MacOS Gatekeeper Achilles

Microsoft has released the details of a vulnerability dubbed Achilles, tracked as CVE-2022-42821, with a CVSS score of 5.5 found in Apple macOS that could be exploited by threat actors to bypass the Gatekeeper security feature.

The Apple Gatekeeper is designed to protect OS X users by performing several checks before allowing an App to run. For executing a code that wasn’t signed by an Apple developer, it doesn’t allow to run apps that weren’t downloaded from Apple’s store if the device is not jailbroken

Advertisements

The logic issue was discovered on July 27, 2022, that was addressed later by Apple with improved checks. Researchers explained that Gatekeeper bypasses can be used by threat actors to install malware on macOS systems.

One point to note is that the Lockdown Mode, a new extreme security feature Apple recently introduced to Apple users, isn’t effective against Achilles, which isn’t surprising because it’s designed to defend against zero-click remote code execution exploits.

The Achilles vulnerability relies on the Access Control Lists permission model to add extremely restrictive permissions to a downloaded file to block the Safari browser from setting the quarantine extended attribute.

Working PoC Procedure

Create a fake directory structure with an arbitrary icon and payload.
Create an AppleDouble file with the com.apple.acl.text extended attribute key and a value that represents a restrictive ACL (we chose the equivalent of “everyone deny write,writeattr,writeextattr,writesecurity,chown”). Perform the correct AppleDouble patching if using ditto to generate the AppleDouble file.
Create an archive with the application alongside its AppleDouble file and host it on a web server.