Slack Direct Download doesn't set the com.apple.quarantine meta-attribute on downloaded files, which allows a remote attacker to send an executable file that won't be checked by Gatekeeper.
> Downloaded executable files lack the com.apple.quarantine meta-attribute => no alerts about launching an executable from the web will appear.
Opening a downloaded .terminal file in Slack via "Shift + Click" (or in Finder) immediately leads to running the attacker's code on the target device.
A .terminal file couldn't be opened this way if the application set the quarantine meta-attribute properly. However, Slack (Direct Download) doesn't do that.
1. Attacker sends exploit.terminal to the victim. The file looks like a plaintext file in preview.
2. Victim opens the exploit.terminal file via "Shift + Click" (or via Finder).
3. The commands in exploit.terminal get executed with user-level privileges.
The described scenario is reproducible in Slack 3.3.3 Direct Download. Slack from the App Store has correct quarantine rules and isn't vulnerable.
exploit.terminal and a screencast are attached.
macOS is built in such a way that the OS will ask the user before opening any downloaded and potentially launchable (in the default setup) files. This rule applies to .terminal files too.
exploit.terminal is launchable in 1 click without warning the user with popups.
An attacker could send a crafted .terminal file to the victim, which will be executed immediately after opening this file via the "Open" button or in Finder.
The attack scenario requires a certain level of user interaction, but the file looks safe and the victim doesn't expect that it'll be launched immediately.
This Gatekeeper bypass allows running arbitrary apps in environments hardened with Gatekeeper set to "App Store only".
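A defender-side check for this class of bug, added here as an example and not part of the report or of Slack's own code: it lists files under a download folder that lack com.apple.quarantine and flags launchable types such as .terminal separately. The four-field layout it parses from the attribute value is an assumption based on commonly observed values (Apple does not formally document it), and the LAUNCHABLE set is an illustrative choice.

```python
"""Audit a folder for downloads that lack the com.apple.quarantine attribute."""
import subprocess
from dataclasses import dataclass
from datetime import datetime, timezone
from pathlib import Path
from typing import Dict, Optional

# Illustrative set of file types macOS may launch on open; the report's case is .terminal.
LAUNCHABLE = {".terminal", ".app", ".command", ".sh", ".pkg", ".dmg"}

@dataclass
class QuarantineInfo:
    flags: int
    downloaded_at: datetime
    agent: str
    event_id: str

def parse_quarantine(value: str) -> QuarantineInfo:
    """Parse a com.apple.quarantine value. Assumed layout (commonly observed,
    not formally documented by Apple):
    "<flags hex>;<download time, hex epoch seconds>;<agent name>;<event UUID>"."""
    parts = value.strip().split(";")
    if len(parts) < 3:
        raise ValueError(f"unexpected quarantine value: {value!r}")
    downloaded_at = datetime.fromtimestamp(int(parts[1], 16), tz=timezone.utc)
    event_id = parts[3] if len(parts) > 3 else ""
    return QuarantineInfo(int(parts[0], 16), downloaded_at, parts[2], event_id)

def read_quarantine(path: str) -> Optional[str]:
    """Return the raw attribute via macOS `xattr -p`, or None if it is absent."""
    try:
        proc = subprocess.run(["xattr", "-p", "com.apple.quarantine", path],
                              capture_output=True, text=True)
    except FileNotFoundError:
        raise RuntimeError("xattr not found; this check only runs on macOS")
    return proc.stdout.strip() if proc.returncode == 0 else None

def classify(path: str, raw: Optional[str]) -> str:
    """'ok' when quarantined; an unquarantined launchable type is the report's case."""
    if raw is not None:
        return "ok"
    launchable = Path(path).suffix.lower() in LAUNCHABLE
    return "unquarantined-launchable" if launchable else "unquarantined"

def audit(folder: str) -> Dict[str, str]:
    """Map every regular file under folder to its verdict."""
    root = Path(folder).expanduser()
    return {str(p): classify(str(p), read_quarantine(str(p)))
            for p in root.rglob("*") if p.is_file()}
```

On a Mac, `audit("~/Downloads")` returns a verdict per file; anything reported as `unquarantined-launchable` was saved by a client that skipped the quarantine stamp and would open without the Gatekeeper prompt.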