Mac "MacKeeper" exposes Arbitrary Code Execution Vulnerability

Mac  "MacKeeper" exposes Arbitrary Code Execution Vulnerability

I believe Mac users must have seen Mackeeper ads-a Mac OS system optimization software that integrates anti-virus, encryption, data backup, system cleaning, and software uninstallation, it can be considered as  of the Mac.

On July 6, May 7, Mackeeper was found to have a serious security vulnerability. The remote code execution vulnerability exists in its URL-handling code. When a user accesses a maliciously crafted webpage, the high-risk vulnerability is triggered.

Vulnerability description

Security researcher Braden Thomas discovered this vulnerability. When a user accesses a malicious website, he can execute arbitrary code as Root with the highest system permission without having to perform any interaction, he also published the POC (vulnerability verification program) to demonstrate that users can execute arbitrary code when accessing malicious websites using Safari. The Code executed in the POC is to uninstall MacKeeper. The cause of the vulnerability is that MacKeeper does not perform a security check on the input data when executing commands using a custom URL structure.

If MacKeeper prompts the user to enter the password during normal operations, the user will not be prompted to enter the password when executing any code with the root permission. If the user has not passed the authentication before, MacKeeper will prompt the user to enter the account password. However, the exploitation of vulnerabilities is exactly the characters entered by these users, so the user may feel the vulnerability exploitation process.

Apple allows OSX and iOS apps to customize the URL structure. These URLs can register system events to remove other apps from the system and process the current URL. Normally, this function uses custom protocols to perform specified operations (for example, when you click a phone number link on iOS, the system will ask you if you want to make a call, when you click an email address, the system starts the email APP. The APP built in the Apple system clearly tells developers that they need to perform a security check on the entered custom URL, to prevent exceptions during URL Processing. In addition, Apple also pointed out the importance of security checks on input data in official documents.

Impact Scope

Since this 0day also exists in the latest MacKeeper (MacKeeper 3.4), many users are affected. According to a previous report, tens of millions of users are affected. MacKeeper is a controversial application in the Mac community. users complain that it frequently uses pop-up windows to push advertisements.
Now the POC of this vulnerability has been published, so MacKeeper users are prone to attacks.

POC:
Import sys, base64
From Foundation import *
RUN_CMD = "rm-rf/Applications/MacKeeper. app; pkill-9-a MacKeeper"
D = NSMutableData. data ()
A = NSArchiver. alloc (). initForWritingWithMutableData _ (d)
A. encodeValueOfObjCType_at _ ("@", NSString. stringWithString _ ("NSTask "))
A. encodeValueOfObjCType_at _ ("@", NSDictionary. dictionaryWithObjectsAndKeys _ (NSString. stringWithString _ ("/bin/sh"), "LAUNCH_PATH", NSArray. arrayWithObjects _ (NSString. stringWithString _ ("-c"), NSString. stringWithString _ (RUN_CMD), None), "ARGUMENTS", NSString. stringWithString _ ("Your computer has malware that needs to be removed. ")," PROMPT ", None ))
Print "com-zeobit-command: // I/ZBAppController/javasmactionwithhelpertask: arguments:/" + base64.b64encode (d)
Https://twitter.com/drspringfield/status/596316000385167361

Security suggestions

MacKeeper users should Update to the latest version immediately. By default, MacKeeper automatically checks for updates. When the MacKeeper prompts an upgrade, click OK to install the update.

Of course, you can avoid attacks in some ways. On OS X, click a custom link in the Safari browser to call the application specified in the system to process the corresponding URL. In other browsers, such as the chrome browser, you will be prompted whether you agree to open the link to this self-owned agreement.
For technical tips, try to use browsers other than Safari. In this way, the system will prompt you before executing any code. Technically, you can remove URL-related code from the Info. plist file of MacKeeper.