Apple fixes macOS security flaw behind Gatekeeper bypass

guest · Dec 23, 2021

CVE-2021-30853 allowed attackers to bypass: Gatekeeper, Notarization, Quarantine
December 23, 2021

Apple has addressed a macOS vulnerability that unsigned and unnotarized script-based apps could exploit to bypass all macOS security protection mechanisms even on fully patched systems.
Gatekeeper bypass with a shebang
The CVE-2021-30853 Gatekeeper bypass bug was discovered and reported to Apple by Box Offensive Security Engineer Gordon Long.

He found that specially-crafted script-based applications downloaded from the Internet would launch without showing an alert even though automatically quarantined.
Click to expand...

The "specially-crafted" part requires creating an app that uses a script starting with a shebang (!#) character but leaving the rest of the line empty, which tells the Unix shell to run the script without specifying a shell command interpreter.
This leads to a Gatekeeper bypass [...]

As revealed by Wardle, threat actors can exploit this flaw by tricking their targets into opening a malicious app that can also be camouflaged as a benign-looking PDF document.
Basically, if the script used a shebang (!#) but did not explicitly specify an interpreter, it would bypass Gatekeeper security checks.
Click to expand...

Objective-See (Patrick Wardle): Where's the Interpreter!? (CVE-2021-30853)

bypassing file quarantine, gatekeeper, & notarization requirements ...again!
In Summary
Well, we covered a lot, so let’s end by succinctly summarizing the bug:

When a script-based application with no specified interpreter is launched, execution initially fails with ENOEXEC. This causes the script to be (re)executed via /bin/sh.

As /bin/sh is a Mach-O (not a script), no script labels are set. Thus the script is never evaluated (nor blocked) by syspolicyd.
The policy engine just sees /bin/sh (a trusted platform binary), and thus allows it to execute. Of course /bin/sh then executes the PoC script.

End result? Though the PoC’s script is unsigned and not notarized, it is allowed to execute! #gameover
Click to expand...

Rasheed187 · Dec 25, 2021

mood said: ↑

CVE-2021-30853 allowed attackers to bypass: Gatekeeper, Notarization, Quarantine
December 23, 2021
Objective-See (Patrick Wardle): Where's the Interpreter!? (CVE-2021-30853)
Click to expand...

Wow, seems to be quite a complex exploit. But seems to be strictly a Gatekeeper bypass, in practice this malware would also need to bypass XProtect, but from what I've read this is not that hard.

Rasheed187 · Dec 24, 2022

Nothing ground breaking and it has already been patched, but it's yet another Gatekeeper bypass. Because of this macOS bug, Gatekeeper wouldn't alert about possible malware.

Microsoft reports macOS Gatekeeper has an 'Achilles' heel

Security researchers at Microsoft have discovered a bug in macOS that lets malicious apps bypass Apple's Gatekeeper security software "for initial access by malware and other threats."

Dubbed "Achilles," (which sounds sexier than CVE-2022-42821) Microsoft researchers said the vulnerability was discovered in late July, and quickly patched by Apple in all affected versions of its OSes after the team followed responsible disclosure.
Click to expand...

https://www.theregister.com/2022/12/20/macos_gatekeeper_flaw_microsoft/

Log in or Sign up

Apple fixes macOS security flaw behind Gatekeeper bypass

guest Guest

Rasheed187 Registered Member

Rasheed187 Registered Member

Log in or Sign up

Apple fixes macOS security flaw behind Gatekeeper bypass

guest Guest

Rasheed187 Registered Member

Rasheed187 Registered Member

Useful Searches