Unpatched macOS vulnerability permits remote attackers to execute code
A code execution bug in Apple’s macOS allows remote attackers to execute arbitrary commands on your device. Worst of all, Apple hasn’t fully patched it yet, as Ars confirmed in testing.
These shortcut files can take over your Mac
Independent security researcher Park Minchan has discovered a vulnerability in macOS that allows attackers to execute commands on your computer. Shortcut files with the inetloc extension can embed commands in them. The bug affects macOS Big Sur and earlier versions.
“A vulnerability in the way macOS handles inetloc files results in commands embedded in them being executed. Originally, inetloc files are shortcuts to an Internet location, such as an RSS feed or Telnet location; they contain the server address and possibly a username and password for SSH and Telnet connections, and can be created by entering a URL in a text editor and dragging the text to the desktop.”
Minchan reported the bug to Apple through the SSD Secure Disclosure program, as the advisory notes.
Internet shortcuts exist in both Windows and macOS systems. However, this particular flaw adversely affects macOS users, especially those using a native email client like the “Mail” app.
For example, if you open an e-mail with an inetloc attachment in the “Mail” app, the vulnerability is triggered without any warning. The test e-mail below carries an attached link file, “test.inetloc”, which launches the Calculator app on macOS when opened:
“Inetloc” attachment as viewed in the macOS Mail app.
Apple’s “fix” can easily be bypassed
The source of the vulnerability is pretty simple. An internet link file usually contains a URL. But what happens if you include a “file://” URL?
URLs that begin with “file://” rather than “http://” or “https://” refer to files on your own computer. You can try this on your Mac: when you open a local file in the Chrome or Safari web browser, the corresponding file:// location is generated automatically in the address bar. Internet shortcuts, or inetloc files, can just as easily be made to point to “file://” URLs instead of HTTP URLs.
Although Apple has been informed of the bug and, starting with Big Sur, blocks the inclusion of file:// URLs in Internet links, the block can be bypassed by changing the letter case:
“Newer versions of macOS (from Big Sur) blocked the file:// prefix (in com.apple.generic-internet-location), but they used a case-sensitive match, so File:// bypasses the check,” explains Minchan.
I tested this theory on my macOS Big Sur 11.3.1 and 11.6 with the proof-of-concept code (PoC) provided by Minchan, and I can confirm that the bug was actually not fully patched:
macOS RCE bug proof-of-concept code that launches the Calculator app.
This snippet of just eight lines launched the Calculator shown above. But a skilled threat actor could modify the test code to run genuinely malicious code on the victim’s computer. For example, Ars found that variants such as “FiLe:///////////////bin/pwd” also ran successfully.
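As an added illustration (not code from the article or from Minchan’s PoC), the Python scanner below, written for a mail gateway or endpoint check, shows why a case-sensitive prefix test of the kind described above fails and how parsing the URL scheme instead catches every case variant, including the extra-slash form Ars tested. It assumes an inetloc attachment is an XML property list whose URL key holds the link, which is the layout the PoC uses.

```python
import plistlib
from urllib.parse import urlsplit

# Schemes that should never appear in a mailed internet shortcut; "file" is
# the one this bug abuses. Comparison is done on the normalised scheme.
LOCAL_SCHEMES = {"file"}


def naive_check(url: str) -> bool:
    """Case-sensitive prefix test, the weak pattern the article describes.
    Returns True when the URL is blocked; 'FiLe://' slips straight past it."""
    return url.startswith("file://")


def robust_check(url: str) -> bool:
    """Parse the scheme (RFC 3986 schemes are case-insensitive) and block any
    local-file scheme regardless of letter case or how many slashes follow."""
    scheme = urlsplit(url.strip()).scheme.lower()
    return scheme in LOCAL_SCHEMES


def scan_inetloc(data: bytes) -> dict:
    """Inspect one .inetloc attachment and return a verdict dict.
    Anything that cannot be parsed as a plist with a string URL is treated
    as blocked, since a benign shortcut always has a readable URL."""
    try:
        plist = plistlib.loads(data)
    except Exception as exc:  # InvalidFileException or an XML parse error
        return {"url": None, "blocked_naive": False, "blocked_robust": True,
                "reason": f"unparseable plist: {exc}"}
    url = plist.get("URL") if isinstance(plist, dict) else None
    if not isinstance(url, str):
        return {"url": None, "blocked_naive": False, "blocked_robust": True,
                "reason": "no URL key"}
    return {"url": url, "blocked_naive": naive_check(url),
            "blocked_robust": robust_check(url), "reason": "scheme check"}


def make_inetloc(url: str) -> bytes:
    """Build a minimal inetloc plist for testing (constructed sample, not a
    real attachment)."""
    return plistlib.dumps({"URL": url}, fmt=plistlib.FMT_XML)


if __name__ == "__main__":
    # Constructed sample: a case-varied file URL with a placeholder target.
    for sample in ("https://example.com/feed.rss", "FiLe:///////////////tmp/placeholder"):
        print(scan_inetloc(make_inetloc(sample)))
```

The naive check also misses single-slash forms such as "file:/path", which the scheme-based check still catches.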
Apple Mac users are cautioned to be careful when opening .inetloc internet shortcuts, especially if they come in via email attachments.