
Apple Gatekeeper Bypass

Two ways to deliver malware on macOS silently

Karol Mazurek
Sep 16, 2024

INTRO

I tested different things while learning how Apple macOS protects us from malware infections, and I mainly focused on the Quarantine attribute on which Gatekeeper relies. You can find the article with my notes here:

In short, the idea of Gatekeeper is to block any third-party app downloaded from the network on its first launch. For instance, if we download the Grammarly app and then open it, we may see the warning window below:

I researched different methods of delivering malware to macOS users and found two vulnerable avenues where the security window is not shown on app launch.

USB flash drive bypass

The quarantine attribute is not set for files transferred from a Pendrive, so the Gatekeeper check is not enforced on these files, which allows unsigned and unnotarized software to run. This is shown in the recording below:

The recording shows the main screen captured from my MacBook and, nested inside it, the screen of the Mac Mini connected to it using the Screen Sharing feature.

Below, I also share a step-by-step Proof of Concept to recreate it in a home lab.

Proof of Concept

To recreate the issue, we need two devices with macOS Sonoma (I tested it on version 14.5 23F79), one USB flash drive, and a simple “malware” app:

// clang -o hello hello.c
#include <stdio.h>

int main(void) {
    printf("Hello SIMPLE!!\n");
    return 0;
}

Below is a step-by-step guide, the same as shown in the recording above:

  1. Compile the app on the MacBook.
  2. Plug the USB flash drive into the MacBook.
  3. Drag&drop the executable from the MacBook to the USB flash drive.
  4. Unplug the flash drive from the MacBook.
  5. Connect it to the MacMini.
  6. Drag&drop the executable from the flash drive to the MacMini.
  7. Double-click on the executable on MacMini.
  8. Observe that it executes without any security window.
  9. Observe that the app does not have a quarantine attribute set:
xattr -l hello

Expected results

Files transferred from external resources (a USB flash drive in this case) should have a quarantine attribute set.

Actual results

Files transferred from external resources (a USB flash drive in this case) have no quarantine attribute set.

Reporting

The first bypass using a USB flash drive was reported on 17/06/2024:

After a few exchanged messages with Product Security, I gave up on trying to convince them to patch the issue. This was the final message I received:

The first bypass is not very risky: if we can deliver a USB flash drive to the victim and convince them to plug it in, we can do much worse.

Still, the root cause of the problem here is the logic handling the mounted drives, such as Pendrives, when plugged in, but also… Network Shares!

Network Shares bypass

The quarantine attribute is not set for files transferred from Network Shares, so the Gatekeeper check is not enforced on these files, which allows unsigned and unnotarized software to run. This is shown in the recording below:

The recording shows the screen of my MacBook, which connects to a WebDAV share hosted by the MacMini. We could also mount a MacMini drive instead of using WebDAV to host the file. The second PoC is shown below:

The Proof of Concept below describes the screenshot above, not the recording.

Proof of Concept

We need two devices with macOS Sonoma (I tested it on version 14.5 23F79) and a simple “malware” app to recreate the issue. For the recorded PoC, we need just one macOS device and any other machine to host the malware on WebDAV:

# Starting webdav
wsgidav --host 0.0.0.0 --port 80 --auth anonymous --root .

Here are the steps of the Proof of Concept from the screenshot, following the white numbers in red circles marked in the image:

  1. The app is prepared on the MacMini.
  2. MacMini sharing settings are turned on for File Sharing.
  3. Connecting from MacBook to MacMini.
  4. The app is shared via mounted network volume.
  5. Execute (X) permissions are preserved and there is no quarantine attribute on the mounted volume.
  6. Drag&drop it to my MacBook Desktop.
  7. Again, no quarantine attribute, and X permissions are preserved.

Expected results

Files transferred from external resources (a mounted Network drive in this case) should have a quarantine attribute set and X permissions stripped.

Actual results

Files transferred from external resources (a mounted Network drive in this case) have no quarantine attribute set, and X permissions are not stripped.
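Both PoCs above come down to the same observable condition: an executable file that reached the disk without a com.apple.quarantine attribute. The following defender-side audit is an added example (not the author's code): it parses `xattr -l` output and the `flags;timestamp;agent;uuid` layout of the quarantine attribute, and flags executables that lack it. The sample listings are constructed, and `collect()` only runs when the `xattr` utility is present on the host.

```python
"""Audit files for a missing com.apple.quarantine attribute (added example)."""
import os
import shutil
import stat
import subprocess
from dataclasses import dataclass

QUARANTINE_KEY = "com.apple.quarantine"


@dataclass
class Quarantine:
    flags: int       # hex bit field consulted by LaunchServices/Gatekeeper
    timestamp: int   # hex seconds since the epoch: when the file was quarantined
    agent: str       # application that set the attribute, e.g. Safari
    event_id: str    # UUID of the QuarantineEvents record (may be absent)


def parse_quarantine(value: str) -> Quarantine:
    """Parse the 'flags;timestamp;agent;uuid' value of com.apple.quarantine."""
    parts = value.split(";")
    if len(parts) < 3:
        raise ValueError(f"malformed quarantine attribute: {value!r}")
    return Quarantine(int(parts[0], 16), int(parts[1], 16), parts[2],
                      parts[3] if len(parts) > 3 else "")


def parse_xattr_listing(text: str) -> dict:
    """Turn `xattr -l <file>` output ('name: value' per line) into a dict."""
    attrs = {}
    for line in text.splitlines():
        if ": " in line:
            name, value = line.split(": ", 1)
            attrs[name.strip()] = value.strip()
    return attrs


def audit(entries):
    """entries: iterable of (path, mode, xattrs). Return the paths of files that
    are executable yet carry no quarantine attribute (the USB/share case)."""
    exec_bits = stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH
    return [path for path, mode, xattrs in entries
            if mode & exec_bits and QUARANTINE_KEY not in xattrs]


def collect(paths):
    """Gather (path, mode, xattrs) from a live macOS host; empty list elsewhere."""
    if not shutil.which("xattr"):
        return []
    return [(p, os.stat(p).st_mode, parse_xattr_listing(
        subprocess.run(["xattr", "-l", p], capture_output=True, text=True).stdout))
        for p in paths]
```

Running `audit(collect(["./hello"]))` on the Desktop copy from step 7 would list it, while a browser download carrying the attribute would not.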

Reporting

The second bypass using a Network Share was reported on 17/06/2024, in the same report as the USB Flash Drive bypass, but using the Proof of Concept presented in the screenshot. However, I was left without any comment on the second bypass, so I reported it again on 19/08/2024:

I was sure this issue would be patched, as Network Shares are commonly used in many companies. Yet, Apple thinks otherwise:

Even if Apple Product Security does not see “security implications” here and, as expected, closed the issue, we may not see this behavior in the future, as it was forwarded to software engineers unrelated to security to be patched.

FINAL WORDS

Understandably, Apple does not bother with the Pendrive bypass. However, I'm afraid I have to disagree with Product Security's statement that the Network Shares bypass is not a security issue. Moreover, a similar bug was reported to Microsoft last month as a Mark of the Web protection bypass:

The Mark of the Web (MOTW) is the Windows equivalent of the Quarantine attribute. In the above article, we can observe a video PoC similar to the one I recorded.

Silent patches are not cool.

Responses (1)


Very cool! According to HackTricks, it also may be possible to bypass the quarantine flag when a file is downloaded via BitTorrent. I haven't tested this personally, but please do share if you do, as it could be an interesting distribution vector.