Apple has fixed the critical Gatekeeper bypass vulnerability detected and reported by Microsoft researchers. At the time of writing, the vulnerability was fixed in the Big Sur, Monterey, and Ventura versions of macOS.
A day ago, a team of researchers from Microsoft created a proof of concept called Achilles that managed to bypass Apple's Gatekeeper mechanism. Even though the vulnerability CVE-2022-42821 was patched on all macOS versions much earlier, the loophole in Gatekeeper could still have been exploited.
The researchers also highlighted that the additional security feature 'Lockdown Mode' in macOS Ventura could not stop Achilles. Hence, users have been advised to update their software even when Lockdown Mode is on.
Lockdown Mode was designed as a defense against zero-click remote code execution. The vulnerability CVE-2022-42821 was discovered by Microsoft on 27 July 2022 and examined by its team, which built a proof-of-concept exploit. It was patched by the company in July.
Gatekeeper was put in place to enforce application execution restrictions that stop malicious apps, meaning apps that do not come from Apple's marked trusted sources, from running on the device.
A Gatekeeper bypass, the researchers argued, allows malware to gain initial access, which can lead to further exploitation. Gatekeeper was designed to keep users from inadvertently running a malware-infected app or file circulated by cyber attackers. However, it can be bypassed.
First, a downloaded app or file is handled by the browser's security mechanism, which applies the com.apple.quarantine extended attribute. This attribute is attached to all newly downloaded items, and items carrying it that are not signed and notarized by Apple are not permitted to run. The extended attributes can be checked with the xattr command-line utility.
The following images show Gatekeeper adding the flag value 0083 and quarantining a suspicious file:
The researchers observed two main methods of bypassing Gatekeeper: misusing the com.apple.quarantine extended attribute, and exploiting a bug in the components that perform policy checks on held-back (quarantined) files.
The exploited vulnerabilities:
The researchers also managed to manipulate the AppleDouble mechanism after observing that extended attributes are fully restored when a file is archived together with its AppleDouble companion and then extracted by macOS. Apple created AppleSingle and AppleDouble in 1994 to address the difficulty of copying files together with their metadata. AppleSingle is a binary format that keeps a single file's contents and metadata together, whereas AppleDouble stores the metadata in a separate file whose name carries a "._" prefix.
The image shows the ditto utility and the AppleDouble file "._somefile".
Microsoft used the ditto utility to produce an AppleDouble binary file, whose parsing code can be read in the XNU git repository. They created several large extended attributes that would take up enough space to demonstrate that com.apple.quarantine could no longer be assigned. The AppleDouble data was ignored once the attribute size was made larger than 2 GB.
That archiving approach was hampered, but on examining the copyfile_unpack implementation, another special extended attribute was found: com.apple.acl.text, stored under XATTR_SECURITY_NAME. This could be used to apply arbitrary access control lists.
Access control lists (ACLs) that restrict permissions were then manipulated to test their effectiveness. ACLs can be set with the chmod utility and viewed with the ls utility. The researchers added very restrictive ACLs to the downloaded files and found that browsers were then unable to assign the com.apple.quarantine attribute.
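As an added example (not code from the article or from Microsoft's research), the following Python audit applies the two indicators described above to constructed sample data: it decodes a com.apple.quarantine value as printed by `xattr -p`, and scans `ls -le` output for downloaded files that either lack the quarantine attribute or carry a deny ACL on extended-attribute writes, which is what stops a browser from tagging the file. The file names, ACL entries and quarantine strings are constructed; `writeextattr` is the macOS ACL permission for writing extended attributes.

```python
import re
from datetime import datetime, timezone

# Constructed `ls -le` listing of a Downloads folder (sample data, not from the article).
# On macOS, `@` after the mode marks extended attributes, `+` marks an ACL whose
# entries are printed on the indented lines that follow the file.
SAMPLE_LS_LE = """\
-rw-r--r--@ 1 alice staff 1024 Dec 20 10:00 report.pdf
-rw-r--r--+ 1 alice staff 2048 Dec 20 10:01 installer.pkg
 0: group:everyone deny writeattr,writeextattr
"""
# Constructed com.apple.quarantine values as `xattr -p com.apple.quarantine <file>` prints them.
SAMPLE_QUARANTINE = {
    "report.pdf": "0083;63a1b2c3;Safari;0A2B3C4D-1111-2222-3333-444455556666",
}

FILE_RE = re.compile(r"^[-dl][rwxsStT-]{9}[@+]?\s+\d+\s+\S+\s+\S+\s+\d+\s+\S+\s+\d+\s+\S+\s+(?P<name>.+)$")
ACL_RE = re.compile(r"^\s+\d+:\s+(?P<who>\S+)\s+(?P<kind>allow|deny)\s+(?P<perms>\S+)$")


def parse_quarantine(value):
    """Decode a com.apple.quarantine value: hex flags;hex unix timestamp;agent;uuid."""
    parts = value.split(";")
    if len(parts) < 3:
        raise ValueError("unexpected quarantine format: %r" % value)
    return {
        "flags": int(parts[0], 16),
        "downloaded_at": datetime.fromtimestamp(int(parts[1], 16), tz=timezone.utc),
        "agent": parts[2],
        "uuid": parts[3] if len(parts) > 3 else None,
    }


def audit_downloads(ls_le_output, quarantine_values):
    """Return {filename: [findings]} for files that may evade the quarantine check."""
    findings, current = {}, None
    for line in ls_le_output.splitlines():
        m = FILE_RE.match(line)
        if m:
            current = m.group("name")
            findings[current] = []
            if current not in quarantine_values:
                findings[current].append("no com.apple.quarantine attribute")
            continue
        a = ACL_RE.match(line)
        if a and current and a.group("kind") == "deny":
            # A deny on writeextattr blocks any process, the browser included, from tagging the file.
            if "writeextattr" in a.group("perms").split(","):
                findings[current].append("ACL denies writeextattr for %s" % a.group("who"))
    return {name: f for name, f in findings.items() if f}
```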