Microsoft shares details of a Gatekeeper Bypass flaw in Apple macOS - Security Affairs
Microsoft disclosed technical details about a vulnerability in Apple macOS that could be exploited by an attacker to bypass Gatekeeper.
Microsoft has disclosed details of a now-fixed security vulnerability called Achilles (CVE-2022-42821, CVSS score: 5.5) in Apple macOS that can be exploited by threat actors to bypass the Gatekeeper security feature.
Apple Gatekeeper is designed to protect OS X users by performing a series of checks before allowing an app to run. In fact, you won’t be able to run code that isn’t signed by an Apple developer, and you won’t be able to run apps that weren’t downloaded from Apple’s store, unless of course your device is jailbroken.
The bug was discovered on July 27, 2022 by Jonathan Bar Eller of Microsoft; it’s a logic issue that was fixed with improved controls.
“On July 27, 2022, Microsoft discovered a vulnerability in macOS that could allow attackers to bypass application execution restrictions imposed by Apple’s Gatekeeper security mechanism, designed to ensure that only trusted apps run on Mac devices. We developed a proof-of-concept exploit to demonstrate the vulnerability, which we call ‘Achilles’,” reads the post published by Microsoft.
Microsoft researchers explained that Gatekeeper bypasses can be used by threat actors to install malware on macOS systems.
The experts pointed out that Apple’s Lockdown Mode introduced in July does not prevent the exploitation of the Achilles flaw.
The Achilles vulnerability relies on the Access Control Lists (ACLs) permission model to add extremely restrictive permissions to a downloaded file (i.e. “all deny write, writeattr, writeextattr, writesecurity, chown”), which blocks the Safari browser from setting the quarantine extended attribute.
Below is the POC developed by Microsoft:
- Create a fake directory structure with an arbitrary icon and payload.
- Create an AppleDouble file with com.apple.acl.text extended attribute key and a value representing a restrictive ACL (we chose the corresponding “all deny write,writeattr,writeextattr,writesecurity,chown”). Perform proper AppleDouble patching if using ditto to generate the AppleDouble file.
- Create an archive of the application alongside the AppleDouble file and host it on a web server.
A video POC is also available.
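A defender-side check for the archive layout described in the steps above, as an added example that is not from Microsoft's post or the original article: it flags AppleDouble ("._") members of a ZIP archive that carry the com.apple.acl.text key. The function names, the 64 KiB scan limit and the sample archive are assumptions constructed for illustration, and the stub sidecar is not a valid AppleDouble file.

```python
import io
import zipfile

APPLEDOUBLE_MAGIC = b"\x00\x05\x16\x07"  # AppleDouble header magic number
ACL_XATTR_KEY = b"com.apple.acl.text"    # xattr key named in the POC steps
MAX_SCAN_BYTES = 64 * 1024               # assumed cap on bytes read per sidecar


def is_appledouble_name(name):
    """AppleDouble sidecars are stored as '._<name>' beside the real file."""
    base = name.rstrip("/").rsplit("/", 1)[-1]
    return base.startswith("._")


def find_acl_sidecars(zip_bytes):
    """Return names of AppleDouble members that embed the ACL xattr key."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir() or not is_appledouble_name(info.filename):
                continue
            with zf.open(info) as fh:
                data = fh.read(MAX_SCAN_BYTES)
            # Heuristic: AppleDouble magic plus the ACL key anywhere in the header.
            if data.startswith(APPLEDOUBLE_MAGIC) and ACL_XATTR_KEY in data:
                hits.append(info.filename)
    return hits


def build_sample(with_acl):
    """Constructed test archive; the sidecar is a stub, not real AppleDouble."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Sample.app/Contents/MacOS/Sample", b"placeholder\n")
        stub = APPLEDOUBLE_MAGIC + b"\x00" * 22
        stub += (ACL_XATTR_KEY if with_acl else b"com.apple.FinderInfo") + b"\x00"
        zf.writestr("._Sample.app", stub)
    return buf.getvalue()


if __name__ == "__main__":
    for label, flag in (("acl sidecar", True), ("plain sidecar", False)):
        print(label, "->", find_acl_sidecars(build_sample(flag)))
```

A hit means the archive would apply an ACL on extraction and deserves a closer look; it is a triage signal, not proof of malice.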