Two More Ways the Quarantine Attribute Can Fail Us

Presented at Objective by the Sea version 6.0 (2023), Oct. 12, 2023, 4:35 p.m. (25 minutes).

In this talk we will present two separate Gatekeeper bypass vulnerabilities, CVE-2021-1810 and CVE-2023-27943, both discovered in the course of developing our own endpoint protection software. We present the discovery process and root cause analysis of both bugs, leading to novel discoveries about both how the behavior behind LSFileQuarantineEnabled Info.plist key is (and sometimes isn't!) enforced by the operating system, as well as some internals of how Archive Utility propagates (and sometimes doesn't!) the com.apple.quarantine extended attribute.

Presenters:

• Arthur Valiev - Senior Software Engineer at F-Secure
  Senior Software Engineer at F-Secure. Experience developing anti-malware products for macOS, starting from kernel extensions utilizing KAUTH and MACF back in Snow Leopard days to using the macOS EndpointSecurity framework today..
• Rasmus Sten - Lead Software Engineer at F-Secure
  Lead Software Engineer at F-Secure. Experience developing anti-malware products for macOS, starting from kernel extensions utilizing KAUTH and MACF back in Snow Leopard days to using the macOS EndpointSecurity framework today..

Links:

• https://objectivebythesea.org/v6/talks.html#Speaker_13
• https://www.youtube.com/watch?v=AqFsFPVXkcU

Similar Presentations:

• DEF CON 29 (2021) / Bundles of Joy: Breaking macOS via Subverted Applications Bundles
• Objective by the Sea version 4.0 (2021) / All Your Macs Are Belong To Us: The Story of CVE-2021-30657
• Objective by the Sea version 5.0 (2022) / Bombastically Abominating Bomshellz