In today's digital world the mouse, not the pen is arguably mightier than the sword. Via a single click, countless security mechanisms may be completely bypassed. Run untrusted app? click ...allowed. Authorize keychain access? click ...allowed. Load 3rd-party kernel extension? click ...allowed.Authorize outgoing network connection? click ...allowed. Luckily security conscious users will (hopefully) heed such warning dialogues - stopping malicious code in its tracks. But what if such clicks can be synthetically generated and interact with such prompts in a completely invisible way? Well, then everything pretty much goes to hell.
Of course OS vendors such as Apple are keenly aware of this 'attack' vector,and thus strive to design their UI in a manner that is resistant againstsynthetic events. Unfortunately they failed.
In this talk we'll discuss a vulnerability found in all recent versions of macOS that allowed unprivileged code to interact with any UI component including 'protected' security dialogues. Armed with the bug, it was trivial to programmatically bypass Apple's touted 'Secure Kext Loading' security feature,dump all passwords from the keychain, bypass 3rd-party security tools, and much more! And while it may seem that such synthetic interactions with the UI will be visible to the user, we'll discuss an elegant way to ensure they happen completely invisibly!