来源

关联漏洞

描述

A sample POC to test CVE-2021-30853

介绍

# CVE-2021-30853

A simple POC script to test for CVE-2021-30657 affecting MacOS. <br/>
This CVE allows bypass of gatekeeper, notraization and xprotect checks.
## Vulnerability detail

This Vunlerability occurs when you don't define a interpreter( or specify a interpreter that itself is a shell script) in first line(shebang) of the main script of your executable bundle. This will cause `xpcproxy` to invokes `posix_spawnp` to launch the interpreter-less script-based application. This initially errors out (no interpreter → ENOEXEC), but then `posix_spawnp` "recovers" and (re)executes the script ...this time directly via `/bin/sh`.<br/> Later, the AppleSystemPolicy kext intercepts the process launch to ensure its conformant (signed, notarized, etc). But it checks `/bin/sh` without any variable set, so execute the script without any default checks.<br/> Based on thread: https://twitter.com/objective_see/status/1473741597368098819


## Steps to reproduce
* Put your desireable shell script code in payload.sh. Keep in mind to not modify the first line of script (#!/usr/bin/command).
* Execute setup.sh.
* This will generate a bait.dmg that will contain our malicious app bundle.
* Share it to the victim through internet.
* When victim will double click on app icon after mounting dmg, it will execute the payload script without any gatekeeper's checks.

## Affected version

    macOS Big Sur < 11.6

## Technical details
https://objective-see.com/blog/blog_0x6A.html

文件快照

 [4.0K]  /data/pocs/a5d856b5e1321576c85e690538e95175f1cf2dee
├── [ 195]  payload.sh
├── [1.4K]  README.md
└── [ 223]  setup.sh

0 directories, 3 files

备注