macOS X GateKeeper Bypass

194 points by raimue almost 6 years ago

10 comments

Someone almost 6 years ago
“The second legit feature is that zip archives can contain symbolic links pointing to an arbitrary location (including automount endpoints) and that the software on MacOS that is responsible to decompress zip files does not perform any check on the symlinks before creating them.”

Is that truly legit? It’s very similar to having web servers accept URL paths containing full paths or “../”, both of which have been the cause of many security vulnerabilities.
silvestrov almost 6 years ago
I can really not see any reason that NFS automounter should be enabled by default on a macOS system.

That should be disabled by Apple, if not removed completely.
cjcampbell almost 6 years ago
I may not be entirely right about this, but I believe that Gatekeeper relies on xattr to mark files as quarantined. This is a feature that I wouldn't expect to be available when mounting non-Apple filesystems.

If this is the case, a potential solution is to track external mounts and to prompt a user when accessing a new drive for the first time, especially in the case that the OS has read or written a new symbolic link pointing to an external file system.

I agree with other commenters who say that the NFS auto-mounter should likely default to off on fresh installs. If there is a concern about this breaking enterprise configurations, set NFS to default into a prompt before mounting mode.

As far as the issue of symbolic links in zip files, I'm not sure there's much to be done (except perhaps issuing a warning that would be difficult for most users to parse). I mentioned elsewhere that this functionality is not unique to macOS or to zip.

The final issue that I see is that Finder hides so much metadata (which could be useful for a reasonably sophisticated user). I'd like to see a prominent indication of a cross-filesystem symbolic link. Likewise, it'd be worthwhile to have a clear visual indication when browsing a remote file system.
smelendez almost 6 years ago
Why are external drives and NFS shares considered trusted to begin with?
judge2020 almost 6 years ago
The author says it works "<= 10.14.5", but no mention of the current beta available, 10.14.6. I wonder if the beta fixes this.
musicale almost 6 years ago
I noticed that automounter entry recently and was like "wait, why did I have this?"

OTOH I might have left it in there to make it easier to mount NFS volumes.
hypervis0r almost 6 years ago
The author disabled resizing (zooming) on mobile, leaving the text unreadable. Why do people do this at all? I've seen it happen so often.
OldHand2018 almost 6 years ago
This is an interesting bug. But is it a good idea for an attacker to allow for wide-open NFS mounting of their attack server?
circa almost 6 years ago
Someone should inform the KeyMaster
mosselman almost 6 years ago
“Since Apple is aware of my 90 days disclosure deadline, I make this information public.”

Great, so now, potentially, there are lots of people who will lose all of their baby photos, lose money or even their contact with people who are important to them just because of some arbitrary number of days you made up and because you feel slighted by Apple.

This could have real consequences and you can’t expect a big company to move faster just because you want them to. I have no knowledge of the internals of the development of MacOS, but maybe this isn’t trivial to fix.