Simply dropping an executable within this folder will not result in any success. In the image above, we see that everything below the renamed directory (myPictures) receives the quarantine attribute, as expected. We will see why this is important when the temporary directory is renamed. However, ArchiveService failed to apply the quarantine attribute to the NSIRD_ArchiveService_XXXXXX folder itself, only applying the quarantine attributes to the extracted contents within it. It invokes a low-level function titled _qtn_file_apply_to_path in libquarantine.dylib which applies the quarantine attribute to the unarchived files located in the temporary directory NSIRD_ArchiveService_XXXXXX.
The ArchiveService process will ensure the quarantine attribute is propagated to all of the extracted contents before it is moved to the target location (typically, the user's Downloads folder). Using Apple’s Endpoint Security to monitor file usage, we can determine that the ArchiveService process writes the extracted contents to a temporary directory located at the following path: /private/var/folders/Īrchive Utility contains a function titled _propagateQuarantineInformation.
ARCHIVE UTILITY MAC ARCHIVE
Presumably, this feature exists to prevent many files from being extracted to the current directory making it inconvenient to move or delete.Ī number of processes are involved in the unpacking of an archive including Archive Utility, AUHelperService and ArchiveService. When our myPictures.aar file was unpacked, Archive Utility created a folder named myPictures containing our extracted files. In our example, the root directory of our archive contained a folder named photos and a file named 4.png. So, why is this new folder missing the quarantine attribute? When extracting an archive containing two or more files or folders in its root directory, Archive Utility will create a new folder based on the specified archive name.
Archive UtilityĪrchives are commonly used to compress and store files making it easier to share multiple files across devices.
ARCHIVE UTILITY MAC ZIP
Instead, it is a vulnerability within the operation of Archive Utility which handles ZIP files (and many other archives) by default, when they are double-clicked. aa archive -d test.app/Contents -o ĭespite the fact that this command looks somewhat similar to the ZIP command that could previously be used to abuse CVE-2022-22616, this vulnerability is different in that it doesn’t involve the BoM at all. This brought us to the testing of the macOS Archive Utility, where we discovered that creating an Apple Archive with a similar command will also result in bypassing Gatekeeper and all security checks upon execution.
ARCHIVE UTILITY MAC ZIP FILE
At a low level, this vulnerability existed within the parsing of the Bill of Materials (BoM) when an application was placed within a zip file using a syntax like the following: zip -r test.app/Contents test.zipĪfter reporting the issue to Apple, we began to research other archiving features that might suffer from similar issues. Initial discoveryĮarlier this year, Jamf Threat Labs identified a vulnerability in the Safari Web Browser that could bypass Gatekeeper checks by leveraging a crafted ZIP archive ( CVE-2022-22616). Research led by Ferdous Saljooki, Detections Developer II, Jamf. We reported our findings to Apple on May 31, 2022, and in macOS Monterey 12.5 Apple patched the vulnerability, assigning it CVE-2022-32910. Jamf Threat Labs recently discovered a new macOS vulnerability in Archive Utility that could lead to the execution of an unsigned and unnotarized application without displaying security prompts to the user, by using a specially crafted archive.
0 kommentar(er)
