An issue was discovered in osquery. A maliciously crafted Universal/fat binary can evade third-party code signing checks. By not completing full inspection of the Universal/fat binary, the user of the third-party tool will believe that the code is signed by Apple, but the malicious unsigned code will execute. This issue affects osquery prior to v3.2.7
Osquery, a popular endpoint monitoring tool, is vulnerable to a code-signing bypass. A specially crafted Universal/fat binary can trick third-party tools into believing malicious, unsigned code is signed by Apple, leading to arbitrary code execution on affected systems. This vulnerability allows attackers to compromise systems by injecting malicious code that evades security checks.
Step 1: Payload Preparation: The attacker crafts a malicious Universal/fat binary. This binary contains a legitimate, signed code segment (e.g., a benign osquery component) and an unsigned, malicious code segment (the payload).
Step 2: Binary Delivery: The attacker delivers the crafted binary to the target system. This could be through various means, such as social engineering, exploiting another vulnerability, or supply chain compromise.
Step 3: Code-Signing Check: The osquery process, or a third-party tool used by osquery, attempts to verify the code signature of the binary. The tool successfully validates the initial, signed code segment.
Step 4: Bypass: Due to the incomplete validation, the tool does not fully inspect the entire binary. It fails to detect the presence of the unsigned, malicious code segment.
Step 5: Execution: The operating system loads and executes the binary. Because the initial code segment appeared signed, the system trusts the binary and executes both the signed and unsigned code segments. The malicious code segment, now running with the privileges of the osquery process, executes the attacker's payload.
The vulnerability stems from incomplete inspection of Universal/fat binaries within osquery's code-signing verification process. Specifically, the third-party tool used by osquery to verify code signatures fails to fully validate the integrity of all code segments within a Universal/fat binary. This allows an attacker to craft a binary where the initial, inspected code segment appears signed, while a subsequent, malicious code segment remains unsigned. The tool's failure to fully validate the binary allows the unsigned code to be executed. The root cause is a lack of thorough validation of all code segments within the Universal/fat binary format, leading to a code-signing bypass.