allows to Bypass Kernel Protection  https://www.defcon.org/html/defcon-26/dc-26-speakers.html#Wardle2 

Patrick said, “Two lines of code completely break this security mechanism,” he said. “It is truly mind-boggling that such a trivial attack is successful. I’m almost embarrassed to talk about the bug as it’s so simple — though I’m actually more embarrassed for Apple.”

Patrick Found this bug by accident when copying and pasting the code. he explained that, I copied and pasted the code for a synthetic mouse down twice accidentally – forgetting to change a value of a flag that would indicate a mouse “up” event. Without realizing my ‘mistake,’ I compiled and ran the code, and honestly was rather surprised when it generated an allowed synthetic click!”

In this case, If malware can use that trick to install a kernel extension, it can often exploit that added code to gain full control of a targeted machine.

“Before an attacker can load a (signed) kernel extension, the user has to click an ‘allow’ button. This recent security mechanism is designed to prevent rogue attacks from loading code into the kernel. If this mechanism is bypassed its game over,” Wardle said.

A piece of malware can install that extension and then exploit its flaw to take control of the kernel. Wardle points out that the Slingshot malware used this exact technique.

Of course, OS vendors such as Apple are keenly aware of this ‘attack’ vector, and thus strive to design their UI in a manner that is resistant against synthetic events. Unfortunately, they failed.

via macOS Invisible Mouse Clicks Attack Allows to Bypass Kernel Protection

Subscribe To Our Newsletter

Join our mailing list to receive the latest news and updates from our team.

You have Successfully Subscribed!

Share This