Cybersecurity researchers have discovered a new vulnerability in macOS which allowed threat actors to completely bypass native security solutions and execute an unsigned and unnotarized application without displaying security prompts.
Announcing the news in a blog post (opens in new tab), researchers from Jamf Threat Labs said they spotted the flaw in the macOS Archive Utility, the native macOS archiving application, similar to WinRAR and other archiving apps.
Abusing the flaw found in this app allows threat actors to circumvent Gatekeeper, and all other security checks.
Quarantining folders
Explaining the flaw, tracked as CVE-2022-32910, Jamf said it revolves around how macOS handles unarchiving files downloaded from the internet.
When a Mac user downloads an archive, it will receive an extended attribute title com.apple.quarantine, signaling to the OS that it was received from a remote location and should be analyzed. Everything that gets extracted will also receive the same quarantine attribute. Well – almost everything. In some cases, Archive Utility will create additional folders to avoid confusion:
“When it comes to application bundles — Gatekeeper only cares if the app directory itself has a quarantine attribute set and disregards recursive files within the app bundle. Therefore, we can bypass Gatekeeper by ensuring that our non-quarantined folder is an application,” the researchers explained.
“As mentioned, the folder name containing our unarchived files is controlled by the user because Archive Utility creates this folder based on the archive name without the extension. Therefore, we can name our archive something like test.app.aar so that when it is unarchived, it will have a folder name titled test.app. Within that app will be an expected application bundle holding the executable.”
For the flaw to be exploited, the archive name must include an .app extension, there should be at least two files or folders in the root of the target directory being archive, as this triggers the auto-renaming of the temporary directory, and only the files and folders within the app should be archive, excluding the test.app directory.
Jamf says that after disclosing it to Apple, the company patched the issue in July 2022, so users are advised to update as soon as possible.
