CVE-2021-30657

Published: 08/09/2021 Updated: 12/07/2022
CVSS v2 Base Score: 4.3 | Impact Score: 2.9 | Exploitability Score: 8.6
CVSS v3 Base Score: 5.5 | Impact Score: 3.6 | Exploitability Score: 1.8
VMScore: 471
Vector: AV:N/AC:M/Au:N/C:N/I:P/A:N

Vulnerability Summary

A logic issue was addressed with improved state management. This issue is fixed in macOS Big Sur 11.3, Security Update 2021-002 Catalina. A malicious application may bypass Gatekeeper checks. Apple is aware of a report that this issue may have been actively exploited.

Vulnerable Product

apple mac os x 10.15.7

apple mac os x 10.15.6

apple macos

apple mac os x

Exploits

This module exploits two CVEs that bypass Gatekeeper. For CVE-2021-30657, this module serves an OSX app (as a zip) that contains no Info.plist, which bypasses Gatekeeper in macOS < 11.3. If the user visits the site on Safari, the zip file is automatically extracted, and clicking on the downloaded file wil ...

Mailing Lists

Full Disclosure mailing list archives: APPLE-SA-2021-04-26-2 macOS Big Sur 11.3. From: Apple Product Se ...

Metasploit Modules

macOS Gatekeeper check bypass

This module exploits two CVEs that bypass Gatekeeper. For CVE-2021-30657, this module serves an OSX app (as a zip) that contains no Info.plist, which bypasses Gatekeeper in macOS < 11.3. If the user visits the site on Safari, the zip file is automatically extracted, and clicking on the downloaded file will automatically launch the payload. If the user visits the site in another browser, the user must click once to unzip the app, and click again in order to execute the payload. For CVE-2022-22616, this module serves a gzip-compressed zip file with its file header pointing to the `Contents` directory which contains an OSX app. If the user downloads the file via Safari, Safari will automatically decompress the file, removing its `com.apple.quarantine` attribute. Because of this, the file will not require quarantining, bypassing Gatekeeper on macOS versions below 12.3.

msf > use exploit/osx/browser/osx_gatekeeper_bypass
msf exploit(osx_gatekeeper_bypass) > show targets
    ...targets...
msf exploit(osx_gatekeeper_bypass) > set TARGET <target-id>
msf exploit(osx_gatekeeper_bypass) > show options
    ...show and set options...
msf exploit(osx_gatekeeper_bypass) > exploit
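
A defender-side check for the CVE-2021-30657 condition described above (an app bundle delivered as a zip with no Info.plist). This Python example is added here and is not code from the Metasploit module or from Apple; it lists bundles in an archive that have files under Contents/MacOS but no Contents/Info.plist. The function names, the constructed sample archive, the "script" flag and the use of this condition as a triage heuristic for downloaded archives are assumptions of the example.

```python
import io
import re
import zipfile

# Captures the outermost "<name>.app" bundle root and the path inside it.
_BUNDLE = re.compile(r"^((?:[^/]+/)*?[^/]+\.app)/(.*)$", re.IGNORECASE)


def audit_zip(data: bytes) -> list[dict]:
    """Return one finding per .app bundle that has files under Contents/MacOS
    but no Contents/Info.plist (heuristic; an assumption of this example)."""
    bundles: dict[str, dict] = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.filename.startswith("__MACOSX/"):  # resource-fork sidecars
                continue
            m = _BUNDLE.match(info.filename)
            if not m:
                continue
            root, inner = m.group(1), m.group(2).lower()
            b = bundles.setdefault(root, {"plist": False, "executables": []})
            if inner == "contents/info.plist":
                b["plist"] = True
            elif inner.startswith("contents/macos/") and not info.is_dir():
                # Extra triage context: is the executable a "#!" script?
                with zf.open(info) as fh:
                    head = fh.read(2)
                b["executables"].append(
                    {"path": info.filename, "script": head == b"#!"})
    # Decide only after the whole archive is read: entry order is arbitrary.
    return [{"bundle": root, "executables": b["executables"]}
            for root, b in sorted(bundles.items())
            if b["executables"] and not b["plist"]]


def build_sample() -> bytes:
    """Constructed sample: one well-formed bundle, one lacking Info.plist."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Good.app/Contents/Info.plist", "<plist/>")
        zf.writestr("Good.app/Contents/MacOS/Good", b"\xcf\xfa\xed\xfe")
        zf.writestr("Docs/Bad.app/Contents/MacOS/Bad", "#!/bin/sh\n# constructed\n")
    return buf.getvalue()


if __name__ == "__main__":
    for finding in audit_zip(build_sample()):
        print(finding)
```

A finding is a prompt for review, not proof of malice: the check only looks at archive structure and says nothing about signing or notarization status.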

Github Repositories

A sample POC to test CVE-2021-30853

CVE-2021-30853: A simple POC script to test for CVE-2021-30657 affecting macOS. This CVE allows bypass of Gatekeeper, notarization and XProtect checks. Vulnerability detail: This vulnerability occurs when you don't define an interpreter (or specify an interpreter that itself is a shell script) in the first line (shebang) of the main script of your executable bundle. This will caus

Unit tests for blue teams to aid with building detections for some common macOS post exploitation methods.

Swift-Attack: Unit tests for blue teams to aid with building detections for some common macOS post exploitation methods. I have included some post exploitation examples using both command line history and API calls. The post exploitation examples included here are not all encompassing. Instead these are just some common examples that I thought would be useful to conduct unit tes

A sample POC for CVE-2021-30657 affecting MacOS

CVE-2021-30657: A simple POC for CVE-2021-30657 affecting macOS. Vulnerability detail: A vulnerability in syspolicyd allows a specially crafted application bundle downloaded from the internet to bypass foundational macOS security features such as File Quarantine, Gatekeeper, and Notarization. Armed with this capability attackers could hack macOS systems with a simple user (double)-cli