Overview
macOS Finder allows remote attackers to execute arbitrary commands by tricking users into running inetloc files.
Description
SSD Secure Disclosure has announced a new vulnerability in macOS Finder that allows remote attackers to execute arbitrary commands by tricking users into clicking maliciously crafted inetloc files embedded inside emails. Once clicked, the commands embedded inside the inetloc files execute without any prompt or warning to the user.
inetloc
Originally, inetloc files are shortcuts to an Internet location. They contain the server address and possibly the credentials for SSH or telnet connections. They are created by typing a URL in a text editor and dragging the URL text to the Desktop.
The vulnerability stems specifically from allowing the inetloc file to refer to locally stored files as well as to remote Internet addresses. Rather than specifying a remote address with the ssh:// or telnet:// protocols, an inetloc file can execute local commands by using the file:// protocol. If such an inetloc file is attached to an email, clicking on the attachment will execute the maliciously crafted commands without any notice to the user.
The macOS Finder arbitrary command execution vulnerability originally affected macOS Big Sur and prior versions. However, SSD Secure Disclosure reports that the vulnerability has been patched silently by Apple without assigning a CVE identifier for it.
SSD Secure Disclosure also notes that the current patch only blocks the file:// prefix, and that it can be bypassed by modifying the letter cases, as in derivatives such as File:// or fIle://.
An example exploit code that can bypass the current patch and run the Calculator.app from the local file system is given below:
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>URL</key>
<string>FiLe:////////////////////////System/Applications/Calculator.app</string>
</dict>
</plist>
Note that, as a general security practice, access decisions should be based on explicit permissions (an allowlist) rather than on exclusions (a denylist), as the fail-safe defaults principle advises; a check that only rejects one known-bad spelling of a prefix is exactly the kind of exclusion that trivial variations defeat. Designing secure systems this way prevents vulnerabilities of this sort.
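The following added example (written for this page, not code from SSD Secure Disclosure or Apple) makes the point of the two passages above concrete: it parses the URL out of an .inetloc property list and compares an exclusion-style check, which only blocks the exact lower-case file:// prefix, with a fail-safe allowlist that permits only the ssh and telnet schemes after lower-casing the scheme. The denylist function is a hypothetical reconstruction of the kind of check the advisory describes, not Apple's actual patch; the two .inetloc payloads are constructed samples, and the allowed-scheme set is an assumption drawn from the page's description of what inetloc files were meant for.

```python
import plistlib
import re

# Constructed sample .inetloc payloads for the demonstration (not the advisory's
# attachment). The second one mirrors the case-varied file:// form the
# advisory says slips past the patch.
BENIGN_INETLOC = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>URL</key>
<string>ssh://user@example.invalid</string>
</dict>
</plist>
"""

CASE_VARIED_INETLOC = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>URL</key>
<string>FiLe:////////////////////////System/Applications/Calculator.app</string>
</dict>
</plist>
"""

# Assumption: the schemes .inetloc files were designed for, per the page.
ALLOWED_SCHEMES = frozenset({"ssh", "telnet"})

# RFC 3986 scheme syntax: a letter, then letters/digits/+/-/. up to the colon.
_SCHEME_RE = re.compile(r"^([A-Za-z][A-Za-z0-9+.\-]*):")


def extract_url(inetloc_bytes):
    """Return the URL string stored under the URL key of an .inetloc plist."""
    plist = plistlib.loads(inetloc_bytes)
    url = plist.get("URL")
    if not isinstance(url, str):
        raise ValueError("inetloc has no string URL key")
    return url


def scheme_of(url):
    """Return the URL scheme lower-cased, or None if there is no valid scheme."""
    match = _SCHEME_RE.match(url.strip())
    return match.group(1).lower() if match else None


def denylist_blocks(url):
    """Exclusion-style check: block only the exact lower-case 'file://' prefix.

    Hypothetical reconstruction of the kind of check the advisory describes;
    it is here to show why exclusions are fragile, not to mirror Apple's code.
    """
    return url.startswith("file://")


def allowlist_permits(url, allowed=ALLOWED_SCHEMES):
    """Fail-safe check: permit only known-good schemes, compared case-insensitively.

    Anything unrecognised, including every spelling of file://, is rejected.
    """
    return scheme_of(url) in allowed


def inspect_inetloc(inetloc_bytes):
    """Summarise how the two policies treat one .inetloc file."""
    url = extract_url(inetloc_bytes)
    return {
        "url": url,
        "scheme": scheme_of(url),
        "denylist_blocks": denylist_blocks(url),
        "allowlist_permits": allowlist_permits(url),
    }


if __name__ == "__main__":
    for label, data in (("benign", BENIGN_INETLOC), ("case-varied", CASE_VARIED_INETLOC)):
        print(label, inspect_inetloc(data))
```

Run stand-alone, the script shows the case-varied sample passing the prefix denylist (denylist_blocks is False) while the scheme allowlist rejects it, which is the behaviour the fail-safe defaults principle asks for. The same scheme_of helper can be pointed at any .inetloc file pulled from a mail gateway or an endpoint quarantine to triage attachments before a user ever clicks them.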
Impact
An attacker could remotely execute arbitrary code and potentially gain full control of the system by tricking users into clicking maliciously crafted inetloc file attachments.
Impact Summary
Category: Arbitrary Command Execution
CVSS 3.1 Base Score: N/A
CVSS 3.1 Vector: N/A
Solution
The current patch against this vulnerability can be bypassed by changing the letter cases when specifying the file:// protocol. To defend against attacks exploiting this vulnerability, users should follow further updates from Apple that remediate the flaw.
As successful attacks exploiting this vulnerability require adversaries to convince users to open malicious attachments through social engineering, users should also watch out for phishing attacks.
References to Advisories, Solutions and Tools
- SSD Advisory – macOS Finder RCE