Mishandling of Long Paths Leads to Gatekeeper Bypass in Archive Utility

We discussed this vulnerability during Episode 87 on 04 October 2021

Archive Utility on macOS had a bug when encountering long file paths during extraction that resulted in the extracted files not receiving the com.apple.quarantine attribute that Gatekeeper looks for.

The root cause is that the iterator that applies the quarantine attribute exits early when it encounters a filename that exceeds PATH_MAX, and its return code is never checked, so the extraction completes as if nothing went wrong. Without the attribute, the file avoids the usual code-signing checks that apply to quarantined files.
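A quick post-extraction audit for the condition above, written for this page rather than taken from the episode or from Apple's code: it flags extracted entries whose path is PATH_MAX bytes or longer (the case that made the quarantine loop bail out) and entries that carry no com.apple.quarantine attribute at all. PATH_MAX is assumed to be 1024 as in macOS <sys/syslimits.h>; the real-filesystem reader relies on the stock macOS `xattr` tool, and the sample tree and its attributes are constructed to mimic a run where the over-long entry sits before the payload and everything from that entry on was left unquarantined (the ordering is an assumption, not something the episode states).

```python
"""Audit extracted files for the missing-quarantine condition (added example)."""
import subprocess
import sys
from typing import Callable, Dict, Iterable, List, Set, Tuple

PATH_MAX = 1024  # assumed: value of PATH_MAX in macOS <sys/syslimits.h>
QUARANTINE_XATTR = "com.apple.quarantine"


def list_xattrs_macos(path: str) -> Set[str]:
    """Return the extended-attribute names on `path` using the macOS `xattr` CLI.

    `xattr <file>` with no flags prints one attribute name per line. This reader
    is only meaningful on macOS; the offline check below substitutes a dict.
    """
    proc = subprocess.run(["xattr", path], capture_output=True, text=True, check=False)
    return {line.strip() for line in proc.stdout.splitlines() if line.strip()}


def audit(paths: Iterable[str],
          list_xattrs: Callable[[str], Iterable[str]]) -> List[Tuple[str, List[str]]]:
    """Report (path, reasons) for every entry that looks like the bypass case.

    Two independent signals are checked per entry:
      * the path is PATH_MAX bytes or longer, which is what tripped the loop;
      * the entry has no com.apple.quarantine attribute, i.e. Gatekeeper will
        never be consulted for it.
    """
    findings: List[Tuple[str, List[str]]] = []
    for path in paths:
        reasons: List[str] = []
        if len(path.encode("utf-8")) >= PATH_MAX:
            reasons.append("path length >= PATH_MAX")
        if QUARANTINE_XATTR not in set(list_xattrs(path)):
            reasons.append(f"missing {QUARANTINE_XATTR}")
        if reasons:
            findings.append((path, reasons))
    return findings


# Constructed sample (not captured from a real archive): the over-long entry is
# assumed to come before the payload, so the unchecked early exit leaves both
# it and the payload without the attribute, while the earlier entry kept it.
SAMPLE_XATTRS: Dict[str, Set[str]] = {
    "out/README.txt": {QUARANTINE_XATTR},
    "out/" + "A" * 1100: set(),
    "out/Payload.app/Contents/MacOS/Payload": set(),
}


def audit_sample() -> List[Tuple[str, List[str]]]:
    """Run the audit over the constructed sample with an in-memory xattr lookup."""
    return audit(list(SAMPLE_XATTRS), SAMPLE_XATTRS.__getitem__)


if __name__ == "__main__":
    # Usage on macOS: python3 audit.py <extracted files...>
    targets = sys.argv[1:]
    results = audit(targets, list_xattrs_macos) if targets else audit_sample()
    for path, reasons in results:
        print(f"{path[:60]}{'...' if len(path) > 60 else ''}: {', '.join(reasons)}")
```

On a real system, feed it the output of `find <extraction dir> -type f` and treat any entry with a missing attribute as something Gatekeeper will never see; the PATH_MAX signal is worth keeping on its own, since an archive that contains such a name has no legitimate reason to.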

An actual attack using this trick is a bit more complicated, as the path still needs to be reachable in Finder so a user can be coerced into executing the no-longer-quarantined executable. To do this the author made use of symlinks and some clever naming to make it appear like a normal application bundle.