A zero-click security vulnerability in Apple’s macOS Mail would allow a cyberattacker to add or modify any arbitrary file inside Mail’s sandbox environment, leading to a range of attack types.
According to Mikko Kenttälä, founder and CEO of SensorFu, exploitation of the bug could lead to unauthorized disclosure of sensitive information to a third party; the ability to modify a victim’s Mail configuration, including mail redirects which enables takeover of victim’s other accounts via password resets; and the ability to change the victim’s configuration so that the attack can propagate to correspondents in a worm-like fashion.
Though the researcher is just now making the bug’s details available, it was patched in macOS Mojave 10.14.6, macOS High Sierra 10.13.6, macOS Catalina 10.15.5, so users should update accordingly.
Unauthorized Write Access
Kenttälä said he discovered the bug (CVE-2020-9922) by sending test messages and following Mail process syscalls.
He found that “mail has a feature which enables it to automatically uncompress attachments which have been automatically compressed by another Mail user,” he explained. “In the valid use case, if the user creates email and adds the folder as an attachment it will be automatically compressed with ZIP and x-mac-auto-archive=yes; is added to the MIME headers. When another Mail user receives this email, compressed attachment data is automatically uncompressed.”
However, the researcher discovered that parts of the uncompressed data are not removed from the temporary directory – and that the directory serves multiple functions, allowing attackers to pivot within the environment.
“[It] is not unique in context of Mail, this can be leveraged to get unauthorized write access to ~/Library/Mail and to $TMPDIR using symlinks inside of those zipped files,” Kenttälä explained.
Zero-Click Attack Path
To exploit the bug, a cyberattacker could email two .ZIP files as attachments to the victim, according to the analysis. When a user receives the email, the Mail app will parse it to find any attachments with x-mac-auto-archive=yes header in place. Mail will then automatically unpack those files.
“The first .ZIP includes a symlink named Mail which points to victims’ $HOME/Library/Mail and file 1.txt,” said Kenttälä. “The .ZIP gets uncompressed to $TMPDIR/com.apple.mail/bom/. Based on the filename=1.txt.zip header, 1.txt gets copied to the mail director and everything works as expected. However, cleanup is not done right way and the symlink is left in place.”
This left-behind symlink anchors the second stage of the attack.
“The second attached .ZIP includes the changes that you want to do to $HOME/Library/Mail. This will provide arbitrary file write permission to Library/Mail,” the researcher explained. “In my example case I wrote new Mail rules for the Mail application. With that you can add an auto forward rule to the victim’s Mail application.”
This arbitrary write access means that an attacker can manipulate all of the files in $HOME/Library/Mail, he added.
CVE-2020-9922 is rated 6.5 on the CVSS vulnerability-severity scale, making it medium-severity, but the researcher stressed that successful exploitation could “lead to many bad things.”
“As shown, this will lead to exposure of the sensitive data to a third party through manipulating the Mail application’s configuration,” he said. “One of the available configuration options is the user’s signature which could be used to make this vulnerability wormable. There is also a chance that this could lead to a remote code-execution (RCE) vulnerability, but I didn’t go that far.”
Check out our free upcoming live webinar events – unique, dynamic discussions with cybersecurity experts and the Threatpost community:
- April 21: Underground Markets: A Tour of the Dark Economy (Learn more and register!)