A PoC exploit for a macOS Gatekeeper bypass flaw tracked as CVE-2021-1810 has been released for all and is now being exploited in the wild.

What's the threat?

The flaw can be exploited to bypass the three protections file quarantine; Gatekeeper; and notarization, in macOS.
  • Researchers found the flaw in the Archive Utility component of macOS Catalina and Big Sur.
  • To successfully exploit CVE-2021-1810, an attacker needs to convince the targeted victims into downloading and executing an executable archive code.
  • The vulnerability exploits the way in which Archive Utility handles file paths in MacOS systems.

Here’s how it works

By exploiting the vulnerability, it is possible to bypass Gatekeeper security mechanism that prevents the download of malicious files. 
  • It happens due to the way the Archive Utility manages file paths of length larger than 886 characters.
  • When the path length is long enough, Safari calls the Archive Utility but does not implement the quarantine-related process (com[.]apple[.]quarantine attribute), allowing the attacker to bypass the Gatekeeper security.
  • Accordion to researchers, it was possible to execute unsigned binaries on macOS despite Gatekeeper enforcement of code signatures, allowing a hacker to run a custom implant on such systems.

To make the campaign more convincing, the archive folder structure can be hidden with a symbolic link in the root, making it look almost identical to a single app bundle in the archive root.

Conclusion

The recent PoC provides insights into the ways attackers can target and evade the native security of macOS. Moreover, it shows the consequences of not applying security patches and updates as soon as they are released. The vulnerability is fixed in macOS Big Sur 11.3 and Security Update 2021-002.
Cyware Publisher

Publisher

Cyware