{"id":5331,"date":"2024-09-17T16:26:38","date_gmt":"2024-09-17T21:26:38","guid":{"rendered":"https:\/\/www.darkreading.com\/vulnerabilities-threats\/zero-click-rce-bug-macos-calendar-exposes-icloud-data"},"modified":"2024-09-17T16:26:38","modified_gmt":"2024-09-17T21:26:38","slug":"zero-click-rce-bug-in-macos-calendar-exposes-icloud-data","status":"publish","type":"post","link":"https:\/\/ddi.mohflo.net\/index.php\/2024\/09\/17\/zero-click-rce-bug-in-macos-calendar-exposes-icloud-data\/","title":{"rendered":"Zero-Click RCE Bug in macOS Calendar Exposes iCloud Data"},"content":{"rendered":"
<\/a><\/div>\n
<\/div>\n

A zero-click chain of critical-, medium-, and low-severity vulnerabilities in macOS could have allowed attackers to undermine macOS’s brand name security protections and ultimately compromise victims’ iCloud data.<\/span><\/p>\n

The story begins with a lack of sanitization of files attached to Calendar events. From there, researcher Mikko Kentt\u00e4l\u00e4 discovered he could achieve remote code execution (RCE) on targeted systems, and access sensitive data \u2014 in his experiments, he used iCloud Photos. No step in the process required any user interaction, and neither <\/span>Apple’s Gatekeeper<\/a><\/span> nor <\/span>Transparency, Consent, and Control (TCC)<\/a><\/span> protections could stop it.<\/span><\/p>\n

Zero-Click Exploit Chain in macOS<\/h2>\n

The all-important first bug in the chain \u2014 CVE-2022-46723 \u2014 was awarded a “critical” 9.8 out of 10 CVSS score back in February 2023.<\/span><\/p>\n

It wasn’t just dangerous, it was simple to exploit. An attacker could simply send the victim a calendar invite containing a malicious file. Because macOS failed to properly vet the filename, the attacker could name it arbitrarily, to variously interesting effect.<\/span><\/p>\n

For example, they could name it with the goal of deleting a specific, preexisting system file. If they gave it the same name as an existing file, then deleted the calendar event through which they delivered it, the system would delete both the malicious file and the original file it mimicked, for whatever reason.<\/span><\/p>\n

More dangerous was the potential for an attacker to perform <\/span>path traversal<\/a><\/span>, naming their attachment in such a way that would allow it to escape the Calendar’s sandbox, where attached files are supposed to be saved, to other locations on the system.<\/span><\/p>\n

Kentt\u00e4l\u00e4 used this arbitrary file write power to take advantage of an operating system upgrade (at the time of discovery, macOS Ventura was about to be released). First, he created a file mimicking a Siri-suggested repeating calendar event, hiding alerts that would trigger the execution of further files during a migration. One of those follow-on files was responsible for migrating old calendar data to the new system. Another allowed him to mount a network share from Samba, the open source Server Message Block (SMB) protocol, without triggering a security flag. Another two files triggered the launch of a malicious app.<\/span><\/p>\n

Undermining Apple’s Native Security Controls<\/h2>\n

The malicious app snuck in without raising any alarm, thanks to a bypass in macOS’s Gatekeeper security feature \u2014 the thing standing in the way of Mac systems and untrusted apps. Labeled CVE-2023-40344, it was assigned a medium-severity 5.5 out of 10 CVSS rating back in January 2024.<\/span><\/p>\n

Gatekeeper, though, wasn’t the only signature macOS security feature undermined in the attack. Using a script launched by the malicious app, Kentt\u00e4l\u00e4 successfully replaced the configuration file associated with iCloud Photos with a malicious one. This re-pointed Photos to a custom path, outside of the protection of TCC, the protocol macOS uses to ensure apps don’t improperly access sensitive data and resources. The re-pointing, CVE-2023-40434 \u2014 with a “low” 3.3 CVSS severity score \u2014 opened the door to wanton theft of photos, which could be exfiltrated to foreign servers with “trivial modifications.”<\/span><\/p>\n

