On February 12, 2024, a vulnerability was disclosed in the popular macOS Objective-C library, XADMaster. Logged as CVE-2024-22405, this flaw allows malicious ZIP archives to circumvent macOS’s Gatekeeper checks. Given how many Mac applications and utilities build on top of XADMaster for unarchiving, the threat can affect a wide range of software relying on it. This post will break down the issue, show how attackers might exploit it, and provide code and links for further reading.
Technical Background
XADMaster is an Objective-C library used for archive management on macOS. Many developers leverage it to extract ZIP, RAR, 7z, and other archive formats in their applications.
Gatekeeper is a security technology in macOS. When files are downloaded from the internet, a "quarantine attribute" (com.apple.quarantine) is set on them. Gatekeeper uses this attribute to display warning prompts before running new applications, reducing the risk of running malware.
The Problem:
When extracting a ZIP archive, XADMaster was not setting the quarantine attribute on the extracted files if they were specially crafted. This allowed files to bypass macOS Gatekeeper checks after extraction, causing a risk of silent malware execution.
Description
- CVE: CVE-2024-22405
How It Happens
1. A malicious user creates a ZIP file in a way that confuses XADMaster into skipping the application of the com.apple.quarantine attribute.
2. When a user extracts the archive (either via an app using XADMaster or a script), the extracted app or executable is not flagged as downloaded from the internet.
1. Crafting a Malicious ZIP
A ZIP archive is created containing a macOS Application bundle (e.g., EvilApp.app). Special ZIP comment manipulation or directory layout is used so XADMaster fails to apply the quarantine flag.
2. Delivery
The attacker shares the ZIP file (via email, web download, etc.). The victim extracts it using a macOS app (say, a third-party unarchiver) that uses the vulnerable XADMaster.
3. Gatekeeper Bypass
The user then double-clicks or runs EvilApp.app, which launches without any Gatekeeper warning, since the system doesn't know this file came from an untrusted source.
4. Malicious Code Execution
The app performs its malicious activities, like installing spyware, exfiltrating documents, or something worse.
Sample Code
Below is a simplified Objective-C example for extracting an archive using XADMaster, demonstrating the vulnerability:
#import <XADMaster/XADArchive.h>
NSString *archivePath = @"/Users/user/Downloads/malicious.zip";
NSString *destinationPath = @"/Users/user/Downloads/";
XADArchive *archive = [[XADArchive alloc] initWithFile:archivePath];
if ([archive openAndScan]) {
for (NSInteger i = ; i < [archive numberOfEntries]; i++) {
// Extraction will lack quarantine if archive is crafted
[archive extractEntry:i to:destinationPath];
}
}
> Notice: If the ZIP is crafted to trigger the bug, extracted files like apps won’t be quarantined (com.apple.quarantine is missing).
You can check for the quarantine flag using the command line
xattr /Users/user/Downloads/EvilApp.app
If com.apple.quarantine is not listed after extracting with the vulnerable library, Gatekeeper will not prompt the user.
Upgrade Immediately
- Patched Version: XADMaster 1.10.8 applies the fix and ensures all extracted files are properly quarantined.
- XADMaster on GitHub
No Workarounds
There are *no known reliable workarounds* for this vulnerability. Developers and users should upgrade to the latest version or stop using software that has not been updated.
Extra: Manual Fix
If you must use an old version, you can apply the quarantine attribute manually after extraction (not recommended):
xattr -w com.apple.quarantine "0002;00000000;Safari;E12B7BD2-000-000-000-000000000000" /path/to/extracted/file
References
- CVE-2024-22405 (NVD)
- XADMaster Source (GitHub)
- Apple Gatekeeper
- About Extended File Attributes
Summary
CVE-2024-22405 demonstrates how a small implementation detail in a popular unarchiving library can have big security consequences. If you’re a developer or user on macOS, update XADMaster now (or ask your vendors to do so). Always be cautious with archive files from untrusted sources—malware writers are looking for openings like this.
Timeline
Published on: 04/30/2024 10:15:07 UTC
Last modified on: 06/04/2024 17:52:55 UTC