Apple users warned: clicking this attachment will control your macOS


A code execution bug in Apple’s macOS allows remote attackers to execute arbitrary commands on your device. And the worst part is that Apple hasn’t fully patched it yet, as Ars proved.

Those shortcut files can take over your Mac

Independent security researcher Park Minchan has discovered a vulnerability in macOS that allows threat actors to execute commands on your computer. Shortcut files with the inetloc extension can have commands embedded inside them. The flaw affects macOS Big Sur and earlier versions.

“A vulnerability in the way macOS processes inetloc files causes it to execute commands embedded inside, the commands it executes can be local to macOS, allowing arbitrary command execution by the user without any warnings / prompts,” explains Minchan. “Originally, inetloc files are shortcuts to an Internet location, such as an RSS feed or telnet location; and contain the server address and possibly a username and password for SSH and telnet connections; it can be created by typing a URL in a text editor and dragging the text to the desktop.”

Minchan reported the flaw to Apple through the SSD Secure Disclosure program, as mentioned in the write-up.

Internet shortcuts are present on Windows and macOS systems. But this specific bug negatively affects macOS users, especially those using a native email client like the “Mail” app.

For example, opening an email that contains an inetloc attachment via the “Mail” application will activate the vulnerability without warning. The test email below has an attached shortcut file, “test.inetloc”; clicking on it launches the Calculator application on macOS:

Attachment “inetloc” as rendered when viewed through the macOS Mail application.

Sharma ax

Apple’s “fix” can be easily bypassed

The cause of the vulnerability is quite simple. An Internet shortcut file usually contains a URL. But what happens if a “file://” URL is included?

URLs starting with “file://” instead of the usual “http://” or “https://” are used to retrieve files from the computer system itself. You can try this on your Mac now. Opening a local file on your computer with Chrome or the Safari web browser will automatically generate its equivalent file:// location in the address bar. And Internet shortcuts, or inetloc files, can easily be designed to point to “file://” URLs instead of HTTP.

Although Apple was notified of the flaw and, starting with Big Sur, blocks the inclusion of file:// URLs in Internet shortcuts, one can bypass the block by changing the case of the text:

“Newer versions of macOS (from Big Sur) have blocked the file:// prefix (in the however, they did a case matching that caused File:// or fIle:// to bypass the check,” Minchan explains.

I tested this theory on my macOS Big Sur 11.3.1 using the proof-of-concept (PoC) code provided by Minchan and I can confirm that the bug has not been fully corrected:

macOS RCE bug proof-of-concept code that contains code to start the Calculator app.

This snippet with just eight lines of code is what started the Calculator shown above. But any skilled threat actor could modify this test code to run malicious code on the victim’s machine.

Apple Mac users are cautioned to be careful when opening .inetloc Internet shortcuts, especially those that come via email attachments.
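An added example (not from the original article or from Minchan's PoC): a mail-gateway style check in Python that parses an .inetloc attachment and compares the URL scheme case-insensitively against an allow-list, next to a case-sensitive prefix test of the kind the article describes as bypassable. It assumes the shortcut is a property list with a `URL` key; the function names, the allow-list and the sample URLs are constructed for illustration.

```python
import plistlib
from urllib.parse import urlsplit

# Assumption: only web schemes are acceptable in a mailed Internet shortcut.
ALLOWED_SCHEMES = {"http", "https"}

# Constructed samples (placeholder targets, not taken from the PoC).
SAMPLE_MIXED_CASE = plistlib.dumps({"URL": "FILE:///constructed/placeholder"})
SAMPLE_WEB = plistlib.dumps({"URL": "https://example.com/feed.rss"})


def naive_is_blocked(url: str) -> bool:
    """Case-sensitive prefix test: misses any other casing of the scheme."""
    return url.startswith("file://")


def scheme_of(url: str) -> str:
    """URL schemes are case-insensitive (RFC 3986), so normalise before comparing."""
    return urlsplit(url.strip()).scheme.lower()


def inspect_inetloc(data: bytes) -> dict:
    """Parse an .inetloc attachment and decide whether to quarantine it."""
    verdict = {"url": None, "scheme": None, "quarantine": True, "reason": ""}
    try:
        doc = plistlib.loads(data)
    except Exception:
        verdict["reason"] = "not a parseable property list"
        return verdict
    url = doc.get("URL") if isinstance(doc, dict) else None
    if not isinstance(url, str):
        verdict["reason"] = "no URL string in shortcut"
        return verdict
    scheme = scheme_of(url)
    verdict.update(url=url, scheme=scheme)
    if scheme in ALLOWED_SCHEMES:
        verdict.update(quarantine=False, reason="allowed web scheme")
    else:
        # Allow-listing fails closed for file:// in any casing and for
        # every other non-web scheme as well.
        verdict["reason"] = f"scheme {scheme!r} is not on the allow-list"
    return verdict


if __name__ == "__main__":
    for sample in (SAMPLE_MIXED_CASE, SAMPLE_WEB, b"garbage"):
        print(inspect_inetloc(sample))
```

An allow-list is used instead of a corrected deny-list so that the check does not depend on enumerating every spelling of a blocked prefix.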
