module
macOS Gatekeeper check bypass
| Disclosed | Created |
|---|---|
| 03/25/2021 | 05/07/2021 |
Disclosed
03/25/2021
Created
05/07/2021
Description
This module exploits two CVEs that bypass Gatekeeper.
For CVE-2021-30657, this module serves an OSX app (as a zip) that contains no
Info.plist, which bypasses gatekeeper in macOS
If the user visits the site on Safari, the zip file is automatically extracted,
and clicking on the downloaded file will automatically launch the payload.
If the user visits the site in another browser, the user must click once to unzip
the app, and click again in order to execute the payload.
For CVE-2022-22616, this module serves a gzip-compressed zip file with its file header pointing
to the `Contents` directory which contains an OSX app. If the user downloads the file via Safari,
Safari will automatically decompress the file, removing its `com.apple.quarantine` attribute.
Because of this, the file will not require quarantining, bypassing Gatekeeper on
MacOS versions below 12.3.
For CVE-2021-30657, this module serves an OSX app (as a zip) that contains no
Info.plist, which bypasses gatekeeper in macOS
If the user visits the site on Safari, the zip file is automatically extracted,
and clicking on the downloaded file will automatically launch the payload.
If the user visits the site in another browser, the user must click once to unzip
the app, and click again in order to execute the payload.
For CVE-2022-22616, this module serves a gzip-compressed zip file with its file header pointing
to the `Contents` directory which contains an OSX app. If the user downloads the file via Safari,
Safari will automatically decompress the file, removing its `com.apple.quarantine` attribute.
Because of this, the file will not require quarantining, bypassing Gatekeeper on
MacOS versions below 12.3.
Authors
Cedric OwenstimwrFerdous SaljookiJaron BradleyMickey JinShelby Pace
References
Module Options
To display the available options, load the module within the Metasploit console and run the commands ‘show options’ or ‘show advanced’:
msf > use exploit/osx/browser/osx_gatekeeper_bypass
msf /(s) > show actions
...actions...
msf /(s) > set ACTION < action-name >
msf /(s) > show options
...show and set options...
msf /(s) > run
NEW
Explore Exposure Command
Confidently identify and prioritize exposures from endpoint to cloud with full attack surface visibility and threat-aware risk context.