An independent researcher has just published details of a “macOS Finder RCE” (remote code execution) vulnerability. The bug effectively allows an attacker to bypass Apple’s File Quarantine and Gatekeeper technologies.
Apple attempted to silently fix the vulnerability in macOS Big Sur, but failed to do so properly.
Let’s take a look at what the vulnerability entails, and how an attacker could use it.
What exactly is the “inetloc” vulnerability?
Independent security researcher Park Minchan explains:
A vulnerability in macOS Finder allows files whose extension is
inetlocto execute arbitrary commands, these files can be embedded inside emails which if the user clicks on them will execute the commands embedded inside them without providing a prompt or warning to the user.
Apple’s Mail app for Mac is not the only method of delivery, however. He further explains:
This vulnerability allows any program that can attach and execute files (iMessage, MS Office…) to Remote Code Execution
Various types of files in macOS can open a URI. Examples of such files include
The researcher noticed that
.inetloc files could be used with the
file: protocol to launch applications or files on the local system, while bypassing Apple’s File Quarantine and Gatekeeper technologies.
Apple attempted to quietly mitigate this in macOS Big Sur by simply disallowing the
file: URI in
.inetloc files. The only problem is that Apple’s mitigation can be completely bypassed simply by changing the protocol’s capitalization, for example to
The beta versions of Apple’s upcoming macOS Monterey are also vulnerable, as confirmed by another researcher, Patrick Wardle.
Moreover, yet another researcher, Vladimir Metnew, pointed out that Apple’s mitigation also does not apply to the virtually identical
.fileloc files. Simply renaming a “mitigated”
.inetloc file with the
.fileloc extension will allow the
file: protocol (spelled in all lowercase) to work again.
You can just use .fileloc file, without a need to mangle the file:// protocol in .inetloc 🙂
— Metnёw (@vladimir_metnew) September 21, 2021
Is this zero-day vulnerability being actively exploited in the wild?
The vulnerability is considered a “zero day” because it is public knowledge, and Apple has not yet fixed it.
We are not aware of any active use of this vulnerability in the wild at this time. However, it may be used in targeted attack scenarios.
What might a real-world attack scenario look like?
So how exactly could this vulnerability be used in a real-world attack scenario? That’s somewhat more complicated.
The vulnerability can be used to trick a user into opening apps and files in known locations on a victim’s Mac, without any warning upon opening the
.inetloc file. However, it was not immediately clear how an attacker could cause harm with this ability alone.
Park Minchan says that the vulnerability can “chain” with other techniques to gain “arbitrary code execution with two clicks.” He plans to release a full-chain exploit soon, through the same site where his original advisory appeared. We will update this article when more information becomes available.
UPDATE, September 25, 2021: Park Minchan shared an Opera blog post detailing a cross-site scripting to remote code execution (XSS to RCE) vulnerability in Opera, which has since been patched. In a demo video in the blog post, bug bounty hunter Renwa used the
.fileloc code execution technique:
Remote and local attack scenarios are possible
One method of attack confirmed by Intego involves an attacker having either local access to a victim’s Mac, or knowing the username and password of any account on the victim’s system—even a non-administrator account. For remote access, File Sharing or Remote Login would need to be enabled.
In this attack scenario, an attacker would simply copy a non-quarantined app or script into a user’s Public Drop Box folder (e.g.
/Users/username/Public/Drop Box/). By design, this folder has write-only permission for any other user of the system.
Alternatively, an attacker can drop an app or script onto a victim’s Mac through a cloud storage folder shared by both the attacker and the victim. We can confirm that this second attack method works for both Dropbox and Google Drive shared folders. (This alternative scenario builds on ideas shared by Metnew last year that are still viable today.)
With either of those scenarios, the attacker would then simply have to trick a user into running a customized
.inetloc file, which would run the attacker-supplied app. The attacker’s app could do literally anything, and would run with the victim’s account privileges. Thus the attacker could log keystrokes, exfiltrate passwords and sensitive data, and more; the possibilities are endless.
Tricking an average Mac user into opening a file is unfortunately not very difficult. It’s easy to paste a custom icon onto any file. One can easily imagine a scenario where a victim thinks they’re opening an expected Microsoft Word file, and has no idea that they have instead run malware planted by an attacker. The
.inetloc vulnerability makes this easier than usual by bypassing File Quarantine and Gatekeeper protections.
What can Mac users do to protect themselves?
Ultimately, Apple needs to properly mitigate this vulnerability with a macOS security update.
In the mean time, Mac users can protect themselves from known malicious payloads by using trusted antivirus software, including Intego Mac Premium Bundle X9. With this protection, if an attacker tries to use a common RAT (remote access Trojan) or other known malware, the attack will be thwarted and the threat will be eliminated.
How can I learn more?
Additional details about the vulnerability can be found in the original advisory. If Park Minchan releases a full-chain exploit, we will update this article with a link to that advisory as well.
Each week on the Intego Mac Podcast, Intego’s Mac security experts discuss the latest Apple news, security and privacy stories, and offer practical advice on getting the most out of your Apple devices. Be sure to follow the podcast to make sure you don’t miss any episodes.
Be sure to subscribe to our e-mail newsletter and keep an eye here on The Mac Security Blog to stay up to date on the most important Apple, security, and privacy news. Follow Intego on your favorite social media channels to ensure you never miss an update: Twitter, Facebook, LinkedIn, Instagram, and YouTube.