Josh Pitts
I found this interesting code signing bug in macOS. I took the 2011/2012 flashback malware and 'signed' it with a cert from Apple. VirusTotal and WhatsYourSign ('s tool) both agree that it's signed by Apple. I have some bug reporting to do... 🤓
Dominic Chell 21 Feb 18
What does codesign say?
patrick wardle 21 Feb 18
since is open-source you can submit a bug report? I'll DM you too :) Mahalo in advance 🙏
patrick wardle 21 Feb 18
Is it a 'macOS code signing bug' if the binaries don't run? 🤔
patrick wardle 21 Feb 18
nice 😁 I guess more specifically wondering a) if they are non-local binaries - Gatekeeper (which checks code signing) will block, or b) if code-signing is enabled (vm.cs_enforcement=1) local binaries will be killed -9?
Thomas Reed 21 Feb 18
What specifically did you do to “sign it with a cert from Apple?” Do you mean a cert issued by Apple, or something else? Also, apps will run with an invalid signature if they don’t have the quarantine flag set. Did you test with that flag set? Very curious!
bucky 21 Feb 18
Is it possible to download your version of Flashback somewhere? I assume that if you re-sign a malware with a valid CS cert, the malware will again pass as valid, right? (XProtect & AV scans might throw out an error, but the certificate itself would still be accepted, I assume.)
Thomas Reed 22 Feb 18
There are some problems with that test, though. 1) "codesign -dv" does not verify the signature, it just outputs the info. You'd need either "codesign --verify" or "spctl --assess". 2) Running something from the command line does not trigger Gatekeeper or a code signature check.
Thomas Reed 22 Feb 18
I'd certainly argue that code signature checks in macOS are far too sparse, and it does sound like there's a bug in SecStaticCodeCheckValidity() that will affect some third-party apps that do code signature checks. I'm just saying those particular parts of your test don't work.
FIPS mode squad 22 Feb 18
Ugh.
Karl Hiramoto 27 Feb 18
now shows as "invalid" on VT.