A now-patched macOS vulnerability allowed unsigned and unnotarized script-based applications to bypass File Quarantine, Gatekeeper, and notarization checks, the layers that are supposed to stop untrusted downloaded software from running. Gatekeeper is the macOS feature that verifies that a downloaded application is signed by a developer and notarized before letting it launch; notarization is Apple's automated scan of submitted software for malicious components and code-signing problems. Because of this bug, a crafted app never reached those checks at all.
Attackers could use a malicious script-based app that triggers the bypass (CVE-2021-30853) to download and run second-stage payloads once the app is launched on a target's Mac. Apple addressed the vulnerability in macOS 11.6, released in September 2021, with what its security advisory describes as improved checks.
Gordon Long, an Offensive Security Engineer at Box, found and reported the CVE-2021-30853 Gatekeeper bypass to Apple. He discovered that specially crafted script-based apps downloaded from the Internet could launch without any Gatekeeper prompt, even though they carried the quarantine attribute applied at download time.
The "specially crafted" part is an app whose main executable is a script that begins with a shebang (#!) followed by no interpreter path at all, ending with an empty line. Because the shebang names no interpreter, the script ends up being run by the shell without any interpreter being specified for the file itself.
The syspolicyd daemon, which the AppleSystemPolicy kernel extension normally invokes to perform the notarization and code-signing checks, was never consulted when such a script was launched, which is what produced the Gatekeeper bypass. In short: a script with a shebang (#!) but no explicit interpreter sailed past Gatekeeper's checks entirely.
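The pattern described above is easy to hunt for on disk: the bundle's declared main executable is a script whose first line is a bare `#!`. The following audit script is an added example written for this article, not code from Apple, Box, or Patrick Wardle's analysis. It resolves the main executable from the bundle's Info.plist with the standard `plistlib` module (an assumption about how a scanner should locate the entry point), classifies the shebang line, and walks the bundle for any other executable file with the same bare-shebang signature. The `Evil.app` bundle it builds is a constructed sample created in a temporary directory purely to exercise the checker; it is not a real malware artifact.

```python
"""Audit .app bundles for the CVE-2021-30853 bare-shebang pattern (added example)."""
import os
import plistlib
import stat
import tempfile
from pathlib import Path


def classify_shebang(first_line: bytes) -> str:
    """Classify the first line of a would-be script.

    'no-shebang'      : does not start with '#!'
    'bare-shebang'    : '#!' followed by nothing (the CVE-2021-30853 pattern)
    'interpreter:<p>' : a normal shebang naming an interpreter path
    """
    if not first_line.startswith(b"#!"):
        return "no-shebang"
    rest = first_line[2:].strip()
    if not rest:
        return "bare-shebang"
    return "interpreter:" + rest.split()[0].decode("utf-8", "replace")


def first_line_of(path: Path) -> bytes:
    """Read only the first line; the rest of the file is irrelevant here."""
    with open(path, "rb") as fh:
        return fh.readline(4096)


def bundle_main_executable(app_dir) -> Path:
    """Resolve Contents/MacOS/<CFBundleExecutable> from the bundle's Info.plist."""
    app_dir = Path(app_dir)
    with open(app_dir / "Contents" / "Info.plist", "rb") as fh:
        info = plistlib.load(fh)
    return app_dir / "Contents" / "MacOS" / info["CFBundleExecutable"]


def audit_bundle(app_dir) -> dict:
    """Classify the bundle's main executable and list every executable file
    under Contents/ whose first line is a bare '#!'."""
    main_exe = bundle_main_executable(app_dir)
    bare = []
    for dirpath, _, names in os.walk(Path(app_dir) / "Contents"):
        for name in names:
            p = Path(dirpath) / name
            st = p.lstat()
            # Only regular files with an execute bit can be launched as the app.
            if not stat.S_ISREG(st.st_mode) or not (st.st_mode & 0o111):
                continue
            if classify_shebang(first_line_of(p)) == "bare-shebang":
                bare.append(str(p))
    return {
        "main_executable": str(main_exe),
        "main_classification": classify_shebang(first_line_of(main_exe)),
        "bare_shebang_files": sorted(bare),
    }


def build_sample_bundle(parent) -> Path:
    """Construct a throwaway bundle (hypothetical, not a real sample) whose main
    executable is the bare '#!' script the article describes, plus a benign
    helper script with a normal shebang for contrast."""
    app = Path(parent) / "Evil.app"
    macos = app / "Contents" / "MacOS"
    macos.mkdir(parents=True)
    with open(app / "Contents" / "Info.plist", "wb") as fh:
        plistlib.dump({"CFBundleExecutable": "Evil",
                       "CFBundleIdentifier": "com.example.evil"}, fh)
    (macos / "Evil").write_bytes(b"#!\n")                   # bare shebang, then an empty line
    (macos / "helper").write_bytes(b"#!/bin/sh\necho hi\n")  # ordinary script
    for f in (macos / "Evil", macos / "helper"):
        f.chmod(0o755)
    return app


def demo() -> dict:
    """Build the constructed sample in a temp dir and audit it."""
    with tempfile.TemporaryDirectory() as tmp:
        return audit_bundle(build_sample_bundle(tmp))


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

Running the script reports the main executable as `bare-shebang` and lists only `Contents/MacOS/Evil`, not the helper with a proper `#!/bin/sh` line. On a real Mac the complementary manual checks are `xattr -p com.apple.quarantine <file>` to confirm the download was quarantined and `spctl --assess --type execute -vv <App.app>` to see what Gatekeeper's policy says about the bundle; the point of the bug is that a bare-shebang main executable was launched without that policy ever being applied.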
“The syspolicyd daemon will perform various policy checks and ultimately prevent the execution of untrusted applications, such as those that are unsigned or unnotarized,” explained security analyst Patrick Wardle.
“But, what if the AppleSystemPolicy kext decides that the syspolicyd daemon does not need to be invoked? Well then, the process is allowed! And if this decision is made incorrectly, well then, you have a lovely File Quarantine, Gatekeeper, and notarization bypass.”
According to Wardle, attackers can exploit the issue by convincing victims to open malicious software disguised as a benign-looking document, such as a PDF. Such payloads can reach victims' machines in many ways, including poisoned search results, fake software updates, and trojanized apps downloaded from sites offering pirated software.