
Bundles of Joy: Breaking MacOS via Subverted Applications Bundles

Formal Metadata

Title
Bundles of Joy: Breaking MacOS via Subverted Applications Bundles
Title of Series
Number of Parts
84
Author
License
CC Attribution 3.0 Unported:
You are free to use, adapt and copy, distribute and transmit the work or content in adapted or unchanged form for any legal purpose as long as the work is attributed to the author in the manner specified by the author or licensor.
Identifiers
Publisher
Release Date
Language

Content Metadata

Subject Area
Genre
Abstract
A recent vulnerability, CVE-2021-30657, neatly bypassed a myriad of foundational macOS security features such as File Quarantine, Gatekeeper, and Notarization. Armed with this capability, attackers could (and did!) hack macOS systems with a simple user (double-)click. Yikes! In this presentation we'll dig deep into the bowels of macOS to uncover the root cause of the bug: a subtle logic flaw in the complex and undocumented policy subsystem. Moreover, we'll highlight the discovery of malware exploiting this bug as a 0day, reverse Apple's patch, and discuss novel methods of both detection and prevention.

REFERENCES:
"All Your Macs Are Belong To Us" https://objective-see.com/blog/blog_0x64.html
"macOS Gatekeeper Bypass (2021 Edition)" https://cedowens.medium.com/macos-gatekeeper-bypass-2021-edition-5256a2955508
"Shlayer Malware Abusing Gatekeeper Bypass On Macos" https://www.jamf.com/blog/shlayer-malware-abusing-gatekeeper-bypass-on-macos/