Bypassing security prompts in High Sierra, the latest version of macOS, is still possible with synthetic clicks thanks to a bug triggered by just two lines of code.

Under macOS, automation and usability tools can produce programmatic mouse events to reduce user interaction where it is not necessary. Developers can automate low-level user input events for their applications using the Core Graphics framework or, for inter-application communication, the AppleScript scripting language.

To counter the risk of abuse, recent versions of macOS require the user to manually permit an app to create synthetic events. The OS also filters virtual mouse clicks or asks the user for authentication before allowing the programmatic action.

Last year, security researcher and macOS hacker Patrick Wardle disclosed that Apple's protections against simulated human input did not apply to the operating system's mouse keys – a feature that allows controlling the mouse pointer from the keyboard.

The hacker found that macOS fully trusts synthetic events sent via mouse keys, and he was able to approve unauthorized actions this way, such as dumping passwords from Keychain, loading third-party kernel extensions, and bypassing security tools. All this was possible with the privileges of a normal user.

New bug discovered by accident

Apple released a patch for the mouse keys hack, but it was not sufficiently thorough, allowing the same level of unauthorized access as before.

Wardle found by chance that High Sierra confuses a sequence of two synthetic mouse down events for a human-generated action. For some reason, the operating system translates the programmatic clicks into a mouse "up" and mouse "down" command, which is what happens when clicking the mouse.

What makes the attack serious is that security mechanisms normally depend on user interaction with a UI component. Using this code, malware can emulate a mouse click and thus bypass these restrictions.

The researcher notes that current mitigations (filtering, system integrity protection, accessibility access, password prompts) limit attacks based on programmable click events but do not eliminate them completely. If malware can install kernel extensions or access the unencrypted content of Keychain, then it is game over for the user.

Since a self-animated cursor is an obvious sign of an unauthorized act, there is a way to literally keep the user in the dark: dimming the screen at the right time. This is practical when the user is inactive or when the device enters sleep mode.

It should be highlighted that the technique discovered by Wardle is useful for an attacker after they have gained a foothold on the system. Even so, it is an easy way to bypass security tools and thus hide the malicious activity from the user.

Thankfully, things will change in Mojave: the next version of macOS, scheduled for release this year, will block all synthetic events.

Patrick Wardle presented his findings at the Def Con hacking conference in Las Vegas this year. The slides for the presentation are available here.