Microsoft says it has uncovered a vulnerability in macOS that could allow attackers to bypass restrictions imposed by Apple’s Gatekeeper security mechanism, which is designed to ensure that only trusted apps run on the company’s devices.
According to Microsoft's Security Threat Intelligence team, the vulnerability, which it calls Achilles, could allow attackers to bypass Gatekeeper, giving malware and other threats an initial-access vector that raises the success rate of malicious campaigns and attacks on macOS.
Apple addressed the issue, tracked as CVE-2022-42821, in several macOS releases after Microsoft reported it to the company in July. Microsoft notes, however, that Lockdown Mode in macOS Ventura does not defend against Achilles, since that feature is aimed at zero-click remote code execution exploits rather than at a user being tricked into launching a downloaded app.
In a blog, Microsoft says many macOS infections are due to users inadvertently running malware delivered as fake app bundles that masquerade as different apps or as legitimate files. To combat that infection vector, Apple applies a security mechanism when a file is downloaded through a browser: the browser assigns a special extended attribute to the downloaded file. That attribute, named com.apple.quarantine, is later used to enforce policies such as Gatekeeper and other mitigations designed to prevent sandbox escapes.
Apple has tightened these policies in recent years; under the current Gatekeeper design, the user is prompted for consent if the app is validly approved by Apple, and otherwise the app is prevented from running.
Microsoft says extended attributes are a filesystem feature supported on common macOS filesystems, such as APFS and HFS+, and their main purpose is to store file metadata.
While Gatekeeper is a helpful security feature that is effective at blocking untrusted downloaded files and apps, there have been numerous bypass techniques targeting it in the past, Microsoft says. Such bypasses could have “dire implications,” as malware authors sometimes leverage them for initial access.
In fact, Microsoft calls out two Gatekeeper bypass approaches observed in recent years: misusing the way the com.apple.quarantine extended attribute is assigned, and exploiting a vulnerability in the components that enforce policy checks on quarantined files.
Microsoft lists six Gatekeeper bypass bugs discovered over the last several years, including one, CVE-2021-1810, which intrigued the researchers and got them thinking about what mechanism could be leveraged in archives. That vulnerability was a flaw in the assignment of the quarantine attribute: paths longer than 886 characters were not assigned extended attributes.
“Therefore, creating a symbolic link that points to an app that resides in a long path results in a Gatekeeper bypass,” Microsoft researchers say.
With symbolic links not assigned quarantine attributes, it was possible to completely bypass Gatekeeper.
With that knowledge, Microsoft researchers began looking for a mechanism that could persist different kinds of metadata over archives. They eventually discovered a way to persist important file metadata through AppleDouble. Microsoft describes the mechanism as such:
Even though extended attributes are common on different filesystems, they might be implemented differently or even not supported, so copying files with their metadata becomes a challenging task. To solve this problem, back in 1994, Apple introduced the concept of AppleSingle and AppleDouble formats. In a nutshell, AppleSingle is a binary blob that is added as a part of the original file contents so that there’s only a “single” file to process, whereas AppleDouble saves the metadata in a different file side-by-side next to the original file, with a “._” prefix.
Researchers began looking into how they could use AppleDouble to trick Gatekeeper, and narrowed in on Access Control Lists (ACLs), a mechanism in macOS that extends the traditional permission model and allows fine-grained permissions on files and directories. Those permissions include controlling the ability to write attributes and extended attributes to a file, to set ACLs on the file, and more.
The researchers then attached a very restrictive ACL to downloaded files, which prohibited Safari (or any other program) from setting new extended attributes on them, including the com.apple.quarantine attribute.
Microsoft describes the exploitation steps as follows:
- Create a fake directory structure with an arbitrary icon and payload.
- Create an AppleDouble file with the com.apple.acl.text extended attribute key and a value that represents a restrictive ACL (we chose the equivalent of “everyone deny write,writeattr,writeextattr,writesecurity,chown”). Perform the correct AppleDouble patching if using ditto to generate the AppleDouble file.
- Create an archive with the application alongside its AppleDouble file and host it on a web server.
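The AppleDouble mechanism quoted above and the three exploitation steps suggest a defender-side check: before trusting an archive, inspect any "._" sidecar it carries and flag a com.apple.acl.text attribute whose ACL denies writeextattr, since that is what stops the quarantine attribute from being written. The following is an added example, not Microsoft's code or anything from Apple. The AppleDouble and "ATTR" extended-attribute layout it assumes follows Apple's copyfile.c as the author of this example understands it, the ACL text format follows acl_to_text(3) as understood here, and the sample archive, file names, and ACL string (including the "everyone" group UUID) are constructed fixtures.

```python
"""Scan an archive for AppleDouble ("._") sidecars whose com.apple.acl.text
denies writeextattr, the pre-condition for the Achilles Gatekeeper bypass.

Layout assumptions (macOS copyfile.c, as understood here, not verified
against the page): AppleDouble header = magic 0x00051607, version 0x00020000,
16 filler bytes, u16 entry count, then 12-byte entries (id, offset, length).
Entry 9 (Finder Info) = 32 bytes of Finder info + 2 pad bytes + an "ATTR"
block: magic, debug_tag, total_size, data_start, data_length, 3 reserved
u32, u16 flags, u16 num_attrs, then per attribute u32 offset, u32 length,
u16 flags, u8 namelen (includes NUL), NUL-terminated name, padded to 4 bytes.
"""
import io
import struct
import zipfile

AD_MAGIC = 0x00051607
AD_VERSION = 0x00020000
ENTRY_FINDERINFO = 9
ENTRY_RESOURCE = 2
ATTR_MAGIC = b"ATTR"

# Constructed fixture: the ACL the text describes, in assumed acl_to_text form.
RESTRICTIVE_ACL = (
    "!#acl 1\n"
    "group:ABCDEFAB-CDEF-ABCD-EFAB-CDEF0000000C:everyone:12:deny:"
    "write,writeattr,writeextattr,writesecurity,chown\n"
)


def build_appledouble(xattrs):
    """Build a sidecar carrying `xattrs` (test fixture; assumed layout above)."""
    names = list(xattrs)
    entries_len = sum((11 + len(n.encode()) + 1 + 3) & ~3 for n in names)
    hdr_end = 26 + 2 * 12            # AppleDouble header plus two entries
    attr_start = hdr_end + 32 + 2    # Finder info + pad, then the ATTR header
    data_start = attr_start + 36 + entries_len
    data = b"".join(xattrs[n] for n in names)
    total = data_start + len(data)
    out = struct.pack(">IIIIIIH", AD_MAGIC, AD_VERSION, 0, 0, 0, 0, 2)
    out += struct.pack(">III", ENTRY_FINDERINFO, hdr_end, total - hdr_end)
    out += struct.pack(">III", ENTRY_RESOURCE, total, 0)   # empty resource fork
    out += b"\0" * 34
    out += ATTR_MAGIC + struct.pack(">IIIIIIIHH", 0, total, data_start,
                                    len(data), 0, 0, 0, 0, len(names))
    off = data_start
    for n in names:
        nb = n.encode() + b"\0"
        ent = struct.pack(">IIHB", off, len(xattrs[n]), 0, len(nb)) + nb
        out += ent + b"\0" * (-len(ent) % 4)
        off += len(xattrs[n])
    return out + data


def parse_appledouble_xattrs(blob):
    """Return {name: value} for the xattrs in an AppleDouble blob ({} if none)."""
    if len(blob) < 26:
        return {}
    magic, version, count = struct.unpack(">II16xH", blob[:26])
    if magic != AD_MAGIC or version != AD_VERSION:
        raise ValueError("not an AppleDouble v2 file")
    for i in range(count):
        eid, off, _length = struct.unpack(">III", blob[26 + 12 * i:38 + 12 * i])
        if eid == ENTRY_FINDERINFO:
            break
    else:
        return {}
    attr = off + 34                      # skip 32 bytes Finder info + 2 pad
    if blob[attr:attr + 4] != ATTR_MAGIC or len(blob) < attr + 36:
        return {}
    num = struct.unpack(">H", blob[attr + 34:attr + 36])[0]
    pos, out = attr + 36, {}
    for _ in range(num):
        voff, vlen, _flags, namelen = struct.unpack(">IIHB", blob[pos:pos + 11])
        name = blob[pos + 11:pos + 11 + namelen].rstrip(b"\0").decode()
        out[name] = blob[voff:voff + vlen]
        pos += (11 + namelen + 3) & ~3
    return out


def acl_denies(acl_text, perm="writeextattr"):
    """True if any deny entry withholds `perm`. Assumed line format:
    tag:uuid:name:id:allow|deny[:flags]:perm,perm,... after a '!#acl 1' header."""
    for line in acl_text.splitlines():
        fields = line.split(":")
        if line.startswith("!#acl") or len(fields) < 6 or fields[4] != "deny":
            continue
        if any(perm in f.split(",") for f in fields[5:]):
            return True
    return False


def scan_archive(zip_bytes):
    """Names of '._' members whose ACL would block writing com.apple.quarantine."""
    flagged = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if not info.filename.rsplit("/", 1)[-1].startswith("._"):
                continue
            try:
                xattrs = parse_appledouble_xattrs(zf.read(info))
            except ValueError:
                continue                 # a '._' file that is not AppleDouble
            acl = xattrs.get("com.apple.acl.text")
            if acl and acl_denies(acl.decode("utf-8", "replace")):
                flagged.append(info.filename)
    return flagged


def sample_archive():
    """Constructed archive: a fake app bundle, its restrictive sidecar, and a benign one."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Fake.app/Contents/MacOS/Fake", b"#!/bin/sh\necho hello\n")
        zf.writestr("._Fake.app", build_appledouble(
            {"com.apple.acl.text": RESTRICTIVE_ACL.encode()}))
        zf.writestr("._Readme.txt", build_appledouble(
            {"com.apple.TextEncoding": b"utf-8;134217984"}))
    return buf.getvalue()


if __name__ == "__main__":
    print(scan_archive(sample_archive()))   # ['._Fake.app']
```

The scanner flags only sidecars whose ACL denies writeextattr, because that is the single permission that prevents the browser or Archive Utility from attaching com.apple.quarantine; a sidecar carrying ordinary metadata such as a text encoding passes through. On a real macOS host the same logic can be applied to the sidecars a download produces, and `ls -le` on the extracted app will show the same deny entry if it took effect.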
Fake apps are still one of the top entry vectors on macOS, and Gatekeeper bypasses are a useful tool used by attackers, Microsoft researchers say.
“Nonetheless, through research-driven protections and collaboration with customers, partners, and industry experts, we strive to enrich our protection technologies to defend against such issues—regardless of the platform or device in use,” the company says.