<?xml version="1.0" encoding="utf-8"?><feed xmlns="http://www.w3.org/2005/Atom" xml:lang="en-US"><generator uri="https://jekyllrb.com/" version="4.1.1">Jekyll</generator><link href="/HH/feed.xml" rel="self" type="application/atom+xml" /><link href="/HH/" rel="alternate" type="text/html" hreflang="en-US" /><updated>2021-04-04T08:21:51+03:00</updated><id>/HH/feed.xml</id><title type="html">Happy Hacking</title><subtitle>My Happy Hacking stories</subtitle><author><name>Mikko Kenttälä</name><email>mikko.kenttala(ä)iki.fi</email></author><entry><title type="html">Zero click vulnerability in Apple’s macOS Mail</title><link href="/HH/Zero-Click-Zip/" rel="alternate" type="text/html" title="Zero click vulnerability in Apple’s macOS Mail" /><published>2021-03-30T13:37:00+03:00</published><updated>2021-03-30T13:37:00+03:00</updated><id>/HH/Zero-Click-Zip</id><content type="html" xml:base="/HH/Zero-Click-Zip/">&lt;p&gt;&lt;img src=&quot;zcz.png&quot; alt=&quot;ZcZ&quot; /&gt;&lt;/p&gt;

&lt;h1 id=&quot;zero-click-ziptldr&quot;&gt;Zero-Click Zip TL;DR&lt;/h1&gt;

&lt;p&gt;I found a zero-click vulnerability in Apple Mail, which allowed me to add or
modify any arbitrary file inside Mail’s sandbox environment. This could lead to
many bad things, including unauthorized disclosure of sensitive information to a
third party. An attacker can modify the victim’s Mail configuration, including mail
redirects, which enables takeover of the victim’s other accounts via password
resets. This vulnerability can be used to change the victim’s configuration so
that victims will be propagating the attack to their correspondents in a
worm-like fashion. Apple patched this vulnerability in 2020–07.&lt;/p&gt;

&lt;h2 id=&quot;story&quot;&gt;Story&lt;/h2&gt;

&lt;p&gt;I was researching another vulnerability case (I’ll write about it a bit later)
when I found this. I was reading Apple’s Bug Bounty categories and started to
think about what attack vectors there might be that trigger without user action. The first
idea obviously was Safari. I played a bit with Safari but couldn’t find any
interesting leads. The next thing on my mind was Mail or iMessage. I focused on
Mail because of a hunch about legacy features hiding in an older codebase. I
started to play around with Mail, sending test messages and attachments with
the idea of trying to find an anomaly compared to normal email sending and
receiving. I sent these test messages and followed the Mail process syscalls to
learn what is happening under the hood when an email is received, and here is what
I found.&lt;/p&gt;

&lt;h1 id=&quot;technical-details&quot;&gt;Technical details&lt;/h1&gt;

&lt;h2 id=&quot;description&quot;&gt;Description&lt;/h2&gt;

&lt;p&gt;Mail has a feature which enables it to automatically uncompress attachments
which have been automatically compressed by another Mail user.&lt;/p&gt;

&lt;p&gt;In the valid use case, if the user creates an email and adds a folder as an
attachment, it will be automatically compressed with zip and
x-mac-auto-archive=yes; is added to the MIME headers. When another Mail user
receives this email, the compressed attachment data is automatically uncompressed.&lt;/p&gt;

&lt;p&gt;During my research I found that parts of the uncompressed data are not cleaned
from the temporary directory, and that directory is not unique in the context of Mail.
This can be leveraged to get unauthorized write access to ~/Library/Mail and to
$TMPDIR using symlinks inside those zipped files.&lt;/p&gt;

&lt;h2 id=&quot;here-is-what-happens&quot;&gt;Here is what happens&lt;/h2&gt;

