https://mikko-kenttala.medium.com/zero-click-vulnerability-in-apples-macos-mail-59e0c14b106c

Zero click vulnerability in Apple's macOS Mail

Mikko Kenttala

Zero-Click Zip

TL;DR

I found a zero click vulnerability in Apple Mail which allowed me to add or modify any arbitrary file inside Mail's sandbox environment. This could lead to many bad things, including unauthorized disclosure of sensitive information to a third party. An attacker can modify the victim's Mail configuration, including mail redirects, which enables takeover of the victim's other accounts via password resets. This vulnerability can be used to change the victim's configuration so that the victim propagates the attack to their correspondents in a worm-like fashion. Apple patched this vulnerability in 2020-07.

Story

I was researching another vulnerability case (I'll write about it a bit later) when I found this. I was reading Apple's Bug Bounty categories and started to think about what attack vectors there might be that trigger without user action. The first idea, obviously, was Safari. I played a bit with Safari but couldn't find any interesting leads. Next on my mind was Mail or iMessage. I focused on Mail because of a hunch about legacy features hiding in the older codebase. I started to play around with Mail, sending test messages and attachments with the idea of finding an anomaly compared to normal email sending and receiving. I sent these test messages and followed the Mail process's syscalls to learn what happens under the hood when an email is received, and here is what I found.

Technical details

Description

Mail has a feature which enables it to automatically uncompress attachments which have been automatically compressed by another Mail user.
In the valid use case, if the user creates an email and adds a folder as an attachment, the folder is automatically compressed with zip and x-mac-auto-archive=yes; is added to the MIME headers. When another Mail user receives this email, the compressed attachment data is automatically uncompressed. During my research I found that parts of the uncompressed data are not cleaned from the temporary directory, and that directory is not unique in the context of Mail. This can be leveraged to get unauthorized write access to ~/Library/Mail and to $TMPDIR using symlinks inside those zipped files.

Here is what happens

The attacker sends an email exploit which includes two zip files as attachments to the victim. Immediately when the user receives the email, Mail parses it to find any attachments with the x-mac-auto-archive=yes header in place. Mail uncompresses those files automatically.

1st stage

The first zip includes a symlink named Mail which points to the victim's "$HOME/Library/Mail" and a file 1.txt. The zip gets uncompressed to "$TMPDIR/com.apple.mail/bom/". Based on the "filename=1.txt.zip" header, 1.txt gets copied to the mail dir and everything works as expected. However, cleanup is not done the right way and the symlink is left in place.

2nd stage

The second attached zip includes the changes that you want to make to "$HOME/Library/Mail". This provides arbitrary file write permission to Library/Mail. In my example case I wrote new Mail rules for the Mail application. With that you can add an auto-forward rule to the victim's Mail application. The second zip contains:

Mail/ZCZPoC
Mail/V7/MailData/RulesActiveState.plist
Mail/V7/MailData/SyncedRules.plist

Mail/ZCZPoC is just a plaintext file which will be written to ~/Library/Mail.

Overwrite Mail rule list

Files can be overwritten, and that is what happens with the RulesActiveState.plist and SyncedRules.plist files. The main thing in RulesActiveState.plist is to activate our rule in SyncedRules.plist. Excerpt from RulesActiveState.plist:

    ...
    0C8B9B35-2F89-418F-913F-A6F5E0C8F445
    ...
SyncedRules.plist contains a rule to match "AnyMessage"; the rule in this PoC sets the Mail application to play the Morse sound when any message is received. Excerpt from SyncedRules.plist:

    ...
    Criteria
    CriterionUniqueId 0C8B9B35-2F89-418F-913F-A6F5E0C8F445
    Header AnyMessage
    ...
    SoundName Morse

Instead of playing the Morse sound, this could be e.g. a forwarding rule to leak sensitive email data.

Impact

This arbitrary write access allows the attacker to manipulate all of the files in $HOME/Library/Mail. As shown, this leads to exposure of sensitive data to a third party by manipulating the Mail application's configuration. One of the available configuration options is the user's signature, which could be used to make this vulnerability wormable. There is also a chance that this could lead to a remote code execution (RCE) vulnerability, but I didn't go that far.

Timeline

2020-05-16: Issue found
2020-05-24: PoC done and reported to Apple
2020-06-04: Catalina 10.15.6 Beta 4 with hotfix released
2020-07-15: Catalina 10.15.6 Update with hotfix released
2020-11-12: Credits released (CVE-2020-9922)
2021-03-30: Bug Bounty is still being evaluated

Thanks to the fellow researchers who have shared their findings and knowledge, and thanks to Apple for the quick fixes. Huge thanks to my colleagues who helped me with this writeup!
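The root cause described in the two stages above is an archive extractor that (a) materialises a symlink entry and (b) later writes through whatever is already sitting in a shared, non-unique temp directory. The following is an added example, not code from the post or from Apple Mail: a Python extractor that flags symlink, absolute and ".." entries and refuses any write whose resolved parent falls outside the extraction root, exercised against constructed stage-1 and stage-2 style archives. The two temp directories, the helper names and the "rule data" payload are hypothetical stand-ins for $TMPDIR/com.apple.mail/bom and ~/Library/Mail.

```python
import io, os, stat, tempfile, zipfile

def unsafe_entries(zip_bytes: bytes) -> list:
    """Entry names a receiver should refuse: symlinks, absolute paths, '..' traversal."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        # Unix mode bits (incl. the symlink type) sit in the high 16 bits of external_attr.
        return [i.filename for i in zf.infolist()
                if stat.S_ISLNK(i.external_attr >> 16) or i.filename.startswith("/")
                or ".." in i.filename.split("/")]

def safe_extract(zip_bytes: bytes, dest: str) -> list:
    """Write regular files only, never through a symlink already present under dest."""
    root = os.path.realpath(dest)
    bad, written = set(unsafe_entries(zip_bytes)), []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.filename in bad or info.is_dir():
                continue
            target = os.path.join(root, info.filename)
            # realpath follows a stale symlink; outside root means the victim's dir.
            parent = os.path.realpath(os.path.dirname(target))
            if os.path.commonpath([root, parent]) != root:
                continue
            os.makedirs(parent, exist_ok=True)
            with zf.open(info) as src, open(target, "wb") as dst:
                dst.write(src.read())
            written.append(info.filename)
    return written

def build_zip(entries) -> bytes:
    """Constructed test input: (name, data, is_symlink) tuples, like 'zip -y' output."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data, is_link in entries:
            info = zipfile.ZipInfo(name)
            mode = (stat.S_IFLNK | 0o777) if is_link else (stat.S_IFREG | 0o644)
            info.external_attr = mode << 16
            zf.writestr(info, data)
    return buf.getvalue()

def demo() -> dict:
    # Hypothetical stand-ins for ~/Library/Mail and $TMPDIR/com.apple.mail/bom.
    victim, work = tempfile.mkdtemp(), tempfile.mkdtemp()
    stage1 = build_zip([("Mail", victim, True), ("1.txt", "hello", False)])
    wrote1 = safe_extract(stage1, work)             # symlink skipped, 1.txt written
    os.symlink(victim, os.path.join(work, "Mail"))  # the stale link a naive unzip leaves
    stage2 = build_zip([("Mail/ZCZPoC", "rule data", False)])
    wrote2 = safe_extract(stage2, work)             # refused: parent resolves outside root
    return {"flagged": unsafe_entries(stage1), "wrote1": wrote1,
            "wrote2": wrote2, "victim_files": os.listdir(victim)}
```

The realpath check is still a check-then-write, so on a shared directory an attacker with concurrent access could race it; the durable fix is a per-message unique extraction directory that is removed whole afterwards.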
About me

Founder and CEO of: https://www.sensorfu.com/
Twitter: https://twitter.com/Turmio_
LinkedIn: https://www.linkedin.com/in/mikkokenttala/
Happy Hacker: http://www.happyhacking.org/