Jamf Threat Labs recently discovered a new macOS vulnerability in Archive Utility that could lead to the execution of an unsigned and unnotarized application without displaying security prompts to the user, by using a specially crafted archive.

We reported our findings to Apple on May 31, 2022, and in macOS Monterey 12.5 Apple patched the vulnerability, assigning it CVE-2022-32910.

Research led by Ferdous Saljooki, Detections Developer II, Jamf.

Initial discovery

Earlier this year, Jamf Threat Labs identified a vulnerability in the Safari Web Browser that could bypass Gatekeeper checks by leveraging a crafted ZIP archive (CVE-2022-22616). At a low level, this vulnerability existed within the parsing of the Bill of Materials (BoM) when an application was placed within a zip file using a syntax like the following:

zip -r test.app/Contents test.zip

After reporting the issue to Apple, we began to research other archiving features that might suffer from similar issues. This brought us to the testing of the macOS Archive Utility, where we discovered that creating an Apple Archive with a similar command will also result in bypassing Gatekeeper and all security checks upon execution.

aa archive -d test.app/Contents -o

Despite the fact that this command looks somewhat similar to the ZIP command that could previously be used to abuse CVE-2022-22616, this vulnerability is different in that it doesn't involve the BoM at all. Instead, it is a vulnerability within the operation of Archive Utility, which handles ZIP files (and many other archives) by default when they are double-clicked.

Archive Utility

Archives are commonly used to compress and store files, making it easier to share multiple files across devices. Apple provides a built-in archiving tool called Archive Utility which allows users to create and extract supported archives. Users can also create archives by right-clicking files or folders within Finder and selecting Compress. Archive Utility has a minimal user interface and is located at: /System/Library/CoreServices/Applications/Archive Utility.app

When Archive Utility unarchives this file, we see two noticeable differences:
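Gatekeeper only evaluates an application that still carries the com.apple.quarantine extended attribute, which is why an extraction that drops it lets an unsigned, unnotarized app launch with no prompt. The following script is an added example (not code from Jamf's post) that a defender can run on a bundle after Archive Utility has extracted it: it reads the quarantine attribute with the real macOS `xattr` command, parses it, and asks Gatekeeper's own verdict with `spctl --assess`. The "flags;timestamp;agent;uuid" layout of the attribute value and the sample values in the comments are assumptions of this example; the bundle path on the command line is whatever you extracted.

```python
"""Post-extraction Gatekeeper sanity check for .app bundles.

Added example, not Jamf's code. Assumes macOS (`xattr`, `spctl`) for the
live checks; parse_quarantine() is pure Python and runs anywhere.
"""
import datetime as dt
import pathlib
import subprocess
import sys
from dataclasses import dataclass
from typing import Optional

QUARANTINE_XATTR = "com.apple.quarantine"


@dataclass
class Quarantine:
    flags: int            # hex flags field, kept raw (bit meanings vary by OS release)
    timestamp: dt.datetime
    agent: str            # app that applied quarantine, e.g. "Safari"
    uuid: str             # LaunchServices event id; may be empty


def parse_quarantine(value: str) -> Quarantine:
    """Parse a raw attribute value such as '0083;5f6d3a9c;Safari;<UUID>'.

    Assumed layout: four ';'-separated fields (hex flags, hex UNIX time,
    agent name, UUID). Trailing fields can be absent, so pad to four.
    """
    parts = (value.strip().split(";") + ["", "", "", ""])[:4]
    flags_hex, ts_hex, agent, uuid = parts
    return Quarantine(
        flags=int(flags_hex or "0", 16),
        timestamp=dt.datetime.fromtimestamp(int(ts_hex or "0", 16), dt.timezone.utc),
        agent=agent,
        uuid=uuid,
    )


def read_quarantine(bundle: pathlib.Path) -> Optional[Quarantine]:
    """Return the parsed attribute, or None when the bundle carries none.

    `xattr -p` exits non-zero if the attribute does not exist.
    """
    proc = subprocess.run(
        ["xattr", "-p", QUARANTINE_XATTR, str(bundle)],
        capture_output=True, text=True,
    )
    if proc.returncode != 0:
        return None
    return parse_quarantine(proc.stdout)


def gatekeeper_assessment(bundle: pathlib.Path) -> str:
    """Return Gatekeeper's verdict text ('accepted'/'rejected' plus source).

    spctl writes its verbose verdict to stderr, so both streams are joined.
    """
    proc = subprocess.run(
        ["spctl", "--assess", "--type", "execute", "-vv", str(bundle)],
        capture_output=True, text=True,
    )
    return (proc.stdout + proc.stderr).strip()


def audit_bundle(bundle: pathlib.Path) -> dict:
    """Combine both signals into one record.

    A bundle that arrived from the network but has no quarantine attribute
    will never be shown to Gatekeeper at launch; that is the condition to
    alert on after any archive extraction.
    """
    q = read_quarantine(bundle)
    return {
        "bundle": str(bundle),
        "quarantined": q is not None,
        "agent": q.agent if q else None,
        "spctl": gatekeeper_assessment(bundle),
        "suspicious": q is None,
    }


if __name__ == "__main__":
    if sys.platform != "darwin":
        sys.exit("this check needs macOS (xattr/spctl)")
    for arg in sys.argv[1:]:
        print(audit_bundle(pathlib.Path(arg)))
```

Run it as `python3 check_bundle.py /path/to/Extracted.app`; a result with `"quarantined": False` for a bundle that came out of a downloaded archive is the symptom the bypass produces, independent of what `spctl` would have said had it been consulted.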