&lt;p&gt;The attacker sends the victim an exploit email which includes two zip files as
attachments. Immediately when the user receives the email, Mail will parse it to
find any attachments with the x-mac-auto-archive=yes header in place. Mail will
uncompress those files automatically.&lt;/p&gt;

&lt;p&gt;&lt;img src=&quot;process.png&quot; alt=&quot;Exploit process&quot; /&gt;&lt;/p&gt;

&lt;h3 id=&quot;1st-stage&quot;&gt;1st stage&lt;/h3&gt;

&lt;p&gt;The first zip includes a symlink named Mail which points to the victim’s
“$HOME/Library/Mail” and a file 1.txt. The zip gets uncompressed to
“$TMPDIR/com.apple.mail/bom/”. Based on the “filename=1.txt.zip” header, 1.txt gets
copied to the mail dir and everything works as expected. However, cleanup is not
done the right way and the symlink is left in place.&lt;/p&gt;

&lt;h3 id=&quot;2nd-stage&quot;&gt;2nd stage&lt;/h3&gt;

&lt;p&gt;The second attached zip includes the changes that you want to make to
“$HOME/Library/Mail”. This will provide arbitrary file write permission to
Library/Mail.&lt;/p&gt;

&lt;p&gt;In my example case I wrote new Mail rules for the Mail application. With that
you can add an auto forward rule to the victim’s Mail application.&lt;/p&gt;

&lt;pre&gt;&lt;code class=&quot;language-#text&quot;&gt; Mail/ZCZPoC
 Mail/V7/MailData/RulesActiveState.plist
 Mail/V7/MailData/SyncedRules.plist
&lt;/code&gt;&lt;/pre&gt;

&lt;p&gt;Mail/ZCZPoC includes just a plaintext file which will be written to ~/Library/Mail.&lt;/p&gt;

&lt;h3 id=&quot;ovrewrite-maillapp-rule-list&quot;&gt;Overwrite Mail.app rule list&lt;/h3&gt;

&lt;p&gt;Files can be overwritten and that is what happens with the
RulesActiveState.plist and the SyncedRules.plist files.&lt;/p&gt;

&lt;p&gt;The main purpose of RulesActiveState.plist is to activate our rule in
SyncedRules.plist.&lt;/p&gt;

&lt;div class=&quot;language-xml highlighter-rouge&quot;&gt;&lt;div class=&quot;highlight&quot;&gt;&lt;pre class=&quot;highlight&quot;&gt;&lt;code&gt;...
&lt;span class=&quot;nt&quot;&gt;&amp;lt;dict&amp;gt;&lt;/span&gt;
    &lt;span class=&quot;nt&quot;&gt;&amp;lt;key&amp;gt;&lt;/span&gt;0C8B9B35-2F89-418F-913F-A6F5E0C8F445&lt;span class=&quot;nt&quot;&gt;&amp;lt;/key&amp;gt;&lt;/span&gt;
    &lt;span class=&quot;nt&quot;&gt;&amp;lt;true/&amp;gt;&lt;/span&gt;
&lt;span class=&quot;nt&quot;&gt;&amp;lt;/dict&amp;gt;&lt;/span&gt;
...
&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;/div&gt;

&lt;p&gt;SyncedRules.plist contains a rule to match “AnyMessage”, and the rule in this PoC
sets the Mail application to play the Morse sound when any message is received.&lt;/p&gt;

&lt;div class=&quot;language-xml highlighter-rouge&quot;&gt;&lt;div class=&quot;highlight&quot;&gt;&lt;pre class=&quot;highlight&quot;&gt;&lt;code&gt;...

