The example shell script above pulls a malicious unsigned macho binary down to tmp, sets the executable bit, and runs it backgrounded. An example shell script downloader (down.sh) is below:
I chose curl because it is known that files pulled down by curl do not have the quarantine attribute appended and I chose the /tmp directory because /tmp is not protected by TCC.
SECURITYSPY LAUNCHD DOWNLOAD
Steps are below:īuild a simple shell script that uses curl to download a payload (ex: unsigned macho binary, jxa payload, python, etc.) to /tmp, sets the executable bit, and executes that payload. So this begs the question: what if a script is placed in the Contents/MacOS/ directory instead of a macho, since scripts are not checked by Gatekeeper? That is essentially what this technique does. And macOS will append the quarantine attribute to any files downloaded from browsers (macOS also appends this attribute to files downloaded via other methods such AirDrop, but for the sake of this article I will not go into those here). Contents/MacOS/Name (this is usually a macho with the same name as the app that is executed when the app is run since it is a macho, gatekeeper checks to ensure that it has been signed and notarized if it contains the quarantine attribute - “”). Normally, macOS apps tend to have a directory structure as follows: Renamed it to bad-unsigned-macho and hosted it Update: I recently blogged about a slightly different payload from what is discussed in this post that still works against unpatched macOS systems.
SECURITYSPY LAUNCHD UPDATE
The Apple Security Advisory for Catalina Update 2021–002 can be found at. The Apple Security Advisory for macOS 11.3 can be found at. The CVE is CVE-2021–30657 and can be found in the security advisories for Big Sur 11.3 and Catalina update 2021–002. Therefore, if you are reading this, please update to Big Sur 11.3 or Catalina update 2021–002, where Apple has patched this bug. dmg - no pop ups or warnings from macOS are generated. dmg and double-click the fake app inside of the. This payload can be used in phishing and all the victim has to do is double click to open the. This post will briefly discuss how a bug that I uncovered in macOS Catalina 10.15 (specifically tested on 10.15.7) and in macOS Big Sur before Big Sur 11.3 allows an attacker to very easily craft a macOS payload that is not checked by Gatekeeper.
0 kommentar(er)
