Most active commenters
  • Wowfunhappy(4)
  • tantalor(3)

←back to thread

How the Zoom macOS installer does its job without you clicking ‘install’

(twitter.com)
796 points _Microft | 14 comments | 31 Mar 20 11:41 UTC | HN request time: 0.001s | source | bottom
Show context
lultimouomo ◴[31 Mar 20 12:08 UTC] No.22736730[source]
I think this also shows how macOS has been training users to enter their password in random dialogs that have absolutely nothing that identifies them as being legit OS dialogs. The dialog that Zoom uses could very well be sending the credentials to a remote server, and the user would be none the wiser.
replies(2): >>22736941 #>>22742904 #
Wowfunhappy ◴[31 Mar 20 12:44 UTC] No.22736941[source]
Note that in this case, it's still a legit OS dialog. Preflight scripts are very much built into the macOS pkg format, they're just not intended to be used like this.
replies(4): >>22737018 #>>22737061 #>>22738118 #>>22741908 #
1. tantalor ◴[31 Mar 20 12:56 UTC] No.22737018[source]
It doesn't look legit, it looks like the installer script is faking a system dialog in this screenshot:

https://twitter.com/c1truz_/status/1244737675191619584/photo...

This message is a lie; it not coming from system but from the installer script.

Just because the OS is used to show the dialog doesn't mean it should be trusted. As other commenter noted this could be used to steal passwords; that is effectively what it does.

replies(2): >>22737159 #>>22737550 #
2. rainforest ◴[31 Mar 20 13:15 UTC] No.22737159[source]
To their credit, they seem to be using AuthorizationExecuteWithPrivileges which doesn't get the user's password, but executes a command as root, which is marginally better than stealing the password like Dropbox did.
replies(1): >>22737179 #
3. tantalor ◴[31 Mar 20 13:16 UTC] No.22737179[source]
How hard do you think it is to steal a password once you have root?
replies(2): >>22737310 #>>22740559 #
4. swiley ◴[31 Mar 20 13:30 UTC] No.22737310{3}[source]
It would take an extra step, you have access to the hash and maybe shared memory/SOs but you’d need a second trick to actually steal it.
5. Wowfunhappy ◴[31 Mar 20 13:57 UTC] No.22737550[source]
The script asks for root which subsequently pops up an OS password prompt. Zoom never sees your password.

How is this different from the way e.g. Virtualbox gets root?

replies(2): >>22738134 #>>22738303 #
6. lonelappde ◴[31 Mar 20 14:59 UTC] No.22738134[source]
Because it lies about its identity, calling itself "System" not Zoom.

This is also a MacOS vuln that lets apps lie about their identity in sudo prompts, much like a browser showing an https site with no certificate checking.

replies(1): >>22738200 #
7. Wowfunhappy ◴[31 Mar 20 15:05 UTC] No.22738200{3}[source]
macOS allows apps to write arbitrary lines of text above password prompts, which is what Zoom is doing. I don't see how that's different from a shell script echo'ing something before a sudo prompt.

How would you design this system?

replies(1): >>22740596 #
8. auiya ◴[31 Mar 20 15:15 UTC] No.22738303[source]
It's not making the proper privilege escalation call, it's faking the box entirely. There's even a typo in the dialog box.
replies(2): >>22738340 #>>22742584 #
9. Wowfunhappy ◴[31 Mar 20 15:19 UTC] No.22738340{3}[source]
...are you sure? I'm pretty sure that code just pops up the system box to get privileges, with a custom message at the top.

I'm running Mavericks—the last version of macOS before they made the UI flat—and the prompt didn't look out of place. If Zoom is indeed faking the box, they actually went through the trouble to make a separate version for Mavericks with Mavericks-style visuals.

10. jedieaston ◴[31 Mar 20 18:14 UTC] No.22740559{3}[source]
It should be impossible with SIP enabled, as in OS X 10.14 Apple protected the files in /var/db/dslocal where the user shadow files are stored so that root could not read them (unless triggered by an Apple signed executable, like Software Update). If you are running with SIP disabled you've taken the risk of it happening, and if you are on a corporate laptop (or 99% of personal machines) it is engaged.

https://apple.stackexchange.com/questions/344117/mac-10-13-1...

replies(1): >>22741172 #
11. jedieaston ◴[31 Mar 20 18:16 UTC] No.22740596{4}[source]
Don't allow the application to do any of it, and when the app asks for access, have the system instead say "{processName}.app is requesting {permissionFlavorText}. Enter a name and password to continue."
12. tantalor ◴[31 Mar 20 19:02 UTC] No.22741172{4}[source]
Think a little harder. With root, you can install a keylogger.
replies(1): >>22742525 #
13. saagarjha ◴[31 Mar 20 21:00 UTC] No.22742525{5}[source]
You'd still need to bypass TCC.
14. saagarjha ◴[31 Mar 20 21:06 UTC] No.22742584{3}[source]
No, they're using the (deprecated) Authorization Services API from the (renamed) BLAuthentication.