&lt;span class=&quot;nt&quot;&gt;&amp;lt;key&amp;gt;&lt;/span&gt;Criteria&lt;span class=&quot;nt&quot;&gt;&amp;lt;/key&amp;gt;&lt;/span&gt;
&lt;span class=&quot;nt&quot;&gt;&amp;lt;array&amp;gt;&lt;/span&gt;
    &lt;span class=&quot;nt&quot;&gt;&amp;lt;dict&amp;gt;&lt;/span&gt;
        &lt;span class=&quot;nt&quot;&gt;&amp;lt;key&amp;gt;&lt;/span&gt;CriterionUniqueId&lt;span class=&quot;nt&quot;&gt;&amp;lt;/key&amp;gt;&lt;/span&gt;
        &lt;span class=&quot;nt&quot;&gt;&amp;lt;string&amp;gt;&lt;/span&gt;0C8B9B35-2F89-418F-913F-A6F5E0C8F445&lt;span class=&quot;nt&quot;&gt;&amp;lt;/string&amp;gt;&lt;/span&gt;
        &lt;span class=&quot;nt&quot;&gt;&amp;lt;key&amp;gt;&lt;/span&gt;Header&lt;span class=&quot;nt&quot;&gt;&amp;lt;/key&amp;gt;&lt;/span&gt;
        &lt;span class=&quot;nt&quot;&gt;&amp;lt;string&amp;gt;&lt;/span&gt;AnyMessage&lt;span class=&quot;nt&quot;&gt;&amp;lt;/string&amp;gt;&lt;/span&gt;
    &lt;span class=&quot;nt&quot;&gt;&amp;lt;/dict&amp;gt;&lt;/span&gt;
&lt;span class=&quot;nt&quot;&gt;&amp;lt;/array&amp;gt;&lt;/span&gt;
...

&lt;span class=&quot;nt&quot;&gt;&amp;lt;key&amp;gt;&lt;/span&gt;SoundName&lt;span class=&quot;nt&quot;&gt;&amp;lt;/key&amp;gt;&lt;/span&gt;
&lt;span class=&quot;nt&quot;&gt;&amp;lt;string&amp;gt;&lt;/span&gt;Morse&lt;span class=&quot;nt&quot;&gt;&amp;lt;/string&amp;gt;&lt;/span&gt;

&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;/div&gt;

&lt;p&gt;Instead of playing the Morse sound, this could be e.g. a forwarding rule to leak
sensitive email data.&lt;/p&gt;

&lt;h2 id=&quot;impact&quot;&gt;Impact&lt;/h2&gt;

&lt;p&gt;This arbitrary write access allows the attacker to manipulate all of the files
in $HOME/Library/Mail. As shown this will lead to exposure of the sensitive
data to a third party through manipulating the Mail application’s
configuration. One of the available configuration options is the user’s
signature which could be used to make this vulnerability wormable.&lt;/p&gt;

&lt;p&gt;There is also a chance that this could lead to a remote code execution (RCE)
vulnerability, but I didn’t go that far.&lt;/p&gt;

&lt;h2 id=&quot;timeline&quot;&gt;Timeline&lt;/h2&gt;
&lt;ul&gt;
  &lt;li&gt;2020-05-16: Issue found&lt;/li&gt;
  &lt;li&gt;2020-05-24: PoC done and reported to Apple&lt;/li&gt;
  &lt;li&gt;2020-06-04: Catalina 10.15.6 Beta 4 with Hotfix released&lt;/li&gt;
  &lt;li&gt;2020-07-15: macOS Mojave 10.14.6, macOS High Sierra 10.13.6, macOS Catalina 10.15.5 Update with hotfix released&lt;/li&gt;
  &lt;li&gt;2020-11-12: Credits released (&lt;a href=&quot;https://support.apple.com/en-us/HT211289&quot;&gt;CVE-2020-9922&lt;/a&gt;)&lt;/li&gt;
  &lt;li&gt;2021-03-12: Bug Bounty is still being evaluated&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;Thanks to the fellow researchers who have shared their findings and knowledge, and thanks to Apple for the quick fixes.&lt;/p&gt;</content><author><name>Mikko Kenttälä</name><email>mikko.kenttala(ä)iki.fi</email></author><category term="hacking" /><summary type="html"></summary></entry><entry><title type="html">How my application ran away and called home from Redmond</title><link href="/HH/How-my-application-ran-away-and-called-home-from-Redmond/" rel="alternate" type="text/html" title="How my application ran away and called home from Redmond" /><published>2019-10-07T13:37:00+03:00</published><updated>2019-10-07T13:37:00+03:00</updated><id>/HH/How-my-application-ran-away-and-called-home-from-Redmond</id><content type="html" xml:base="/HH/How-my-application-ran-away-and-called-home-from-Redmond/">&lt;p&gt;I recently found a surprising leak vector in Windows 10 installations. We were porting our Beacon Application to Windows, and for easy deployment the plan was to create just one .exe including everything. However, we found out that End Point Protection (EPP) solutions didn’t like that at all and we had to go with the MSI installer option. This is the story of what happened during the .exe testing.&lt;/p&gt;

