module
macOS Gatekeeper check bypass
| Disclosed | Created |
|---|---|
| 2021-03-25 | 2021-05-07 |
Disclosed
2021-03-25
Created
2021-05-07
Description
This module exploits two CVEs that bypass Gatekeeper.
For CVE-2021-30657, this module serves an OSX app (as a zip) that contains no
Info.plist, which bypasses gatekeeper in macOS
If the user visits the site on Safari, the zip file is automatically extracted,
and clicking on the downloaded file will automatically launch the payload.
If the user visits the site in another browser, the user must click once to unzip
the app, and click again in order to execute the payload.
For CVE-2022-22616, this module serves a gzip-compressed zip file with its file header pointing
to the `Contents` directory which contains an OSX app. If the user downloads the file via Safari,
Safari will automatically decompress the file, removing its `com.apple.quarantine` attribute.
Because of this, the file will not require quarantining, bypassing Gatekeeper on
MacOS versions below 12.3.
For CVE-2021-30657, this module serves an OSX app (as a zip) that contains no
Info.plist, which bypasses gatekeeper in macOS
If the user visits the site on Safari, the zip file is automatically extracted,
and clicking on the downloaded file will automatically launch the payload.
If the user visits the site in another browser, the user must click once to unzip
the app, and click again in order to execute the payload.
For CVE-2022-22616, this module serves a gzip-compressed zip file with its file header pointing
to the `Contents` directory which contains an OSX app. If the user downloads the file via Safari,
Safari will automatically decompress the file, removing its `com.apple.quarantine` attribute.
Because of this, the file will not require quarantining, bypassing Gatekeeper on
MacOS versions below 12.3.
Authors
Cedric Owens
timwr
Ferdous Saljooki
Jaron Bradley
Mickey Jin
Shelby Pace
timwr
Ferdous Saljooki
Jaron Bradley
Mickey Jin
Shelby Pace
References
Module Options
To display the available options, load the module within the Metasploit console and run the commands ‘show options’ or ‘show advanced’:
NEW
Explore Exposure Command
Confidently identify and prioritize exposures from endpoint to cloud with full attack surface visibility and threat-aware risk context.