Commit 2755257

Merge pull request #1793 from HackTricks-wiki/research_update_src_macos-hardening_macos-security-and-privilege-escalation_macos-security-protections_macos-gatekeeper_20260122_021302
Research Update Enhanced src/macos-hardening/macos-security-...
2 parents b3bb0e1 + 02eaa87 commit 2755257

1 file changed

Lines changed: 14 additions & 0 deletions

src/macos-hardening/macos-security-and-privilege-escalation/macos-security-protections/macos-gatekeeper.md

@@ -162,8 +162,14 @@ Regarding **kernel extensions**, the folder `/var/db/SystemPolicyConfiguration`
162162

163163
#### Managing Gatekeeper on macOS 15 (Sequoia) and later
164164

165+
- The long‑standing Finder **Ctrl+Open / Right‑click → Open** bypass has been removed; users must explicitly allow a blocked app from **System Settings → Privacy & Security → Open Anyway** after the first block dialog.
166+
- `spctl --master-disable/--global-disable` are no longer accepted; `spctl` is effectively read‑only for assessment and label management while policy enforcement is configured through UI or MDM.
167+
165168
Starting in macOS 15 Sequoia, end users can no longer toggle Gatekeeper policy from `spctl`. Management is performed via System Settings or by deploying an MDM configuration profile with the `com.apple.systempolicy.control` payload. Example profile snippet to allow App Store and identified developers (but not "Anywhere"):
166169

170+
<details>
171+
<summary>MDM profile to allow App Store and identified developers</summary>
172+
167173
```xml
168174
<?xml version="1.0" encoding="UTF-8"?>
169175
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
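Review bot: the new bullet at 166 claims that `spctl --master-disable/--global-disable` are no longer accepted and that `spctl` is effectively read-only, but the existing paragraph at 168 already says end users cannot toggle Gatekeeper policy from `spctl`, and none of the references added at the end of this diff back the stronger read-only wording (the MacRumors link only covers the Control-click removal). Suggest citing a source for the `spctl` behaviour or trimming the bullet to something like "Gatekeeper policy can no longer be changed with `spctl`; management moves to System Settings or MDM (see below)", so the bullet and the paragraph do not state the same fact with different precision. The bullet at 165 is consistent with the Open Anyway flow the MacRumors reference describes.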
@@ -198,6 +204,8 @@ Starting in macOS 15 Sequoia, end users can no longer toggle Gatekeeper policy f
198204
</plist>
199205
```
200206

207+
</details>
208+
201209
### Quarantine Files
202210

203211
Upon **downloading** an application or file, specific macOS **applications** such as web browsers or email clients **attach an extended file attribute**, commonly known as the "**quarantine flag**," to the downloaded file. This attribute acts as a security measure to **mark the file** as coming from an untrusted source (the internet), and potentially carrying risks. However, not all applications attach this attribute, for instance, common BitTorrent client software usually bypasses this process.
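Review bot: the blank lines at 206 and 208 around the new `</details>` at 207 are load-bearing and should be kept: in CommonMark a raw HTML block that starts with `<details>` or `</details>` runs until the next empty line, so without 206 the closing fence at 205 would still parse correctly but without 208 the `### Quarantine Files` heading at 209 would be swallowed into the HTML block and lose its heading rendering. Worth a one-line comment in the PR description so later edits do not "tidy up" those lines.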
@@ -531,6 +539,10 @@ A Gatekeeper bypass fixed in macOS Sonoma 14.0 allowed crafted apps to run witho
531539
532540
A Gatekeeper bypass in macOS 14.4 (released March 2024) stemming from `libarchive` handling of malicious ZIPs allowed apps to evade assessment. Update to 14.4 or later where Apple addressed the issue.
533541
542+
### [CVE-2024-44128](https://support.apple.com/en-us/121234)
543+
544+
An **Automator Quick Action workflow** embedded in a downloaded app could trigger without Gatekeeper assessment, because workflows were treated as data and executed by the Automator helper outside the normal notarization prompt path. A crafted `.app` bundling a Quick Action that runs a shell script (e.g., inside `Contents/PlugIns/*.workflow/Contents/document.wflow`) could therefore execute immediately on launch. Apple added an extra consent dialog and fixed the assessment path in Ventura **13.7**, Sonoma **14.7**, and Sequoia **15**.
545+
534546
### Third‑party unarchivers mis‑propagating quarantine (2023–2024)
535547
536548
Several vulnerabilities in popular extraction tools (e.g., The Unarchiver) caused files extracted from archives to miss the `com.apple.quarantine` xattr, enabling Gatekeeper bypass opportunities. Always rely on macOS Archive Utility or patched tools when testing, and validate xattrs after extraction.
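Review bot: the mechanism sentence at 544 ("workflows were treated as data and executed by the Automator helper outside the normal notarization prompt path") is presented as established fact, but the only source attached is Apple's security-content page, which the references hunk lists as "About the security content of macOS Sonoma 14.7 / Ventura 13.7"; those advisories usually carry a one-line impact statement rather than the internal cause. Suggest attributing the mechanism to the write-up it came from or marking it as the author's analysis. From a defender's view the useful addition is the observable on patched systems: the extra consent dialog Apple added is what tells an analyst the fix is in place, so a sentence along the lines of "on 13.7 / 14.7 / 15 and later, launching such an app now prompts before the workflow runs" would make the fix versions actionable rather than just listed.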
@@ -553,5 +565,7 @@ In an ".app" bundle if the quarantine xattr is not added to it, when executing i
553565
554566
- Apple Platform Security: About the security content of macOS Sonoma 14.4 (includes CVE-2024-27853) – [https://support.apple.com/en-us/HT214084](https://support.apple.com/en-us/HT214084)
555567
- Eclectic Light: How macOS now tracks the provenance of apps – [https://eclecticlight.co/2023/05/10/how-macos-now-tracks-the-provenance-of-apps/](https://eclecticlight.co/2023/05/10/how-macos-now-tracks-the-provenance-of-apps/)
568+
- Apple: About the security content of macOS Sonoma 14.7 / Ventura 13.7 (CVE-2024-44128) – [https://support.apple.com/en-us/121234](https://support.apple.com/en-us/121234)
569+
- MacRumors: macOS 15 Sequoia removes the Control‑click “Open” Gatekeeper bypass – [https://www.macrumors.com/2024/06/11/macos-sequoia-removes-open-anyway/](https://www.macrumors.com/2024/06/11/macos-sequoia-removes-open-anyway/)
556570
557571
{{#include ../../../banners/hacktricks-training.md}}
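Review bot: the MacRumors entry at 569 carries a title saying Sequoia removes the Control-click "Open" bypass, while the URL slug reads `macos-sequoia-removes-open-anyway`; since the bullet added at 165 tells readers that Open Anyway in System Settings is the replacement path, a title and slug that point in opposite directions will confuse readers. Please confirm the article title against the link before merging. The Apple entry at 568 matches the heading link in the CVE-2024-44128 section, so that pair is consistent.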
