Independent security researcher Park Minchan disclosed a zero-day vulnerability in Apple’s macOS Finder that can be exploited by attackers to run arbitrary commands on Mac systems running any macOS version.
The flaw is due to the way macOS handles inetloc files that causes it to run commands embedded inside. According to the SSD Secure Disclosure advisory, the commands it runs can be local to the macOS allowing the execution of arbitrary commands by the user without any prompts.
An Internet location file is a sort of system bookmark, upon double-clicking one, an online resource or local files (file://) will be opened.
Initially, the flaw was silently addressed by Apple, but Minchan noticed that the IT giant only partially addressed the flaw. However, the expert discovered that it is still possible to exploit the flaw using a different protocol, from file:// to FiLe://, to execute the embedded commands.
“A vulnerability in the way macOS processes
inetloc files causes it to run commands embedded inside, the commands it runs can be local to the macOS allowing the execution of arbitrary commands by the user without any warning / prompts.” reads the SSD Secure Disclosure advisory. “Newer versions of macOS (from Big Sur) have blocked the file:// prefix (in the com.apple.generic-internet-location) however they did a case matching causing File:// or fIle:// to bypass the check.”
The researcher also PoC exploit code for this issue and a video demo:
According to BleepingComputer, at the time of this writing, the PoC code has a detection rate of zero VirusTotal.
(SecurityAffairs – hacking, zero-day)