Bundles of Joy: Breaking macOS via Subverted Applications Bundles

Conference:  Defcon 29

2021-08-01

Summary

The presentation discusses a vulnerability in macOS that allows unsigned applications downloaded from the internet to bypass File Quarantine, Gatekeeper, and Notarization checks. The flaw is triggered by a bare-bones application bundle that is missing its Info.plist file and whose executable component is a script rather than a compiled binary.
  • The speaker triaged the vulnerability by running three different types of unsigned applications and comparing their log messages, looking for a divergence that would point to the binary or executable component where the flaw lay.
  • To see the full log output, the speaker enabled private logging by installing a profile that tells the operating system to log everything.
  • The speaker shared an anecdote about a proof-of-concept application that bypassed all of Apple's security mechanisms despite being unsigned and downloaded from the internet; that application was missing an Info.plist file and had a script-based executable component.
  • The root cause was the combination of the missing Info.plist file and the script-based executable component.
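From a defender's side, the bundle shape the summary describes (no Contents/Info.plist, and a main executable that is a script rather than a Mach-O binary) is easy to audit for on disk. The following scanner is an added example written for this page, not code from the talk or its references; the bundle layout it assumes (`<name>.app/Contents/Info.plist`, `<name>.app/Contents/MacOS/<executable>`) is the standard one, and the function names are my own.

```python
import os
import sys
from pathlib import Path

# Hypothetical detection helper (added here, not from the talk). It walks a
# directory tree, finds .app bundles and flags the two properties the bug
# hinges on: a missing Info.plist and a script-based executable component.

def is_script_executable(path: Path) -> bool:
    """True if the file starts with a '#!' shebang, i.e. it is a script, not a Mach-O."""
    try:
        with path.open("rb") as fh:
            return fh.read(2) == b"#!"
    except OSError:
        return False

def check_bundle(bundle: Path) -> dict:
    """Inspect one .app bundle and report whether it matches the bypass shape."""
    contents = bundle / "Contents"
    has_plist = (contents / "Info.plist").is_file()
    macos_dir = contents / "MacOS"
    executables = [p for p in macos_dir.iterdir() if p.is_file()] if macos_dir.is_dir() else []
    script_execs = sorted(p.name for p in executables if is_script_executable(p))
    return {
        "bundle": str(bundle),
        "has_info_plist": has_plist,
        "script_executables": script_execs,
        # Both conditions together are what the talk describes; flag for review.
        "suspicious": (not has_plist) and bool(script_execs),
    }

def scan(root: Path) -> list:
    """Return a report for every .app bundle found under root (bundles are not descended into)."""
    reports = []
    for dirpath, dirnames, _ in os.walk(root):
        for d in list(dirnames):
            if d.endswith(".app"):
                reports.append(check_bundle(Path(dirpath) / d))
                dirnames.remove(d)
    return reports

if __name__ == "__main__":
    root = Path(sys.argv[1]) if len(sys.argv) > 1 else Path("/Applications")
    for r in scan(root):
        if r["suspicious"]:
            print(f"[!] {r['bundle']}: no Info.plist, script executable(s): {r['script_executables']}")
```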

Abstract

A recent vulnerability, CVE-2021-30657, neatly bypassed a myriad of foundational macOS security features such as File Quarantine, Gatekeeper, and Notarization. Armed with this capability attackers could (and did!) hack macOS systems with a simple user (double-)click. Yikes! In this presentation we’ll dig deep into the bowels of macOS to uncover the root cause of the bug: a subtle logic flaw in the complex and undocumented policy subsystem. Moreover, we’ll highlight the discovery of malware exploiting this bug as an 0day, reversing Apple’s patch, and discuss novel methods of both detection and prevention.

REFERENCES:
  • “All Your Macs Are Belong To Us” https://objective-see.com/blog/blog_0x64.html
  • “macOS Gatekeeper Bypass (2021 Edition)” https://cedowens.medium.com/macos-gatekeeper-bypass-2021-edition-5256a2955508
  • “Shlayer Malware Abusing Gatekeeper Bypass On Macos” https://www.jamf.com/blog/shlayer-malware-abusing-gatekeeper-bypass-on-macos/
