The Mouse is Mightier than the Sword

Conference:  Defcon 26



The presentation discusses how synthetic events (programmatically generated mouse and keyboard input) can bypass security mechanisms on macOS, how attackers make use of them, and where Apple's defenses against them fall short.
  • Synthetic events are a powerful capability: they can be used to bypass security mechanisms and perform actions invisibly.
  • AppleScript and the Core Graphics framework are the usual means of interacting with UI prompts programmatically and generating synthetic events.
  • Apple's security mechanisms have weaknesses that synthetic events can exploit, such as privacy alerts that are not protected against synthetic clicks and a flaw in the security mechanism that guards kernel extension loading.
  • The presentation also announces a new Mac security conference, Objective by the Sea.
  • In Mojave, Apple has taken a more drastic approach, blocking and disallowing a large number of actions; this is good from a security standpoint but may break legitimate applications.
The presenter gives an example of synthetic events in malware: in 2011, DevilRobber dumped the unencrypted contents of the keychain by using AppleScript to synthetically click the Allow button in the keychain access prompt.
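The summary notes that synthetic events are posted through the Core Graphics framework. The same framework lets a defender observe them: a listen-only event tap sees every mouse-down in the session, and Core Graphics records the posting process's PID on events generated in software, while events from a physical HID device carry a PID of 0. The following Swift program is an added example, not code from the talk or from Objective-See; it assumes the documented semantics of the `eventSourceUnixProcessID` and `eventSourceStateID` event fields and that the process has been granted Accessibility (TCC) permission, without which the tap cannot be created.

```swift
// Added example (not from the talk): a passive CGEventTap that logs every mouse-down
// in the login session and flags those that were posted by a process rather than by hardware.
import Foundation
import CoreGraphics

/// Describe one mouse-down event: where it landed and whether it came from hardware.
func describe(_ event: CGEvent) -> String {
    let point = event.location
    // Assumption: for events posted via CGEventPost, Core Graphics stores the posting
    // process's PID in this field; events from a physical input device carry 0.
    let senderPID = event.getIntegerValueField(.eventSourceUnixProcessID)
    // The source state ID (e.g. HID system state vs. combined session state) is a weaker
    // signal, since a posting process chooses the state of the event source it creates.
    let stateID = event.getIntegerValueField(.eventSourceStateID)
    let origin = senderPID != 0 ? "SYNTHETIC (posted by pid \(senderPID))" : "hardware"
    return "click at (\(Int(point.x)), \(Int(point.y))) sourceState=\(stateID) origin=\(origin)"
}

// Only mouse-down events are of interest: a synthetic "Allow" click needs at least one.
let mask = CGEventMask(1 << CGEventType.leftMouseDown.rawValue)
         | CGEventMask(1 << CGEventType.rightMouseDown.rawValue)

// A listen-only tap never modifies or swallows events, so it cannot interfere with the user.
guard let tap = CGEvent.tapCreate(
        tap: .cgSessionEventTap,
        place: .headInsertEventTap,
        options: .listenOnly,
        eventsOfInterest: mask,
        callback: { _, _, event, _ in
            print(describe(event))
            return Unmanaged.passUnretained(event)
        },
        userInfo: nil) else {
    fatalError("could not create event tap; the process needs Accessibility permission")
}

let source = CFMachPortCreateRunLoopSource(kCFAllocatorDefault, tap, 0)
CFRunLoopAddSource(CFRunLoopGetCurrent(), source, .commonModes)
CGEvent.tapEnable(tap: tap, enable: true)
CFRunLoopRun()   // blocks; every click is logged as it arrives
```

Run it from a terminal that has been granted Accessibility access and click anywhere: hardware clicks report `origin=hardware`, while a click generated with AppleScript or `CGEventPost` reports the PID of the process that posted it. A tool that mediates security prompts can apply the same check to the click that dismisses the prompt rather than trusting it blindly; the PID is the field to key on, because the source state is under the posting process's control.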


In today's digital world the mouse, not the pen, is arguably mightier than the sword. Via a single click, countless security mechanisms may be completely bypassed. Run an untrusted app? Click... allowed. Authorize keychain access? Click... allowed. Load a 3rd-party kernel extension? Click... allowed. Authorize an outgoing network connection? Click... allowed. Luckily security-conscious users will (hopefully) heed such warning dialogues—stopping malicious code in its tracks. But what if such clicks can be synthetically generated and interact with such prompts in a completely invisible way? Well, then everything pretty much goes to hell. Of course OS vendors such as Apple are keenly aware of this 'attack' vector, and thus strive to design their UI in a manner that is resistant to synthetic events. Unfortunately they failed. In this talk we'll discuss a vulnerability (CVE-2017-7150) found in all recent versions of macOS that allowed unprivileged code to interact with any UI component, including 'protected' security dialogues. Armed with the bug, it was trivial to programmatically bypass Apple's touted 'User-Approved Kext' security feature, dump all passwords from the keychain, bypass 3rd-party security tools, and much more! And as Apple's patch was incomplete (surprise surprise), we'll drop an 0day that (still) allows unprivileged code to post synthetic events and bypass various security mechanisms on a fully patched macOS box! And while it may seem that such synthetic interactions with the UI will be visible to the user, we'll discuss an elegant way to ensure they happen completely invisibly!



Authors: Patrick Wardle, Objective-See Foundation