&lt;p&gt;I used my personal malware analysis lab for testing the application. My lab is an isolated network environment which has whitelist-based firewall rules. The whitelist firewall is needed to carefully allow specific updates and downloads. The lab already has a Beacon Virtual Machine running and it has found issues in the past. All of them are fixed. So this leak was something new!&lt;/p&gt;

&lt;p&gt;&lt;img src=&quot;topo.png&quot; alt=&quot;&quot; /&gt;
…&lt;/p&gt;

&lt;p&gt;&lt;a href=&quot;https://medium.com/sensorfu/how-my-application-ran-away-and-called-home-from-redmond-de7af081100d&quot;&gt;Read full post from here&lt;/a&gt;&lt;/p&gt;</content><author><name>Mikko Kenttälä</name><email>mikko.kenttala(ä)iki.fi</email></author><category term="hacking" /><summary type="html">I recently found a surprising leak vector in Windows 10 installations. We were porting our Beacon Application to Windows, and for easy deployment the plan was to create just one .exe including everything. However, we found out that End Point Protection (EPP) solutions didn’t like that at all and we had to go with the MSI installer option. This is the story of what happened during the .exe testing.</summary></entry><entry><title type="html">How to use F-secure freedome VPN in OpenBSD/Linux</title><link href="/HH/how-to-use-f-secure-freedome-vpn-in-openbsd/" rel="alternate" type="text/html" title="How to use F-secure freedome VPN in OpenBSD/Linux" /><published>2016-09-09T13:37:00+03:00</published><updated>2016-09-09T13:37:00+03:00</updated><id>/HH/how-to-use-f-secure-freedome-vpn-in-openbsd</id><content type="html" xml:base="/HH/how-to-use-f-secure-freedome-vpn-in-openbsd/">&lt;h2 id=&quot;this-wont-work-anymore-&quot;&gt;(This won’t work anymore )&lt;/h2&gt;

&lt;p&gt;I have been testing and using F-Secure Freedome VPN for a while and I was wondering whether I could get it running on my OpenBSD virtual machine. I have done some research before about the security of Freedome (as I normally do when I start to use new software), and I was aware that it is based on OpenVPN.&lt;/p&gt;

&lt;ul&gt;
  &lt;li&gt;The following instructions were done with OS X and OpenBSD&lt;/li&gt;
  &lt;li&gt;You need to have Freedome installed on one of your machines&lt;/li&gt;
  &lt;li&gt;Yes. You need to have a valid license&lt;/li&gt;
  &lt;li&gt;Do not ask F-Secure for support with this&lt;/li&gt;
  &lt;li&gt;This might be against their Terms and Conditions&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;…&lt;/p&gt;

