‘Achilles’ vulnerability exploit bypasses macOS Gatekeeper

Microsoft researchers discovered a vulnerability in macOS, dubbed “Achilles”, that could allow attackers to bypass Apple’s Gatekeeper, the security feature designed to ensure that only trusted software runs on a Mac.

Microsoft reported the Achilles vulnerability (CVE-2022-42821) to Apple on July 27, 2022. Apple fixed it in macOS Ventura 13 and later back-ported the fix to macOS Monterey 12.6.2 and macOS Big Sur 11.7.2, both released as part of Apple’s security updates of December 13, 2022.

“We developed a proof-of-concept exploit to demonstrate the vulnerability, which we call ‘Achilles’. Gatekeeper bypasses such as this could be leveraged as a vector for initial access by malware and other threats and could help increase the success rate of malicious campaigns and attacks on macOS,” Jonathan Bar Or from Microsoft’s 365 Defender Research Team wrote in a blog post.

In macOS Ventura, Apple extended Gatekeeper to block apps that are not properly signed and to check the integrity of notarized apps, not only those still carrying the quarantine attribute. Gatekeeper thus also helps detect unauthorized modification of an app after it was notarized.

When a user downloads a validly signed and notarized app to their Mac, macOS still asks for consent the first time the app is launched. An app that fails those checks is blocked, and the user is told it cannot be verified and is not trusted.

Previous Gatekeeper bypasses

Readers may recall that in 2021 researchers found the Mac malware Shlayer exploiting a flaw that bypassed Gatekeeper and other built-in macOS protections, including Notarization and File Quarantine.

Jamf’s security team found the exploit in use in the wild from January 9, 2021, delivered by a variant of the Shlayer adware dropper. That variant closely resembled a sample Intego had analyzed earlier, but had been repackaged to abuse CVE-2021-30657, a Gatekeeper bypass Apple patched in April 2021.

On March 14, 2022, Apple also patched a vulnerability in BOM, the bill-of-materials component behind Archive Utility (CVE-2022-22616), across multiple macOS versions as part of its March 2022 security updates. That flaw allowed a maliciously crafted ZIP archive to bypass Gatekeeper checks.

Achilles POC

Gatekeeper only inspects files that carry the com.apple.quarantine extended attribute, which the browser sets on a download and which Archive Utility propagates to extracted files. Microsoft found that a restrictive ACL stored in an AppleDouble file inside the archive is applied to the extracted payload before that attribute can be written; the attribute is therefore never set and Gatekeeper never evaluates the app. Microsoft built a proof of concept (POC) around this behavior to illustrate how Achilles could be exploited.

“After some investigation, we discovered a way to persist important file metadata through a mechanism called AppleDouble,” Microsoft noted.

Microsoft listed the following POC steps to pull off the exploit:

  1. Create a fake directory structure with an arbitrary icon and payload.
  2. Create an AppleDouble file with the com.apple.acl.text extended attribute key and a value that represents a restrictive ACL (Microsoft picked the equivalent of “everyone deny write,writeattr,writeextattr,writesecurity,chown”). Perform the correct AppleDouble patching if using ditto to generate the AppleDouble file.
  3. Create an archive with the application alongside its AppleDouble file and host it on a web server.
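Scanning for the artifact those steps produce is the check a defender can run on an archive before it reaches a Mac. The following Python script is an added example, not part of Microsoft’s PoC or of this article: it walks a ZIP for AppleDouble side-files (`._*`, usually under `__MACOSX/`), pulls out the extended attributes they carry, and flags any `com.apple.acl.text` value with a deny entry that withholds `writeextattr`, the right whose denial stops `com.apple.quarantine` from being written. The AppleDouble header and entry table follow RFC 1740; the layout of the embedded `ATTR` block is assumed from Apple’s open-source copyfile.c, and the ACL text form, the sample archive and its file names are constructed for the example.

```python
"""Flag archives carrying an AppleDouble side-file whose ACL would stop the quarantine xattr."""
import io
import struct
import zipfile

ADOUBLE_MAGIC, ADOUBLE_VERSION = 0x00051607, 0x00020000
ENTRY_FINDER_INFO, ENTRY_RESOURCE_FORK = 9, 2
ATTR_MAGIC = b"ATTR"
# 'ATTR' header: magic, debug_tag, total_size, data_start, data_length, reserved[3], flags, num_attrs
ATTR_HDR_FMT = ">4sIIIIIIIHH"
ACL_XATTR = "com.apple.acl.text"
# Constructed sample ACL in the assumed text form of com.apple.acl.text ("!#acl 1" header,
# then kind:uuid:name:id:verdict:rights); the UUID is macOS's well-known 'everyone' group.
ACHILLES_ACL = ("!#acl 1\n"
                "group:ABCDEFAB-CDEF-ABCD-CDEF-ABCDEF00000C:everyone:12:deny:"
                "write,writeattr,writeextattr,writesecurity,chown\n")


def build_appledouble(xattrs):
    """AppleDouble file with xattrs, in the layout assumed from Apple's open-source copyfile.c:
    26-byte header, two entry descriptors, 32 bytes Finder info + 2 pad, 'ATTR' header, table, values."""
    table, values = b"", b""
    table_len = sum((11 + len(n.encode()) + 1 + 3) & ~3 for n in xattrs)   # 4-byte aligned records
    off = data_start = 84 + 36 + table_len
    for name, value in xattrs.items():
        name_b = name.encode() + b"\0"
        rec = struct.pack(">IIHB", off, len(value), 0, len(name_b)) + name_b
        table, values, off = table + rec + b"\0" * (-len(rec) % 4), values + value, off + len(value)
    total = data_start + len(values)
    out = struct.pack(">II16xH", ADOUBLE_MAGIC, ADOUBLE_VERSION, 2)
    out += struct.pack(">III", ENTRY_FINDER_INFO, 50, total - 50)
    out += struct.pack(">III", ENTRY_RESOURCE_FORK, total, 0)       # empty resource fork
    out += b"\0" * 34                                                # Finder info + pad
    out += struct.pack(ATTR_HDR_FMT, ATTR_MAGIC, 0, total, data_start, len(values), 0, 0, 0, 0, len(xattrs))
    return out + table + values


def parse_appledouble_xattrs(blob):
    """{name: value} for the xattrs in an AppleDouble blob; {} if not AppleDouble, no ATTR block, or truncated."""
    try:
        magic, version, n_entries = struct.unpack_from(">II16xH", blob, 0)
        if (magic, version) != (ADOUBLE_MAGIC, ADOUBLE_VERSION):
            return {}
        finder = None
        for i in range(n_entries):
            eid, off, length = struct.unpack_from(">III", blob, 26 + 12 * i)
            if eid == ENTRY_FINDER_INFO:
                finder = (off, length)
        if finder is None:
            return {}
        hdr = finder[0] + 34                       # skip the 32 Finder-info bytes and 2 pad bytes
        fields = struct.unpack_from(ATTR_HDR_FMT, blob, hdr)
        if fields[0] != ATTR_MAGIC:
            return {}
        attrs, pos = {}, hdr + 36
        for _ in range(fields[-1]):                # num_attrs
            off, length, _flags, namelen = struct.unpack_from(">IIHB", blob, pos)
            name = blob[pos + 11:pos + 11 + namelen].rstrip(b"\0").decode()
            attrs[name] = blob[off:off + length]
            pos += (11 + namelen + 3) & ~3
        return attrs
    except (struct.error, UnicodeDecodeError):
        return {}


def acl_denies_writeextattr(acl_text):
    """True if any deny entry withholds writeextattr: the browser and Archive Utility then
    cannot stamp com.apple.quarantine on the extracted file, so Gatekeeper never runs."""
    for line in acl_text.splitlines():
        fields = line.split(":")
        if len(fields) >= 6 and fields[4] == "deny" and "writeextattr" in fields[5].split(","):
            return True
    return False


def scan_zip(zip_bytes):
    """(side_file, protected_member, acl_text) for each ._ side-file (under __MACOSX/ or beside
    its target) whose ACL denies writeextattr."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            dirname, _, base = info.filename.rpartition("/")
            if not base.startswith("._"):
                continue
            acl = parse_appledouble_xattrs(zf.read(info)).get(ACL_XATTR)
            text = acl.decode("utf-8", "replace") if acl is not None else ""
            if acl_denies_writeextattr(text):
                if dirname.startswith("__MACOSX"):     # ditto keeps side-files under __MACOSX/
                    dirname = dirname[len("__MACOSX"):].lstrip("/")
                findings.append((info.filename, f"{dirname}/{base[2:]}" if dirname else base[2:], text.strip()))
    return findings


def build_sample_zip():
    """Constructed sample: a fake app bundle, its ACL-carrying side-file, and a benign side-file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Payload.app/Contents/MacOS/Payload", b"#!/bin/sh\necho constructed payload\n")
        zf.writestr("__MACOSX/._Payload.app", build_appledouble({ACL_XATTR: ACHILLES_ACL.encode()}))
        zf.writestr("__MACOSX/._README.txt", build_appledouble({"com.apple.lastuseddate#PS": b"\0" * 16}))
    return buf.getvalue()


if __name__ == "__main__":
    for side, target, acl in scan_zip(build_sample_zip()):
        print(f"{side} shields {target!r} from quarantine with:\n{acl}")
```

The scanner deliberately keys on the right being denied rather than on the exact string Microsoft chose, since an attacker can pick any subject or any superset of rights as long as `writeextattr` is among them; run it against real archives with `scan_zip(open(path, "rb").read())`, and treat a hit on an `.app` bundle as grounds to drop the archive rather than let a Mac extract it.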

Microsoft also provided a video demonstrating how the Achilles exploit could use ACLs to bypass Apple’s Gatekeeper security feature.
