Bypass vulnerability discovered in MacOS X GateKeeper

News by Robert Abel

GateKeeper is a mechanism developed by Apple, which enforces code signing and verifies downloaded applications before allowing them to run on the system

Independent researcher Filippo Cavallarin discovered a GateKeeper Bypass vulnerability in Apple’s MacOS X that will allow threat actors to execute untrusted code without any warning or the user’s permission.

GateKeeper is a mechanism developed by Apple and is included in MacOSX which enforces code signing and verifies downloaded applications before allowing them to run on the system. 

Cavallarin said that because Gatekeeper considers both external drives and network shares as safe locations and it allows any application they contain to run and that by combining the design with two legitimate features of MacOS X, it will result in the complete deceivement of the intended behavior, according to a blog post on 24 May.  

The attack can be carried out by creating a zip file with a symlink to an automount endpoint then creating an application (.app folder) with the code you want to run. The attacker would then need to create a publicly accessible NFS share and put the .app in it, upload the zip somewhere online and download it so it gets the quarantine flag used by Gatekeeper, and extract the zip (if needed) and navigate it.

Apple has yet to release a patch for the vulnerability. The company has not responded to SC Media’s request for comment.  

This article was originally published on SC Media US.

Find this article useful?

Get more great articles like this in your inbox every lunchtime

Video and interviews