&lt;p&gt;&lt;a href=&quot;http://www.happyhacking.org/HappyHacking/hacking/2016/09/09/How-to-Use-F-secure-Freedome-in-OpenBSD.html&quot;&gt;Read full post from here&lt;/a&gt;&lt;/p&gt;</content><author><name>Mikko Kenttälä</name><email>mikko.kenttala(ä)iki.fi</email></author><category term="hacking" /><summary type="html">(This won’t work anymore )</summary></entry><entry><title type="html">Disable F-secure freedome VPN remotely (OS X)</title><link href="/HH/disable-f-secure-freedome-vpn-remotely/" rel="alternate" type="text/html" title="Disable F-secure freedome VPN remotely (OS X)" /><published>2016-09-08T13:37:00+03:00</published><updated>2016-09-08T13:37:00+03:00</updated><id>/HH/disable-f-secure-freedome-vpn-remotely</id><content type="html" xml:base="/HH/disable-f-secure-freedome-vpn-remotely/">&lt;p&gt;&lt;img src=&quot;freedome-disabled.png&quot; alt=&quot;freedome&quot; /&gt;&lt;/p&gt;

&lt;h2 id=&quot;short-description&quot;&gt;Short description&lt;/h2&gt;
&lt;p&gt;An attacker who wants to reveal the real IP address of a Freedome user can disable Freedome remotely (old versions). The bug was reported to F-Secure and they already fixed the issue a couple of months ago. Thanks for the quick reaction.&lt;/p&gt;

&lt;h2 id=&quot;technical-description&quot;&gt;Technical description&lt;/h2&gt;
&lt;p&gt;Freedome is based on OpenVPN and uses OpenVPN’s “--management-client” option, which means that OpenVPN is managed from another process, in this case the Freedome GUI. The client was listening on a TCP socket bound to localhost on a random port. An attacker can make a web page which goes through the port range rather fast. When a connection is made to the Freedome GUI TCP socket, it disconnects the real connection between OpenVPN and the Freedome GUI. This disconnects the VPN connection, the laptop falls back to the “normal” Internet connection, and the user’s real IP address is exposed.&lt;/p&gt;

&lt;p&gt;A PoC was sent to F-Secure and they fixed the issue by changing the TCP socket to a Unix domain socket. Thanks to F-Secure for the quick reaction.&lt;/p&gt;</content><author><name>Mikko Kenttälä</name><email>mikko.kenttala(ä)iki.fi</email></author><category term="hacking" /><summary type="html"></summary></entry><entry><title type="html">Hacking prepaid data</title><link href="/HH/hacking-prepaid-data/" rel="alternate" type="text/html" title="Hacking prepaid data" /><published>2015-10-19T13:37:00+03:00</published><updated>2015-10-19T13:37:00+03:00</updated><id>/HH/hacking-prepaid-data</id><content type="html" xml:base="/HH/hacking-prepaid-data/">&lt;p&gt;&lt;img src=&quot;http://www.happyhacking.org/HappyHacking/img/prepaid.png&quot; alt=&quot;prepaid&quot; /&gt;&lt;/p&gt;

&lt;h1 id=&quot;more-prepaid-data-with-nice-discount&quot;&gt;More prepaid data with nice discount&lt;/h1&gt;
&lt;p&gt;One operator in Finland had a vulnerability in their prepaid charging web site. Clients who were buying more time for their prepaid were controlling the variable “ammount” via the web browser. The report is encrypted in Finnish but you can get the idea from the screenshots.&lt;/p&gt;

&lt;p&gt;Vulnerability was reported to the operator and they fixed it rather quickly.&lt;/p&gt;

&lt;p&gt;&lt;a href=&quot;https://www.jkry.org/ouluhack/HackingPrepaidData&quot;&gt;Full report in Finnish&lt;/a&gt;&lt;/p&gt;</content><author><name>Mikko Kenttälä</name><email>mikko.kenttala(ä)iki.fi</email></author><category term="hacking" /><summary type="html"></summary></entry><entry><title type="html">Hacking Inteno DG201A</title><link href="/HH/hacking-inteno-DG201A/" rel="alternate" type="text/html" title="Hacking Inteno DG201A" /><published>2013-11-07T12:37:00+02:00</published><updated>2013-11-07T12:37:00+02:00</updated><id>/HH/hacking-inteno-DG201A</id><content type="html" xml:base="/HH/hacking-inteno-DG201A/">&lt;p&gt;I have run my VDSL2 box happily in bridge mode, thinking that there is not that much risk because the box should just be forwarding the packets to my firewall. After making some changes to my VDSL box I realized that for some strange reason it takes an IP address from the Internet even when it should be in bridged mode.&lt;/p&gt;

