Resources

People often ask me "How did you learn how to hack?" The answer: by reading. This page is a collection of the blog posts and other articles that I have accumulated over the years of my journey. Enjoy!

Where's the Interpreter!? (CVE-2021-30853)

Patrick Wardle, posted 4 years ago
  • File quarantine, Gatekeeper, and Notarization on macOS are what prevent non-Apple-signed applications from running on a computer. In particular, they are meant to stop attacks where an application pretends to be Adobe Reader while actually stealing all of your files. Bypassing them leaves users at risk.
  • The root cause breaks down to a weird edge case in the system: a bash script that does not specify its interpreter. Given a script whose first line is only "#!" with no interpreter after it, macOS will gladly run it. But, for some reason, the missing interpreter bypasses the verification that macOS should do for the user protections mentioned above. Why does this happen?
  • When no interpreter is specified ("#!" only), exec_shell_imgact returns an error when it is called. Since the file fails as a script, /bin/sh is then used as the program to run.
  • Here's the kicker: macOS now thinks the binary being run is NOT a bash script but the binary /bin/sh. Since this is now a macOS binary instead of a bash script, the call to exec_shell_imgact never happens. Eventually, when this reaches the policy daemon, syspolicyd, it decides that no security checks need to be made, because what is running is NOT a script but a trusted platform binary.
  • A super simple bug wrapped in layers of complexity. Sometimes fuzzing and trying random things is the way to go instead of raw code review. Good find!
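The shape this bug relies on (a shebang line that names no interpreter) is easy to check for on disk. The following scanner is my own added example, not code from Wardle's post; the sample files it creates are constructed inline for the demo.

```python
import os
import tempfile


def parse_shebang(first_line: bytes) -> dict:
    """Classify a file's first line. `empty` is True when the line starts with
    "#!" but names no interpreter, the case described in the notes above
    (exec_shell_imgact errors out and the file is run via /bin/sh instead)."""
    if not first_line.startswith(b"#!"):
        return {"has_shebang": False, "interpreter": None, "empty": False}
    rest = first_line[2:].strip()
    if not rest:
        return {"has_shebang": True, "interpreter": None, "empty": True}
    interpreter = rest.split()[0].decode("utf-8", "replace")
    return {"has_shebang": True, "interpreter": interpreter, "empty": False}


def scan_dir(root: str) -> list:
    """Walk `root` and return paths of files whose shebang has no interpreter."""
    flagged = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as f:
                    first = f.readline(4096)  # only the first line matters
            except OSError:
                continue  # unreadable file: skip rather than abort the scan
            if parse_shebang(first)["empty"]:
                flagged.append(path)
    return sorted(flagged)


def demo() -> list:
    """Write constructed sample files (hypothetical, not from the post) and scan them."""
    samples = {
        "normal.sh": b"#!/bin/bash\necho hi\n",
        "env.py": b"#!/usr/bin/env python3\nprint(1)\n",
        "bare.sh": b"#!\necho hi\n",        # "#!" with nothing after it
        "spaces.sh": b"#!   \necho hi\n",   # whitespace only, same effect
        "noshebang.txt": b"echo hi\n",
        "onlymagic": b"#!",                 # two bytes and no newline
    }
    tmp = tempfile.mkdtemp()
    for name, body in samples.items():
        with open(os.path.join(tmp, name), "wb") as f:
            f.write(body)
    return [os.path.basename(p) for p in scan_dir(tmp)]
```

Run `demo()` to see the three interpreter-less files flagged while the normal scripts and plain text pass.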