Gatekeeper and File Quarantine Bypass
Over the years, Macs have adapted to catch the most common types of malware by putting technical obstacles in their way. Indeed, macOS flags potentially malicious apps masquerading as documents that have been downloaded from the internet. And if macOS hasn’t reviewed the app — a process Apple calls notarization — or if it doesn’t recognize its developer, the app won’t be allowed to run without user intervention.
But security researcher Cedric Owens said the bug he found in mid-March bypasses those checks and allows a malicious app to run.
Owens told TechCrunch that the bug allowed him to build a potentially malicious app to look like a harmless document, which, when opened, bypasses macOS’ built-in defenses.
This bug trivially bypasses many core Apple security mechanisms, leaving Mac users at grave risk[…]
[…]
…and especially worrisome, turns out malware authors are already exploiting it in the wild as an 0day.
[…]
The core of the blog post digs deep into the bowels of macOS to uncover the root cause of the bug. In this section, we’ll detail the flaw which ultimately results in the misclassification of quarantined items, such as malicious applications. Such misclassified apps, even if unsigned (and unnotarized), will be allowed to run uninhibited. No alerts, no prompts, and not blocked.
[…]
Finally, we’ll wrap things up with a brief discussion on protections, most notably highlighting the fact that BlockBlock already provided sufficient protection against this 0day.
The details behind how the vulnerability can be abused by attackers are:
- An attacker manually crafts an application bundle by using a script as the main executable. (example: myapplication.app/Contents/MacOS/myapplication where “myapplication” is a bash script). For this to work, the script name must match the application name and they must not create an Info.plist file.
- The application can then be placed in a dmg for distribution.
- When the dmg is mounted and the application is double-clicked, the combination of a script-based application with no Info.plist file executes without any quarantine, signature or notarization verification. This will work on any system running macOS versions 10.15 to 11.2.
It’s fixed in macOS 11.3.
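As an added defender-side example (not from any of the quoted posts or from Apple), the script below checks an .app bundle for the exact shape described above: no Contents/Info.plist, and a shebang script named after the bundle as the main executable. The quarantine read assumes the macOS `xattr` tool is present and returns None elsewhere; the sample bundles it builds are constructed, harmless fixtures for testing the check.

```python
import subprocess
import tempfile
from pathlib import Path


def bundle_findings(app_path):
    """Structural checks for one .app bundle, keyed by what was observed."""
    app = Path(app_path)
    contents = app / "Contents"
    main_exe = contents / "MacOS" / app.stem  # app.stem is "foo" for "foo.app"
    is_script = False
    if main_exe.is_file():
        with open(main_exe, "rb") as fh:
            is_script = fh.read(2) == b"#!"  # shebang means a script, not Mach-O
    findings = {
        "missing_info_plist": not (contents / "Info.plist").is_file(),
        "main_exe_matches_name": main_exe.is_file(),
        "main_exe_is_script": is_script,
    }
    findings["matches_bypass_shape"] = all(findings.values())
    return findings


def quarantine_flag(path):
    """Read com.apple.quarantine via the macOS xattr tool; None if not available."""
    try:
        out = subprocess.run(["xattr", "-p", "com.apple.quarantine", str(path)],
                             capture_output=True, text=True, check=False)
    except FileNotFoundError:
        return None
    return out.stdout.strip() or None


def scan(root):
    """Return every .app under root whose layout matches the bypass shape."""
    return sorted(str(p) for p in Path(root).rglob("*.app")
                  if p.is_dir() and bundle_findings(p)["matches_bypass_shape"])


def build_sample_bundle(root, name, with_plist):
    """Constructed fixture: a harmless echo script wrapped as an app bundle."""
    macos_dir = Path(root) / f"{name}.app" / "Contents" / "MacOS"
    macos_dir.mkdir(parents=True)
    (macos_dir / name).write_text("#!/bin/sh\necho sample\n")
    if with_plist:
        (macos_dir.parent / "Info.plist").write_text("<plist/>\n")
    return macos_dir.parent.parent


def demo():
    """Build one bundle with and one without Info.plist, then scan the directory."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_bundle(tmp, "noplist", with_plist=False)
        good = build_sample_bundle(tmp, "withplist", with_plist=True)
        return [Path(h).name for h in scan(tmp)], bundle_findings(good)["missing_info_plist"]
```

Run `scan("/Volumes")` on a Mac to sweep mounted disk images, and pair a hit with `quarantine_flag()` on the main executable to see whether the quarantine attribute was ever applied.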
Lorenzo Franceschi-Bicchierai:
An Apple spokesperson said that the company deployed rules to detect malware abusing this bug to its anti-virus app XProtect. These rules are automatically installed in the background, meaning all macOS devices, including those running older versions of macOS, will get this protection as well.
Previously:
- macOS 11.3
- Gatekeeper Symlink/Automount Bypass
- Quarantine: Apps and Documents
- Updated Gatekeeper Exploit
- Gatekeeper Exploit