&lt;p&gt;And it means I need to check how secure it is.&lt;/p&gt;

&lt;p&gt;&lt;a href=&quot;http://www.happyhacking.org/HappyHacking/hacking/2013/11/07/Hacking-Inetno-DG201A.html&quot;&gt;Read full post here…&lt;/a&gt;&lt;/p&gt;</content><author><name>Mikko Kenttälä</name><email>mikko.kenttala(ä)iki.fi</email></author><category term="hacking" /><summary type="html">I have run my VDSL2 box happily in bridge mode, thinking that there is not that much risk because the box should just be forwarding the packets to my firewall. After making some changes to my VDSL box I realized that for some strange reason it takes an IP address from the Internet even when it should be in bridged mode.</summary></entry><entry><title type="html">Hacking Toyota Touch and Go</title><link href="/HH/hacking-toyota-touch-and-go/" rel="alternate" type="text/html" title="Hacking Toyota Touch and Go" /><published>2012-03-05T12:37:00+02:00</published><updated>2012-03-05T12:37:00+02:00</updated><id>/HH/hacking-toyota-touch-and-go</id><content type="html" xml:base="/HH/hacking-toyota-touch-and-go/">&lt;p&gt;&lt;img src=&quot;http://www.happyhacking.org/HappyHacking/data/Toyota-Avensis-touch_go_monitor_big.jpg&quot; alt=&quot;Touch and Go&quot; /&gt;&lt;/p&gt;

&lt;h1 id=&quot;intro&quot;&gt;INTRO&lt;/h1&gt;
&lt;p&gt;New Toyotas have a head unit called Touch and Go. The system is based on QNX and made by Harman, and most likely the same kind of devices are also used by other car manufacturers. You can connect the car to the Internet via Bluetooth. We joined the same Bluetooth network to see what was going on.&lt;/p&gt;

&lt;p&gt;There were multiple services running on QNX, including Telnet, D-Bus with anonymous login enabled, and some log interfaces for debugging.&lt;/p&gt;

&lt;p&gt;&lt;a href=&quot;http://www.happyhacking.org/HappyHacking/hacking/2012/03/05/Hacking-Toyota-Touh-and-go.html&quot;&gt;Read full post here…&lt;/a&gt;&lt;/p&gt;</content><author><name>Mikko Kenttälä</name><email>mikko.kenttala(ä)iki.fi</email></author><category term="hacking" /><summary type="html"></summary></entry><entry><title type="html">Getting shell from Onkyos AVR</title><link href="/HH/shell-from-onkyoss-avr/" rel="alternate" type="text/html" title="Getting shell from Onkyos AVR" /><published>2011-09-06T09:29:20+03:00</published><updated>2011-09-06T09:29:20+03:00</updated><id>/HH/shell-from-onkyoss-avr</id><content type="html" xml:base="/HH/shell-from-onkyoss-avr/">&lt;p&gt;&lt;img src=&quot;http://www.happyhacking.org/HappyHacking/img/onkyo.png&quot; alt=&quot;Onkyo AVR&quot; /&gt;&lt;/p&gt;

&lt;h1 id=&quot;onkyo-tx-nr509&quot;&gt;ONKYO TX-NR509&lt;/h1&gt;
&lt;p&gt;I bought a new AVR for my home and of course I needed to check out what is under the hood. While reading the manual I noticed that the software licenses included Busybox. It was an invitation to the challenge of getting a shell.&lt;/p&gt;

&lt;p&gt;Some basic information:&lt;/p&gt;

