macOS Gatekeeper Achilles
Microsoft has released the details of a vulnerability dubbed Achilles, tracked as CVE-2022-42821, with a CVSS score of 5.5 found in Apple macOS that could be exploited by threat actors to bypass the Gatekeeper security feature.
Apple's Gatekeeper is designed to protect OS X users by performing several checks before allowing an app to run: code that was not signed by an Apple developer is not allowed to execute, and apps that were not downloaded from Apple's store are not allowed to run unless the device has been jailbroken.
The logic issue was discovered on July 27, 2022, and was later addressed by Apple with improved checks. The researchers explained that Gatekeeper bypasses can be used by threat actors to install malware on macOS systems.
One point to note is that Lockdown Mode, the new extreme security feature Apple recently introduced for its users, is not effective against Achilles. This is not surprising, because Lockdown Mode is designed to defend against zero-click remote code execution exploits, not against a local Gatekeeper bypass.
The Achilles vulnerability relies on the Access Control List (ACL) permission model: extremely restrictive permissions are attached to a downloaded file, which blocks the Safari browser from setting the quarantine extended attribute (com.apple.quarantine) that Gatekeeper relies on to decide whether a file needs to be checked.
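From a defender's side, the observable artifact of this technique is a downloaded item that carries a deny-writeextattr ACL but no com.apple.quarantine attribute. The following triage script is an added example and is not code from Microsoft, Apple or the original article; it parses the ACL lines that macOS `ls -le` prints (the sample output below is constructed, with a hypothetical path) and flags that combination. The `assess_on_disk` helper collects the live inputs on a macOS host; the decision logic itself is pure so it can be exercised on sample data anywhere.

```python
"""Triage helper for the Achilles Gatekeeper-bypass artifact (added example).

Flags filesystem items that (a) lack the com.apple.quarantine extended
attribute and (b) carry an ACL entry that denies writing extended attributes.
A download that Safari processed normally would have the quarantine xattr;
the deny-writeextattr ACL explains why it could not be set.
"""
import os
import re
import subprocess
from dataclasses import dataclass, field

QUARANTINE_XATTR = "com.apple.quarantine"
ACL_TEXT_XATTR = "com.apple.acl.text"  # the key named in the Achilles write-up

# macOS `ls -le` prints ACL entries after the mode line, for example:
#  0: group:everyone deny write,writeattr,writeextattr,writesecurity,chown
ACL_LINE = re.compile(
    r"^\s*\d+:\s*(?P<principal>\S+)\s+(?P<kind>allow|deny)\s+(?P<perms>\S+)"
)


@dataclass
class Finding:
    path: str
    quarantined: bool          # com.apple.quarantine present?
    deny_xattr_write: bool     # any ACL entry denies writeextattr?
    acl_entries: list = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        # Quarantine missing while an ACL forbids writing xattrs is the
        # combination the Achilles technique produces on a download.
        return (not self.quarantined) and self.deny_xattr_write


def parse_acl_entries(ls_output: str) -> list:
    """Parse `ls -le` output into (principal, allow|deny, set-of-perms) tuples."""
    entries = []
    for line in ls_output.splitlines():
        m = ACL_LINE.match(line)
        if m:
            entries.append((m["principal"], m["kind"], set(m["perms"].split(","))))
    return entries


def denies_xattr_write(entries) -> bool:
    """True if any deny entry includes the writeextattr permission."""
    return any(kind == "deny" and "writeextattr" in perms for _, kind, perms in entries)


def assess(path: str, xattr_names, ls_output: str) -> Finding:
    """Pure decision step: combine the xattr list and the ACL listing."""
    entries = parse_acl_entries(ls_output)
    return Finding(path, QUARANTINE_XATTR in xattr_names, denies_xattr_write(entries), entries)


def assess_on_disk(path: str) -> Finding:
    """Collect live inputs on macOS (os.listxattr plus `ls -led`) and assess them."""
    names = os.listxattr(path, follow_symlinks=False)
    out = subprocess.run(["ls", "-led", path], capture_output=True, text=True, check=True).stdout
    return assess(path, names, out)


# Constructed sample shaped like `ls -led` output for a bundle carrying the
# restrictive ACL quoted in the write-up; the path is hypothetical.
SAMPLE_LS = """drwxr-xr-x+ 3 user staff 96 Dec 20 10:00 /Users/user/Downloads/Example.app
 0: group:everyone deny write,writeattr,writeextattr,writesecurity,chown
"""

if __name__ == "__main__":
    finding = assess("/Users/user/Downloads/Example.app", [], SAMPLE_LS)
    print("SUSPICIOUS" if finding.suspicious else "ok", finding)
```

Run `assess_on_disk` over the contents of a user's Downloads folder to surface candidates for review; a hit is worth correlating with the browser download history and with whether the item was subsequently launched.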
Working PoC Procedure
- Create a fake directory structure with an arbitrary icon and payload.
- Create an AppleDouble file with the com.apple.acl.text extended attribute key and a value that represents a restrictive ACL (we chose the equivalent of “everyone deny write,writeattr,writeextattr,writesecurity,chown”). Perform the correct AppleDouble patching if using ditto to generate the AppleDouble file.
- Create an archive with the application alongside its AppleDouble file and host it on a web server.
Apple rectified the Achilles security bug in macOS Ventura 13, macOS Big Sur 11.7.2 and macOS Monterey 12.6.2.
The threat landscape continues to evolve: new threats and attack capabilities will take advantage of unpatched vulnerabilities and misconfigurations as a vector to access systems and data. This is one example showing that fake apps remain one of the top entry vectors on macOS, which indicates that Gatekeeper bypass techniques are an attractive, and even a necessary, capability for adversaries to leverage in attacks.