The Gatekeeper Bypass exposes Macs to malware


Microsoft has gone public with an analysis of a macOS Gatekeeper bug called Achilles, discovered in July, following Apple’s patch releases last week.

The bug, CVE-2022-42821, exists in macOS Monterey, Big Sur and Ventura and allows an app to bypass Gatekeeper checks.

Gatekeeper checks apps that users download from the Internet. If the app is signed by Apple, the user is prompted to confirm that they want to launch it; if not, the app is not trusted and execution is denied.

Microsoft threat researcher Jonathan Bar Or discovered that an attacker could use macOS access control lists (ACLs) to bypass Gatekeeper.

ACLs give files and directories finer-grained permission management than the permission model macOS inherited from its Unix roots.

Bar Or discovered a logic error in how ACLs are applied to files: a restrictive ACL prevents browsers and download tools from setting the extended attribute (com.apple.quarantine) that tells Gatekeeper a file is untrusted.

Bar Or describes the following proof of concept for bypassing Gatekeeper:

  • “Create a fake directory structure with any icon and payload.
  • Create an AppleDouble file with the extended attribute key com.apple.acl.text and a value representing a restrictive ACL (we chose the equivalent of “any deny write,writeattr,writeextattr,writesecurity,chown”). Do the correct AppleDouble patching if you use ditto to generate the AppleDouble file.
  • Create an archive with the application along with its AppleDouble file and host it on a web server.”
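As an added defensive example (not Microsoft's or Apple's code), the following Python check parses ACL text in the com.apple.acl.text format and flags deny entries that include writeextattr, the right a browser needs in order to write com.apple.quarantine onto a download. The colon-separated entry layout and the sample ACL are assumptions constructed for illustration, and the script inspects the ACL text itself rather than the AppleDouble container that carries it.

```python
# Added detection example: flag a downloaded file whose ACL would have blocked the quarantine xattr.
# Assumes the com.apple.acl.text format: a "!#acl 1" header, then one entry per line laid out as
# tag:uuid:name:id:allow|deny:perm,perm,...  All sample values in this file are constructed.
from collections import namedtuple

QUARANTINE_XATTR = "com.apple.quarantine"
ACL_TEXT_XATTR = "com.apple.acl.text"
XATTR_WRITE_RIGHT = "writeextattr"  # right needed to add any xattr, the quarantine flag included
EVERYONE_UUID = "ABCDEFAB-CDEF-ABCD-EFAB-CDEF0000000C"  # well-known macOS UUID for "everyone"
AclEntry = namedtuple("AclEntry", "tag uuid name kind perms")

def parse_acl_text(text: str) -> list:
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("!#acl"):  # skip blanks and the version header
            continue
        fields = line.split(":")
        if len(fields) < 6:
            raise ValueError(f"malformed ACL entry: {line!r}")
        perms = frozenset(p for p in fields[5].split(",") if p)
        entries.append(AclEntry(fields[0], fields[1].upper(), fields[2], fields[4], perms))
    return entries

def entries_blocking_quarantine(acl_text: str) -> list:
    """Deny entries that would stop a browser from writing com.apple.quarantine."""
    return [e for e in parse_acl_text(acl_text)
            if e.kind == "deny" and XATTR_WRITE_RIGHT in e.perms]

def audit_download(xattrs: dict) -> list:
    """Findings for one downloaded file, given its xattrs as {name: text}."""
    findings = []
    if QUARANTINE_XATTR not in xattrs:
        findings.append("downloaded file carries no com.apple.quarantine attribute")
    for e in entries_blocking_quarantine(xattrs.get(ACL_TEXT_XATTR, "")):
        who = "everyone" if e.uuid == EVERYONE_UUID else f"{e.tag} {e.name}"
        findings.append(f"ACL denies {XATTR_WRITE_RIGHT} for {who}: {','.join(sorted(e.perms))}")
    return findings

# Constructed sample: a restrictive everyone-deny ACL of the kind the report describes
SAMPLE_ACL = (f"!#acl 1\ngroup:{EVERYONE_UUID}:everyone:12:deny:"
              "write,writeattr,writeextattr,writesecurity,chown\n")

if __name__ == "__main__":
    for finding in audit_download({ACL_TEXT_XATTR: SAMPLE_ACL}):
        print("FINDING:", finding)
```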

The fixes are in macOS Big Sur 11.7.2, Monterey 12.6.2 and Ventura 13.
