Earlier this year I discovered the wild world of iOS and macOS security.
One of the OBTS conference talks just showed up on my Twitter feed, needless to say, I was hooked.
The majority of my career has been focusing on developing and hacking web applications, so as you could imagine I have a lot to learn. This is not going to be a super in-depth write-up, as frankly, I don't currently have the technical skill to truly produce one in a reasonable amount of time - with all of this said, let's get to it!
GateKeeper is essentially a series of steps macOS enforces before running a program. The main goal of those steps is to prevent/make it harder for users to infect themselves with malware.
The bug I've found allowed me to bypass all of those steps, taking your macOS system back to 2006 😉.
Upon clicking the downloaded application (which can be masked as an image or a pdf.) the program would immediately execute, no questions asked.
I've started digging into the application structure, playing with the info.plist and document.wflow files with no much progress.
I was curious about the MacOs binary Automator Application Stub, so I created another application and replaced it's binary with my previous application. I've run my app and it executed just fine confirming that the Automator binaries are interchangeable, they are simply executing the instructions on the document.wflow file.
With the realization that the binaries are interchangeable, and that the code executes from the relative document.wflow file, I asked myself the following question, a question that, believe it or not, helped me find dozens of bugs.
What if I put a symlink there?
Turns out the answer to this question is, the application would execute normally. Even with the quarantine attribute, even if it's unsigned.
This means that if an attacker would know the absolute path to a copy of the Automator Application Stub binary on your system, he could craft an application that may bypass all of the Gatekeeper checks.
At this point I thought to myself, this is cool and all, but it would be awesome if a copy of Automator Application Stub would be shipped with macOS at a constant path.
A few find commands later I found that In Big Sur and Monterey, a copy of Automator Application Stub binary can be found at:
/System/Library/CoreServices/Automator Application Stub.app/Contents/MacOS/Automator Application Stub
Making them vulnerable by default.
Contents/MacOSfolder of your app.
rm "Automator Application Stub" ln -s "/System/Library/CoreServices/Automator Application Stub.app/Contents/MacOS/Automator Application Stub" "Automator Application Stub"
You can download my proof of concept here
I think this vulnerability demonstrates you don't have to be a macOS expert to find bugs. Please don't forget update your macOS systems to Monterey 12.1.