
M1 Macs GateKeeper bypass aka CVE-2021-30658

submitted by
Style Pass
2021-08-19 18:30:06

This blog post describes a GateKeeper bypass that worked on M1 Macs. With a few clicks in a web browser, the attacker could have executed malicious code on the victims' machines.

Introduction

When the first M1 Macs appeared in the Apple Store, I immediately bought one. I was really excited to verify the attack vectors I thought about. I noticed that M1 Macs could install iOS apps compiled for ARM64, so maybe there will be inconsistencies? I was especially interested in logic errors in situations where something on iOS is totally OK, but on macOS it will be a problem.

The GateKeeper bypass

iOS apps can be installed outside the App Store using a special URL handler, itms-services://. On macOS Big Sur, the same handler is registered and handled by the iOS App Installer.app.

These apps have to be signed with an Enterprise Certificate. It’s not very easy to get one from Apple. However, there are online services that allow signing your apps with enterprise certificates for $XXX. As using such services is not exactly legal, I won’t write about them. Just keep in mind that an attacker may obtain such a certificate with relatively low effort.
