Note: For additional information on the architecture of Gatekeeper, how it works, and conceptual descriptions of how adversaries bypass it, refer to our previous research: Gatekeeping in macOS: Keeping adversaries off our Apples.
Why do adversaries want to bypass Gatekeeper?
Adversaries attempt to bypass Apple’s Gatekeeper security checks in order to gain execution on a host. Since Gatekeeper’s introduction, the security control has hampered adversaries’ ability to execute untrusted code (i.e., code that does not conform to the system’s security policy). Adversaries may also circumvent the older File Quarantine feature and some of the high-level security checks that Gatekeeper performs, but the objective remains the same: to execute untrusted code.
How do adversaries bypass Gatekeeper?
Since Gatekeeper relies on a separate feature called File Quarantine to identify the files that it will inspect, it makes sense to start this section with a brief explanation of File Quarantine and an examination of the ways that adversaries can circumvent it.
What is File Quarantine?
Our previous research includes a thorough examination of File Quarantine that we encourage you to read. In brief, it’s generally an opt-in security feature for applications like browsers, work management tools, and torrenting clients that applies a quarantine extended attribute (com.apple.quarantine) to files downloaded by users of those applications. This quarantine attribute signals Gatekeeper to inspect files marked with it. File Quarantine is essentially the macOS counterpart of Mark-of-the-Web on Windows systems.
How do adversaries get around it?
Applications that do not set LSFileQuarantineEnabled in their Info.plist and command-line utilities like curl and wget are two examples of download paths that do not append the quarantine extended attribute to downloaded files. WindTail, “VPN Trojan” (Covid), oRAT, and ChromeLoader, just to name a few, have all been known to abuse curl to sidestep File Quarantine.
An adversary could also target users of non-quarantine-aware applications, having them download content without the quarantine attribute and circumventing File Quarantine and Gatekeeper in the process. While possible, this is complicated: the adversary would need to identify a non-quarantine-aware application in use by a victim and then socially engineer the victim into downloading a malicious file with it. By contrast, utilities like curl offer adversaries a seemingly normal and widely available mechanism for downloading files from the internet without the quarantine attribute.
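To make the two points above concrete (what the quarantine attribute actually contains, and what a curl-fetched file looks like next to a browser download), the following Python is an added example, not code from the original post. It parses the com.apple.quarantine value, which Apple does not document but which is consistently laid out as flags;timestamp;agent;uuid, and audits a set of paths for files that lack the attribute. The sample attribute values and paths are constructed; on a Mac the default reader shells out to xattr(1), and the reader is injectable so the audit logic runs anywhere.

```python
"""Parse com.apple.quarantine values and flag downloads that lack them.

Added example, not code from the original post. The attribute layout
(flags;timestamp;agent;uuid) is Apple's undocumented but well-known format.
"""
import datetime as dt
import subprocess
import sys
from typing import Callable, Optional

QUARANTINE_ATTR = "com.apple.quarantine"


def parse_quarantine(value: str) -> dict:
    """Split a quarantine value into its fields.

    Layout: <flags hex>;<unix time hex>;<agent name>;<event UUID>
    The UUID is optional and keys a row in LaunchServices' quarantine
    events database. Flag bits are kept as an integer because their
    meaning is private to Apple.
    """
    parts = value.strip().split(";")
    if len(parts) < 3:
        raise ValueError(f"malformed quarantine value: {value!r}")
    flags = int(parts[0], 16)
    when = dt.datetime.fromtimestamp(int(parts[1], 16), tz=dt.timezone.utc)
    return {
        "flags": flags,
        "downloaded_at": when,
        "agent": parts[2],
        "event_uuid": parts[3] if len(parts) > 3 and parts[3] else None,
    }


def read_quarantine_attr(path: str) -> Optional[str]:
    """Read the attribute with macOS's xattr(1); None when it is absent.

    Only meaningful on Darwin; elsewhere (or on error) it reports no attribute.
    """
    if sys.platform != "darwin":
        return None
    proc = subprocess.run(
        ["xattr", "-p", QUARANTINE_ATTR, path],
        capture_output=True, text=True, check=False,
    )
    return proc.stdout.strip() if proc.returncode == 0 else None


def audit(paths, read_attr: Callable[[str], Optional[str]] = read_quarantine_attr) -> dict:
    """Return {path: parsed attribute or None}; None means File Quarantine was sidestepped."""
    results = {}
    for path in paths:
        raw = read_attr(path)
        results[path] = parse_quarantine(raw) if raw else None
    return results


# Constructed sample: one Safari download, one file fetched with curl (no attribute).
SAMPLE_ATTRS = {
    "/Users/victim/Downloads/installer.pkg":
        "0081;5fa1b2c3;Safari;ED0C1A4E-3B1D-4E2B-9D3A-0C1F8B2A7D55",
    "/Users/victim/Downloads/payload": None,
}

if __name__ == "__main__":
    for path, info in audit(SAMPLE_ATTRS, SAMPLE_ATTRS.get).items():
        if info is None:
            print(f"NO QUARANTINE  {path}")
        else:
            print(f"{info['agent']:<10} {info['downloaded_at']:%Y-%m-%d} {path}")
```

On a real host, calling audit() over the contents of ~/Downloads with the default reader lists every file that arrived without the attribute; those are the candidates Gatekeeper never saw.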
What are some of Gatekeeper’s security checks?
The name of the game here is to trick macOS into launching an executable without first passing a full Gatekeeper check. Before we document existing methods of bypassing Gatekeeper, we should revisit some of the properties that Gatekeeper checks include:
- Gatekeeper arm status
- Gatekeeper security policy (Mac App Store, identified developers, etc)
- Gatekeeper exceptions list (GKE)
- Tamper exclusions list
- Ability to execute, open with launch services, or install
- App bundle
- UDIF disk image
- Bundle identifier and version (if applicable)
- File size
- Responsible file ID
- Quarantine status
- File system type
- Mount point and path
- Notarization (stapled and remote tickets)
- XProtect scan result
Defenders can also inspect many of the database tables that Gatekeeper creates and updates via
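Two of the properties in the list above, Gatekeeper's arm status and the policy verdict for a given file, are the ones defenders most often query by hand, and spctl(8) exposes both. The following Python wrapper is an added example, not code from the original post: it parses spctl's "path: accepted|rejected" line plus its source= and origin= detail lines into a verdict. The spctl output it is exercised against is constructed, and the command runner is injectable so the parsing runs off-box.

```python
"""Query spctl(8) and summarize the Gatekeeper verdict for a set of paths.

Added example, not code from the original post. The sample spctl output
used for testing is constructed from the tool's usual
"<path>: accepted|rejected" plus "source=" / "origin=" lines.
"""
import subprocess
import sys
from dataclasses import dataclass
from typing import Callable, List, Optional


@dataclass
class Verdict:
    path: str
    accepted: bool
    source: Optional[str]   # e.g. "Notarized Developer ID", "no usable signature"
    origin: Optional[str]   # signer identity, when spctl reports one


def parse_assessment(path: str, output: str) -> Verdict:
    """Turn the text spctl prints for one assessed path into a Verdict."""
    accepted = False
    source = origin = None
    for line in output.splitlines():
        line = line.strip()
        if line.startswith(path + ":"):
            # "<path>: accepted" or "<path>: rejected (reason)"
            accepted = line.rsplit(":", 1)[1].strip().startswith("accepted")
        elif line.startswith("source="):
            source = line[len("source="):]
        elif line.startswith("origin="):
            origin = line[len("origin="):]
    return Verdict(path, accepted, source, origin)


def run_spctl(args: List[str]) -> str:
    """Invoke spctl; macOS only. Assessment detail is printed on stderr."""
    if sys.platform != "darwin":
        raise RuntimeError("spctl is only available on macOS")
    proc = subprocess.run(["spctl", *args], capture_output=True, text=True, check=False)
    return proc.stdout + proc.stderr


def gatekeeper_armed(run: Callable[[List[str]], str] = run_spctl) -> bool:
    """`spctl --status` prints 'assessments enabled' when Gatekeeper is armed."""
    return "assessments enabled" in run(["--status"])


def assess(paths, kind: str = "execute",
           run: Callable[[List[str]], str] = run_spctl) -> List[Verdict]:
    """Assess each path under the given operation ('execute', 'install' or 'open')."""
    return [parse_assessment(p, run(["--assess", "--type", kind, "-vv", p])) for p in paths]


# Constructed spctl output for an offline run; a real host uses run_spctl.
FAKE_SPCTL_OUTPUT = {
    "--status": "assessments enabled\n",
    "/Applications/Good.app": (
        "/Applications/Good.app: accepted\n"
        "source=Notarized Developer ID\n"
        "origin=Developer ID Application: Example Corp (ABCDE12345)\n"
    ),
    "/Users/victim/Downloads/Bad.app": (
        "/Users/victim/Downloads/Bad.app: rejected\n"
        "source=no usable signature\n"
    ),
}


def fake_run(args: List[str]) -> str:
    """Stand-in for run_spctl keyed on the last argument (path or --status)."""
    return FAKE_SPCTL_OUTPUT[args[-1]]


if __name__ == "__main__":
    runner = run_spctl if sys.platform == "darwin" else fake_run
    print("Gatekeeper armed:", gatekeeper_armed(run=runner))
    targets = [p for p in FAKE_SPCTL_OUTPUT if p != "--status"]
    for v in assess(targets, run=runner):
        print(f"{'ACCEPT' if v.accepted else 'REJECT':<7} {v.path}  [{v.source}]")
```

A rejected verdict with source "no usable signature" is the case most of the bypasses in the next section try to avoid triggering: the goal is to get the file launched without this assessment ever running, not to make it pass.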
Documented Gatekeeper bypass methods
Gatekeeper is a large security control on macOS with responsibilities ranging from initiating XProtect scans and static analysis to code-signing/notarization validation and, now, application bundle anti-tamper protection. There’s no surefire way to bypass Gatekeeper, and most methods involve the use of an exploit or two. However, researchers have uncovered exploits with overlapping tradecraft:
- CVE-2022-42821, disclosed by Jonathan Bar Or: an AppleDouble file carrying a restrictive Access Control List (ACL) in an extended attribute. The ACL prevented the system from applying the quarantine extended attribute.
- CVE-2022-32910, disclosed by Ferdous Saljooki: Cleverly crafted ZIP archive that revealed a bug in the propagation of the quarantine extended attribute.
- CVE-2022-22616, disclosed by Ferdous Saljooki, Mickey Jin, and Jaron Bradley: Cleverly crafted ZIP archive that fundamentally revealed a bug in parsing BoM (Bill of Materials) files.
- CVE-2021-30658, disclosed by Wojciech Reguła: Enterprise cert-signed iOS app
- CVE-2021-1810, disclosed by Rasmus Sten: Directory/file path length.
- CVE-2021-30990, disclosed by Ron Masas: Generated an applet symlinking the Mach-O binary at ../Contents/MacOS/ to a local copy on the system.
Clever app bundles
Open Scripting Architecture (OSA)
- CVE-2021-30975, disclosed by Ryan Pickren: Cleverly crafted
- CVE-2021-30669: AppleScript – no further information provided
Miscellaneous impacted components: