Introduction

An important security flaw has been identified in XADMaster, a popular Objective-C library for unarchiving and extracting archive files. When extracting a specially crafted zip archive, XADMaster may fail to apply the quarantine attribute correctly, potentially allowing the bypass of Gatekeeper checks on a macOS system. This vulnerability has been assigned the identifier CVE-2024-22405.

This long-read post provides a comprehensive breakdown of the CVE-2024-22405 vulnerability, including the exploit details, relevant code snippets, and original references. We will also discuss the recommended steps to mitigate this issue.

Exploit Details

To exploit this vulnerability, an attacker must first craft a malicious zip file that includes specific file attributes that cause XADMaster to apply the quarantine attribute incorrectly. Once this malicious zip file is extracted using XADMaster on a macOS system, the extracted files are no longer subject to Gatekeeper checks, which rely on the quarantine attribute to identify content that arrived from the internet and are designed to protect the system from malicious software.

Below is a code snippet that demonstrates how the quarantine attribute application might fail in XADMaster:

#import <Foundation/Foundation.h>
#import <CoreServices/CoreServices.h>   // kLSQuarantine* keys (LSQuarantine.h)

- (BOOL)applyQuarantineAtURL:(NSURL *)destinationURL {
    // Quarantine properties for an extracted file (illustrative values)
    NSDictionary *quarantineProperties = @{
        (__bridge NSString *)kLSQuarantineAgentNameKey : @"XADMaster",
        (__bridge NSString *)kLSQuarantineTypeKey      : (__bridge NSString *)kLSQuarantineTypeOtherDownload,
        (__bridge NSString *)kLSQuarantineTimeStampKey : [NSDate date],
    };
    NSError *error = nil;

    if (![destinationURL setResourceValue:quarantineProperties
                                   forKey:NSURLQuarantinePropertiesKey
                                    error:&error])
    {
        // The file already exists at destinationURL; logging and returning NO
        // leaves it on disk without a quarantine attribute.
        NSLog(@"Failed to apply quarantine properties: %@", error);
        return NO;
    }
    return YES;
}

In this example, if setResourceValue:forKey:error: fails, the method only logs the error and returns NO. The extracted file has already been written, so unless the caller treats that NO as a hard failure, it stays on disk without the quarantine attribute and Gatekeeper never evaluates it.
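The following program is an added example, not code from XADMaster or from this advisory. It shows the two things a defender wants around the failure mode above: a fail-closed variant of the quarantine step (a file that cannot be quarantined is removed rather than left on disk), and an audit that walks an extraction directory and reports every regular file that lacks a quarantine attribute, which is a quick way to confirm that an updated extractor is stamping its output. The function names, the agent name string, and the --fix flag are assumptions of this example; the NSURLQuarantinePropertiesKey and kLSQuarantine* identifiers are the real Foundation and LaunchServices ones.

```objc
// Added example (not XADMaster's code): fail-closed quarantine stamping plus a post-extraction audit.
// Build: clang -fobjc-arc -framework Foundation -framework CoreServices quarantine_audit.m -o quarantine_audit
#import <Foundation/Foundation.h>
#import <CoreServices/CoreServices.h>   // kLSQuarantine* keys (LSQuarantine.h)

// Quarantine dictionary an extractor should stamp onto every file it writes.
// Agent name is an assumed value for this example.
static NSDictionary *QuarantineProperties(void) {
    return @{
        (__bridge NSString *)kLSQuarantineAgentNameKey : @"example-extractor",
        (__bridge NSString *)kLSQuarantineTypeKey      : (__bridge NSString *)kLSQuarantineTypeOtherDownload,
        (__bridge NSString *)kLSQuarantineTimeStampKey : [NSDate date],
    };
}

// Fail closed: if the attribute cannot be set, delete the file so no
// unquarantined output survives the extraction. Returns NO on failure.
static BOOL ApplyQuarantineFailClosed(NSURL *url, NSError **error) {
    if ([url setResourceValue:QuarantineProperties()
                       forKey:NSURLQuarantinePropertiesKey
                        error:error]) {
        return YES;
    }
    [[NSFileManager defaultManager] removeItemAtURL:url error:NULL];
    return NO;
}

// Audit: return every regular file under `directory` with no quarantine attribute.
// A missing attribute reads back as nil or NSNull, so test for a real dictionary.
static NSArray<NSURL *> *UnquarantinedFiles(NSURL *directory) {
    NSMutableArray<NSURL *> *missing = [NSMutableArray array];
    NSDirectoryEnumerator<NSURL *> *walker = [[NSFileManager defaultManager]
        enumeratorAtURL:directory
        includingPropertiesForKeys:@[NSURLIsRegularFileKey, NSURLQuarantinePropertiesKey]
        options:0
        errorHandler:nil];
    for (NSURL *item in walker) {
        NSNumber *isRegular = nil;
        [item getResourceValue:&isRegular forKey:NSURLIsRegularFileKey error:NULL];
        if (![isRegular boolValue]) continue;   // skip directories, symlinks, etc.
        id quarantine = nil;
        [item getResourceValue:&quarantine forKey:NSURLQuarantinePropertiesKey error:NULL];
        if (![quarantine isKindOfClass:[NSDictionary class]]) {
            [missing addObject:item];
        }
    }
    return missing;
}

int main(int argc, const char *argv[]) {
    @autoreleasepool {
        if (argc < 2) {
            fprintf(stderr, "usage: %s <extracted-dir> [--fix]\n", argv[0]);
            return 2;
        }
        BOOL fix = (argc > 2 && strcmp(argv[2], "--fix") == 0);
        NSURL *dir = [NSURL fileURLWithPath:@(argv[1])];
        NSArray<NSURL *> *missing = UnquarantinedFiles(dir);

        for (NSURL *file in missing) {
            if (!fix) {
                printf("missing quarantine: %s\n", file.path.UTF8String);
                continue;
            }
            NSError *error = nil;
            if (ApplyQuarantineFailClosed(file, &error)) {
                printf("quarantined: %s\n", file.path.UTF8String);
            } else {
                printf("could not quarantine, removed: %s (%s)\n",
                       file.path.UTF8String, error.localizedDescription.UTF8String);
            }
        }
        // Exit 1 when the audit found unquarantined output, so CI or a wrapper script can fail on it.
        return (missing.count == 0 || fix) ? 0 : 1;
    }
}
```

Run it against a directory you just extracted with the library; exit status 1 means at least one regular file came out without a quarantine attribute. With --fix the example stamps each such file using the fail-closed routine, which deletes any file it cannot stamp, so use that mode only on freshly extracted output you are prepared to lose. The same ApplyQuarantineFailClosed shape is the behaviour an extractor itself should adopt in place of the log-and-return-NO pattern shown above.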

Original References

The vulnerability was first reported by [security researcher] (link to their profile). Detailed information and discussion about this issue can be found in the following resources:

1. XADMaster GitHub Repository
2. macOS Gatekeeper Documentation
3. CVE-2024-22405 Official Record

Mitigation

To address the CVE-2024-22405 vulnerability, it is highly recommended that macOS users, and developers of applications that embed the library, update XADMaster to version 1.10.8 or later. This version includes a fix for the incorrect application of quarantine attributes when extracting zip archives.

Instructions for upgrading the XADMaster library on macOS systems can be found in the official XADMaster documentation.

It is important to note that there are no known workarounds for this issue. Upgrading to the latest version of XADMaster is the only recommended solution.

Conclusion

The CVE-2024-22405 vulnerability in the XADMaster library can potentially allow the bypass of macOS Gatekeeper checks by specially crafted zip files. To ensure the security of macOS systems, users should promptly update XADMaster to version 1.10.8 or later. Following the recommended mitigation steps will help safeguard against potential exploitation of this vulnerability.

Timeline

Published on: 04/30/2024 10:15:07 UTC
Last modified on: 06/04/2024 17:52:55 UTC