Two More Ways the Quarantine Attribute Can Fail Us

Presented at Objective by the Sea version 6.0 (2023), Oct. 12, 2023, 4:35 p.m. (25 minutes).

In this talk we will present two separate Gatekeeper bypass vulnerabilities, CVE-2021-1810 and CVE-2023-27943, both discovered in the course of developing our own endpoint protection software. We present the discovery process and root cause analysis of both bugs, leading to novel findings about how the behavior behind the LSFileQuarantineEnabled Info.plist key is (and sometimes isn't!) enforced by the operating system, as well as some internals of how Archive Utility propagates (and sometimes doesn't!) the com.apple.quarantine extended attribute.

Presenters:

  • Arthur Valiev - Senior Software Engineer at F-Secure
    Senior Software Engineer at F-Secure. Experience developing anti-malware products for macOS, starting from kernel extensions utilizing KAUTH and MACF back in Snow Leopard days to using the macOS EndpointSecurity framework today.
  • Rasmus Sten - Lead Software Engineer at F-Secure
    Lead Software Engineer at F-Secure. Experience developing anti-malware products for macOS, starting from kernel extensions utilizing KAUTH and MACF back in Snow Leopard days to using the macOS EndpointSecurity framework today.