&lt;ul&gt;
  &lt;li&gt;Model: Onkyo TX-NR509&lt;/li&gt;
  &lt;li&gt;Network Capability Delivers Internet Radio and Network Audio Streaming via Ethernet&lt;/li&gt;
  &lt;li&gt;Linux inside&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;&lt;a href=&quot;http://www.happyhacking.org/HappyHacking/hacking/2011/09/06/Getting-shell-from-Onkyos-AVR.html&quot;&gt;Read full post here…&lt;/a&gt;&lt;/p&gt;</content><author><name>Mikko Kenttälä</name><email>mikko.kenttala(ä)iki.fi</email></author><category term="hacking" /><summary type="html"></summary></entry><entry><title type="html">Second trip to embedded system</title><link href="/HH/second-trip-to-embedded-system/" rel="alternate" type="text/html" title="Second trip to embedded system" /><published>2010-03-19T08:29:20+02:00</published><updated>2010-03-19T08:29:20+02:00</updated><id>/HH/second-trip-to-embedded-system</id><content type="html" xml:base="/HH/second-trip-to-embedded-system/">&lt;p&gt;&lt;img src=&quot;http://www.happyhacking.org/HappyHacking/img/embedded.png&quot; alt=&quot;HP Procurve 1810G&quot; /&gt;&lt;/p&gt;

&lt;p&gt;After my last blog post I have figured out a couple of new things. One thing is that you can access the boot loader by pressing ctrl + c while the switch is booting. More about it later in a section dedicated to this subject.&lt;/p&gt;

&lt;p&gt;Another happy hacking experience was SNMP, as I already guessed in my last post. Anyhow, this has been a great learning experience for getting closer to hardware and embedded devices, since I have not had this kind of knowledge before.&lt;/p&gt;

&lt;p&gt;&lt;a href=&quot;http://www.happyhacking.org/HappyHacking/hacking/2010/03/19/Second-trip-to-embedded-system.html&quot;&gt;Read full post here…&lt;/a&gt;&lt;/p&gt;</content><author><name>Mikko Kenttälä</name><email>mikko.kenttala(ä)iki.fi</email></author><category term="hacking" /><summary type="html"></summary></entry><entry><title type="html">Best fail so far</title><link href="/HH/best-fail-so-far/" rel="alternate" type="text/html" title="Best fail so far" /><published>2010-01-28T08:29:20+02:00</published><updated>2010-01-28T08:29:20+02:00</updated><id>/HH/best-fail-so-far</id><content type="html" xml:base="/HH/best-fail-so-far/">&lt;p&gt;&lt;img src=&quot;http://www.happyhacking.org/HappyHacking/img/shapeimage_2.png&quot; alt=&quot;Inteno&quot; /&gt;&lt;/p&gt;

&lt;h1 id=&quot;inteno-x5671-vdsl2-box&quot;&gt;INTENO X5671 VDSL2 BOX&lt;/h1&gt;
&lt;h2 id=&quot;basic-info&quot;&gt;BASIC INFO&lt;/h2&gt;
&lt;p&gt;As I’m still moving to a new apartment I have to buy a new VDSL2 box from my operator (DNA). They sell these Inteno boxes by default. The first impression was positive, because they use WPA in WLAN by default and the WLAN password is different for each box. The next thing I noticed was that there was also SSH available (even though there is no mention of it in the manual), which is an extremely great thing!&lt;/p&gt;

&lt;p&gt;Software Version: X5671_2.00DNT06&lt;/p&gt;

&lt;p&gt;OS: OpenWRT-related system Services:&lt;/p&gt;

&lt;p&gt;&lt;a href=&quot;http://www.happyhacking.org/HappyHacking/img/shapeimage_2.png&quot;&gt;Read full post here…&lt;/a&gt;&lt;/p&gt;</content><author><name>Mikko Kenttälä</name><email>mikko.kenttala(ä)iki.fi</email></author><category term="hacking" /><summary type="html"></summary></entry></feed>