so.cl

The astute reader may have noticed that though the script started with the familiar #! (“Shebang”), it is missing an interpreter such as /bin/bash. However when launched, macOS seems to handle this without issue, and still executed the script.

Specifically, as shown below, in the output of a process monitor, when launched you can first see launchd exec’ing xpcproxy. This then executes /bin/sh, which in turn executes /bin/bash to execute the PoC (which has been translocated, as its from the Internet). Where’s the Interpreter!? (CVE-2021-30853)