More Details of macOS Archive Utility Flaw Emerge

Now that Apple has patched a vulnerability in its macOS Archive Utility that could let a malicious app slip past the operating system's security checks, the researchers who found it have released additional details about the flaw.

The vulnerability, designated CVE-2022-32910, “could lead to the execution of an unsigned and unnotarized application without displaying security prompts to the user, by using a specially crafted archive,” said Jamf Threat Labs researchers. The researchers added that Apple’s much-vaunted Gatekeeper security technology was no match for the bug under the right circumstances.

“The Gatekeeper functionality in Apple’s macOS is there to provide an added layer of security, so any vulnerability that can bypass it is problematic,” said Mike Parkin, senior technical engineer at Vulcan Cyber.

Because, under the conditions described below, Archive Utility failed to tag the extracted folder with the "com.apple.quarantine" extended attribute, Gatekeeper never inspected it or anything it launched.

Jamf researchers “identified a vulnerability in the Safari Web Browser that could bypass Gatekeeper checks by leveraging a crafted ZIP archive (CVE-2022-22616)” earlier this year. “At a low level, this vulnerability existed within the parsing of the bill of materials (BoM) when an application was placed within a zip file using a syntax” like zip -r test.app/Contents test.zip. That prompted the team to look into “other archiving features that might suffer from similar issues,” the researchers wrote in a blog post.

“This brought us to the testing of the macOS Archive Utility, where we discovered that creating an Apple Archive with a similar command will also result in bypassing Gatekeeper and all security checks upon execution,” the researchers said.

“As we learned from CVE-2022-22616—when it comes to application bundles, Gatekeeper only cares if the app directory itself has a quarantine attribute set and disregards recursive files within the app bundle,” researchers noted. To exploit this latest flaw, they showed they could bypass Gatekeeper by making the non-quarantined folder that Archive Utility produced, which they named myPictures, an application bundle.

Researchers noted the following conditions are needed for the flaw to be exploited:

  1. The archive name must include an .app extension (i.e., test.app.aar).
  2. There should be two or more files or folders in the root of the target directory being archived (i.e., at least two entries directly under test.app/). This causes the auto-renaming of the temporary directory described in the vulnerability section of the Jamf write-up.
  3. Only the files and folders within the app should be archived, excluding the test.app directory.
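The quarantine asymmetry described above (Gatekeeper inspects only the bundle directory, and the bypass leaves that directory with no attribute) is what an incident responder would want to check for on a Mac that has received such an archive. The following audit is an added example written for this article, not code from Jamf Threat Labs or Apple. It models file-system state as a list of paths plus a dictionary of extended attributes so it runs anywhere; the collect_xattrs_macos() helper shows how to populate that dictionary with the real xattr(1) tool on macOS. The pairing of an unquarantined X.app directory with a quarantined X.app.aar or X.app.zip beside it is this example's own heuristic, derived from condition 1 above, and the sample paths and attribute values are constructed, not captured from a real machine.

```python
"""Audit extracted .app bundles for the quarantine gap described in the article.

Added example, not code from Jamf Threat Labs or Apple. File-system state is
modelled as a list of paths plus a dict of extended attributes so the logic
runs on any OS; collect_xattrs_macos() feeds it real data via xattr(1) on a
Mac. The .app/.aar pairing heuristic is this example's own assumption.
"""
from __future__ import annotations

import posixpath
import subprocess
from dataclasses import dataclass

QUARANTINE_XATTR = "com.apple.quarantine"
# Archive types the article mentions; pairing a bundle only with these is an
# assumption of this auditor.
ARCHIVE_SUFFIXES = (".aar", ".zip")


@dataclass
class QuarantineInfo:
    flags: int          # LaunchServices quarantine flag bits
    timestamp: int      # download time, seconds since the Unix epoch
    agent: str          # program that downloaded the file, e.g. Safari
    uuid: str | None    # LaunchServices event UUID; may be empty


def parse_quarantine(value: str) -> QuarantineInfo:
    """Parse a com.apple.quarantine value: 'hexflags;hextime;agent;uuid'."""
    parts = value.split(";")
    if len(parts) < 3:
        raise ValueError(f"malformed quarantine value: {value!r}")
    uuid = parts[3] if len(parts) > 3 and parts[3] else None
    return QuarantineInfo(int(parts[0], 16), int(parts[1], 16), parts[2], uuid)


def is_quarantined(path: str, xattrs: dict[str, dict[str, str]]) -> bool:
    return QUARANTINE_XATTR in xattrs.get(path, {})


@dataclass
class BundleReport:
    bundle: str
    root_quarantined: bool       # the one thing Gatekeeper looks at
    quarantined_children: int    # inner files, which Gatekeeper disregards
    unquarantined_children: int
    source_archive: str | None   # quarantined <name>.aar/.zip beside the bundle

    @property
    def bypass_indicator(self) -> bool:
        # State produced by CVE-2022-32910: a downloaded (quarantined) archive
        # next to an extracted .app whose root directory carries no attribute.
        return not self.root_quarantined and self.source_archive is not None


def audit_bundles(paths: list[str], xattrs: dict[str, dict[str, str]]) -> list[BundleReport]:
    reports = []
    for bundle in sorted(paths):
        if not bundle.endswith(".app"):
            continue
        children = [p for p in paths if p.startswith(bundle + "/")]
        quarantined = sum(1 for c in children if is_quarantined(c, xattrs))
        parent, name = posixpath.split(bundle)
        source = None
        for suffix in ARCHIVE_SUFFIXES:
            candidate = posixpath.join(parent, name + suffix)
            if candidate in paths and is_quarantined(candidate, xattrs):
                source = candidate
                break
        reports.append(BundleReport(bundle, is_quarantined(bundle, xattrs),
                                    quarantined, len(children) - quarantined, source))
    return reports


def collect_xattrs_macos(paths: list[str]) -> dict[str, dict[str, str]]:
    """Real data source on a Mac: xattr -p exits non-zero when the attribute is absent."""
    xattrs: dict[str, dict[str, str]] = {}
    for p in paths:
        r = subprocess.run(["xattr", "-p", QUARANTINE_XATTR, p],
                           capture_output=True, text=True)
        if r.returncode == 0:
            xattrs[p] = {QUARANTINE_XATTR: r.stdout.strip()}
    return xattrs


# Constructed sample tree (not captured from a real system): Safari downloaded
# test.app.aar, Archive Utility produced test.app with no attribute, while
# Good.app came out of a properly handled archive and is quarantined throughout.
SAMPLE_PATHS = [
    "Downloads/test.app.aar",
    "Downloads/test.app",
    "Downloads/test.app/Contents",
    "Downloads/test.app/Contents/MacOS/payload",
    "Downloads/Good.app.zip",
    "Downloads/Good.app",
    "Downloads/Good.app/Contents",
]
_SAFARI = "0083;6346a2f1;Safari;"  # constructed value, UUID field empty
SAMPLE_XATTRS = {
    "Downloads/test.app.aar": {QUARANTINE_XATTR: _SAFARI},
    "Downloads/Good.app.zip": {QUARANTINE_XATTR: _SAFARI},
    "Downloads/Good.app": {QUARANTINE_XATTR: _SAFARI},
    "Downloads/Good.app/Contents": {QUARANTINE_XATTR: _SAFARI},
}


def suspicious_bundles(paths=SAMPLE_PATHS, xattrs=SAMPLE_XATTRS) -> list[str]:
    """Bundles an analyst should look at before trusting Gatekeeper's silence."""
    return [r.bundle for r in audit_bundles(paths, xattrs) if r.bypass_indicator]


if __name__ == "__main__":
    for report in audit_bundles(SAMPLE_PATHS, SAMPLE_XATTRS):
        print(report, "<-- bypass indicator" if report.bypass_indicator else "")
```

On a patched Mac, running the audit over a Downloads folder (with the path list built by os.walk and the attributes gathered by collect_xattrs_macos) should report every bundle as root-quarantined; a bundle flagged by bypass_indicator means the extracted application would launch without the Gatekeeper prompt the article describes and deserves a manual look.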

“While this vulnerability would still require an attacker to get their target to download the payload and launch it locally, the problem shouldn’t be discounted,” said Parkin. “Fortunately, Apple has already issued a patch and there’s no indication either of the related vulnerabilities were exploited in the wild.”

A vulnerability “that bypasses security checks and enables malicious applications to run is, by definition, high severity; coupled with a commonly used function (compression/decompression) it is also high impact,” said Bud Broomhead, CEO at Viakoo.

“Apple’s taken a good first step in patching this vulnerability, but the question remains why all new files and applications would not be subjected to security scans and analysis (i.e. these scans should never be bypassed),” Broomhead said.

“This form of attack vector (enabling malicious apps to run after bypassing security checks) will remain a focus for threat actors,” Broomhead said, meaning that “Apple should consider additional forms of quarantine, such as the app having to run in a test mode first before being directly accessed to address this type of vulnerability.”

Teri Robinson

From the time she was 10 years old and her father gave her an electric typewriter for Christmas, Teri Robinson knew she wanted to be a writer. What she didn’t know is how the path from graduate school at LSU, where she earned a Masters degree in Journalism, would lead her on a decades-long journey from her native Louisiana to Washington, D.C. and eventually to New York City where she established a thriving practice as a writer, editor, content specialist and consultant, covering cybersecurity, business and technology, finance, regulatory, policy and customer service, among other topics; contributed to a book on the first year of motherhood; penned award-winning screenplays; and filmed a series of short movies. Most recently, as the executive editor of SC Media, Teri helped transform a 30-year-old, well-respected brand into a digital powerhouse that delivers thought leadership, high-impact journalism and the most relevant, actionable information to an audience of cybersecurity professionals, policymakers and practitioners.