{"id":46763,"date":"2025-02-17T08:55:41","date_gmt":"2025-02-17T13:55:41","guid":{"rendered":"https:\/\/mjtsai.com\/blog\/?p=46763"},"modified":"2025-02-17T08:55:41","modified_gmt":"2025-02-17T13:55:41","slug":"gatekeeper-vs-terminal-and-fileloc-files","status":"publish","type":"post","link":"https:\/\/mjtsai.com\/blog\/2025\/02\/17\/gatekeeper-vs-terminal-and-fileloc-files\/","title":{"rendered":"Gatekeeper vs. .terminal and .fileloc Files"},"content":{"rendered":"<p><a href=\"https:\/\/medium.com\/@metnew\/exploiting-popular-macos-apps-with-a-single-terminal-file-f6c2efdfedaa\">Vladimir Metnew<\/a> (2020, <a href=\"https:\/\/twitter.com\/vladimir_metnew\/status\/1287762982341087233\">tweet<\/a>):<\/p>\n<blockquote cite=\"https:\/\/medium.com\/@metnew\/exploiting-popular-macos-apps-with-a-single-terminal-file-f6c2efdfedaa\"><p>Popular macOS apps with a file-sharing functionality didn&rsquo;t delegate file quarantine to OS leading to File Quarantine bypass (Windows MOTW analogue) for downloaded files.<\/p><p>[&#8230;]<\/p><p>Many popular products like Keybase, Slack, Skype, Signal, Telegram decided to fix the issue, but the vulnerability remains unfixed in file-syncing apps: Dropbox, OneDrive, Google Drive, etc.<\/p><p>[&#8230;]<\/p><p>Apple knows that it&rsquo;s possible to execute files on the device with <code>.fileloc<\/code>. Apple also knows that all default apps have quarantine enabled.<\/p><p>Launching a quarantined file with <code>.fileloc<\/code> doesn&rsquo;t have security risks, because the user will be asked to confirm file launching.<\/p><p>That means, <code>.fileloc<\/code><strong> is not a vulnerability by itself<\/strong> unless there are <strong>files without a quarantine attribute<\/strong>.<\/p><p>[&#8230;]<\/p><p>OneDrive removes quarantine meta-attribute because Apple granted it <code>com.apple.security.files.user-selected.executable<\/code> entitlement. 
[&#8230;] Apple&rsquo;s head of macOS security made an exception for OneDrive &#x1F62F;.<\/p><\/blockquote>\n\n<p>And file sync apps outside the Mac App Store don&rsquo;t apply it, either.<\/p>\n\n<p><a href=\"https:\/\/twitter.com\/lapcatsoftware\/status\/1288115019431833602\">Jeff Johnson<\/a>:<\/p>\n<blockquote cite=\"https:\/\/twitter.com\/lapcatsoftware\/status\/1288115019431833602\"><p>Remember my sandbox escape that Apple said doesn&rsquo;t have any actual security implications?<\/p><p>Well it has actual security implications.<\/p><\/blockquote>\n\n<p><a href=\"https:\/\/x.com\/thomasareed\/status\/1275494629505404928\">Thomas Reed<\/a>:<\/p>\n<blockquote cite=\"https:\/\/x.com\/thomasareed\/status\/1275494629505404928\"><p>Apple has done EXACTLY what I was hoping they would do to cope with the plague of adware installing malicious configuration profiles! In Big Sur, it will no longer be possible to install these profiles via the command line, or in any way without explicit user consent! 
&#x1F929;<\/p><\/blockquote>\n\n<p>Previously:<\/p>\n<ul>\n<li><a href=\"https:\/\/mjtsai.com\/blog\/2020\/04\/28\/mac-sandbox-escape-via-textedit\/\">Mac Sandbox Escape via TextEdit<\/a><\/li>\n<\/ul>","protected":false},"excerpt":{"rendered":"<p>Vladimir Metnew (2020, tweet): Popular macOS apps with a file-sharing functionality didn&rsquo;t delegate file quarantine to OS leading to File Quarantine bypass (Windows MOTW analogue) for downloaded files.[&#8230;]Many popular products like Keybase, Slack, Skype, Signal, Telegram decided to fix the issue, but the vulnerability remains unfixed in file-syncing apps: Dropbox, OneDrive, Google Drive, etc.[&#8230;]Apple knows [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"apple_news_api_created_at":"2025-02-17T13:55:44Z","apple_news_api_id":"09457cee-d7fa-4aa7-9204-6a07b803468b","apple_news_api_modified_at":"2025-02-17T13:55:44Z","apple_news_api_revision":"AAAAAAAAAAD\/\/\/\/\/\/\/\/\/\/w==","apple_news_api_share_url":"https:\/\/apple.news\/ACUV87tf6SqeSBGoHuANGiw","apple_news_coverimage":0,"apple_news_coverimage_caption":"","apple_news_is_hidden":false,"apple_news_is_paid":false,"apple_news_is_preview":false,"apple_news_is_sponsored":false,"apple_news_maturity_rating":"","apple_news_metadata":"\"\"","apple_news_pullquote":"","apple_news_pullquote_position":"","apple_news_slug":"","apple_news_sections":"\"\"","apple_news_suppress_video_url":false,"apple_news_use_image_component":false,"footnotes":""},"categories":[2],"tags":[47,2518,465,1432,913,438,30,1666,1891,836,48,269],"class_list":["post-46763","post","type-post","status-publish","format-standard","hentry","category-technology","tag-dropbox","tag-entitlements","tag-gatekeeper","tag-google-drive","tag-icloud-drive","tag-launchservices","tag-mac","tag-macos-10-15","tag-macos-11-0","tag-onedrive","tag-security","tag-syncing"],"apple_news_notices":[]
,"_links":{"self":[{"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/posts\/46763","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/comments?post=46763"}],"version-history":[{"count":1,"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/posts\/46763\/revisions"}],"predecessor-version":[{"id":46764,"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/posts\/46763\/revisions\/46764"}],"wp:attachment":[{"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/media?parent=46763"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/categories?post=46763"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/tags?post=46763"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
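The post's point is that a `.fileloc` or `.terminal` file is only dangerous when the file it opens (or the file itself) lacks the `com.apple.quarantine` extended attribute, which is exactly what a sync client writing straight to disk produces. The following is an added triage example, not code from the post or from any of the apps it names. It assumes the documented text layout of the attribute value (`flags;timestamp;agent;uuid`, with the first two fields in hex) and that a `.fileloc` is a plist whose `URL` key is a `file://` URL to the real target; the sample paths, attribute values and plist body are constructed so the script runs offline, while `xattr_via_cli` is the reader you would pass on a real Mac.

```python
"""Quarantine triage for synced files (.terminal / .fileloc), as discussed in the post.
Added example, not code from the post or from the apps it names.
Sample paths, attribute values and the plist body below are constructed."""
import plistlib
import subprocess
from dataclasses import dataclass
from typing import Callable, Dict, Optional
from urllib.parse import unquote, urlparse

QUARANTINE_XATTR = "com.apple.quarantine"


@dataclass
class Quarantine:
    flags: int       # LSQuarantine flags (hex in the raw value)
    timestamp: int   # seconds since the Unix epoch (hex in the raw value)
    agent: str       # app that wrote the attribute, e.g. Safari
    event_id: str    # LSQuarantineEventIdentifier UUID


def parse_quarantine(raw: str) -> Quarantine:
    """Parse the 'flags;timestamp;agent;uuid' text of com.apple.quarantine."""
    parts = raw.strip().split(";")
    if len(parts) < 4:
        raise ValueError(f"unexpected quarantine value: {raw!r}")
    return Quarantine(int(parts[0], 16), int(parts[1], 16), parts[2], parts[3])


def xattr_via_cli(path: str) -> Optional[str]:
    """Reader for a real Mac: `xattr -p com.apple.quarantine PATH`; None when absent."""
    r = subprocess.run(["xattr", "-p", QUARANTINE_XATTR, path],
                       capture_output=True, text=True)
    return r.stdout if r.returncode == 0 else None


def fileloc_target(plist_bytes: bytes) -> str:
    """A .fileloc is a plist whose 'URL' key is a file:// URL to the real target."""
    url = plistlib.loads(plist_bytes)["URL"]
    parsed = urlparse(url)
    if parsed.scheme != "file":
        raise ValueError(f".fileloc target is not a file URL: {url}")
    return unquote(parsed.path)


def triage(path: str,
           read_xattr: Callable[[str], Optional[str]],
           read_bytes: Callable[[str], bytes]) -> Dict[str, object]:
    """Decide whether opening PATH from Finder would hit a quarantine prompt.
    .terminal: the prompt depends on the file's own attribute.
    .fileloc: LaunchServices opens the *target*, so the target's attribute decides
    (the post's 'not a vulnerability by itself unless there are unquarantined files')."""
    own = read_xattr(path)
    result: Dict[str, object] = {
        "path": path,
        "quarantined": own is not None,
        "agent": parse_quarantine(own).agent if own else None,
    }
    if path.lower().endswith(".fileloc"):
        target = fileloc_target(read_bytes(path))
        target_q = read_xattr(target) is not None
        result.update(target=target, target_quarantined=target_q, prompt=target_q)
    else:
        result["prompt"] = own is not None
    return result


# --- constructed sample data (hypothetical paths, not real files) ---
SAMPLE_XATTRS: Dict[str, Optional[str]] = {
    "/Users/demo/Downloads/notes.terminal":
        "0083;5f1e7a3b;Safari;1D3A5C7E-0000-4000-8000-000000000001",  # browser download
    "/Users/demo/Dropbox/run.terminal": None,   # written by a sync client: no attribute
    "/Users/demo/Dropbox/open.fileloc": None,
    "/Users/demo/Dropbox/payload": None,        # the .fileloc's target, also unquarantined
}
SAMPLE_FILES: Dict[str, bytes] = {
    "/Users/demo/Dropbox/open.fileloc":
        plistlib.dumps({"URL": "file:///Users/demo/Dropbox/payload"}),
}


def run_demo() -> Dict[str, bool]:
    """Map each sample launchable path to whether a quarantine prompt would appear."""
    return {p: bool(triage(p, SAMPLE_XATTRS.get, SAMPLE_FILES.__getitem__)["prompt"])
            for p in SAMPLE_XATTRS if p != "/Users/demo/Dropbox/payload"}


if __name__ == "__main__":
    for p, prompt in run_demo().items():
        print(f"{'PROMPT   ' if prompt else 'NO PROMPT'}  {p}")
```

On a real machine, swap `SAMPLE_XATTRS.get` for `xattr_via_cli` and `SAMPLE_FILES.__getitem__` for a function that reads the file; the `.fileloc` branch is what separates "the user gets asked" from "the payload runs silently", which is the distinction the quoted thread turns on.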