“MacOS’s Gatekeeper and TCC are critical for ensuring only trusted software is installed and managing access to sensitive data,” explains Callie Guenther, senior manager of cyber threat research for Critical Start. “However, the <\/span>zero-click vulnerability<\/a><\/span> in macOS Calendar showed how attackers can bypass these protections by exploiting sandbox processes.” Guenther notes, though, that macOS isn’t uniquely vulnerable to these types of attacks: “Similar vulnerabilities exist in Windows, where Device Guard and SmartScreen can be bypassed using techniques like privilege escalation or exploiting kernel vulnerabilities.”<\/span><\/p>\n

For example, she adds, “Attackers have used DLL hijacking or sandbox escape methods to defeat Windows security controls. Both operating systems rely on robust security frameworks, but persistent adversaries \u2014 especially APT groups \u2014 find ways to bypass these defenses.”<\/span><\/p>\n

Apple acknowledged and patched the many vulnerabilities in the exploit chain at various points between October 2022 and September 2023.<\/span><\/p>\n

Don’t miss the latest <\/span><\/span>Dark Reading Confidential podcast<\/a><\/span>, where we talk to two cybersecurity professionals who were arrested in Dallas County, Iowa, and forced to spend the night in jail \u2014 just for doing their pen-testing jobs.<\/span><\/span> <\/span><\/span>Listen now!<\/a><\/span><\/p>\n

Source<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"

A zero-click chain of critical-, medium-, and low-severity vulnerabilities in<\/p>\n","protected":false},"author":12,"featured_media":5332,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_jetpack_memberships_contains_paid_content":false,"footnotes":""},"categories":[1],"tags":[809],"class_list":["post-5331","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-uncategorized","tag-dark-reading"],"featured_image_urls":{"full":["https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2024\/09\/zero-click-rce-bug-in-macos-calendar-exposes-icloud-data-scaled.jpg?fit=2560%2C1440&ssl=1",2560,1440,false],"thumbnail":["https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2024\/09\/zero-click-rce-bug-in-macos-calendar-exposes-icloud-data-scaled.jpg?resize=150%2C150&ssl=1",150,150,true],"medium":["https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2024\/09\/zero-click-rce-bug-in-macos-calendar-exposes-icloud-data-scaled.jpg?fit=300%2C169&ssl=1",300,169,true],"medium_large":["https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2024\/09\/zero-click-rce-bug-in-macos-calendar-exposes-icloud-data-scaled.jpg?fit=640%2C360&ssl=1",640,360,true],"large":["https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2024\/09\/zero-click-rce-bug-in-macos-calendar-exposes-icloud-data-scaled.jpg?fit=640%2C360&ssl=1",640,360,true],"1536x1536":["https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2024\/09\/zero-click-rce-bug-in-macos-calendar-exposes-icloud-data-scaled.jpg?fit=1536%2C864&ssl=1",1536,864,true],"2048x2048":["https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2024\/09\/zero-click-rce-bug-in-macos-calendar-exposes-icloud-data-scaled.jpg?fit=2048%2C1152&ssl=1",2048,1152,true],"chromenews-featured":["https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2024\/09\/zero-click-rce-bug-in-macos-calendar-exposes-icloud-data-scaled.jpg?fit=1024%2C576&ssl=1",1024,576,true],"chromenews-large":["https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2024\/09\/zero-click-rce-bug-in-macos-calendar-exposes-icloud-data-scaled.jpg?resize=825%2C575&ssl=1",825,575,true],"chromenews-medium":["https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2024\/09\/zero-click-rce-bug-in-macos-calendar-exposes-icloud-data-scaled.jpg?resize=590%2C410&ssl=1",590,410,true]},"author_info":{"display_name":"Dark Reading","author_link":"https:\/\/ddi.mohflo.net\/index.php\/author\/darkreading\/"},"category_info":"Uncategorized<\/a>","tag_info":"Uncategorized","comment_count":"0","jetpack_featured_media_url":"https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2024\/09\/zero-click-rce-bug-in-macos-calendar-exposes-icloud-data-scaled.jpg?fit=2560%2C1440&ssl=1","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/posts\/5331","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/users\/12"}],"replies":[{"embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/comments?post=5331"}],"version-history":[{"count":0,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/posts\/5331\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/media\/5332"}],"wp:attachment":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/media?parent=5331"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/categories?post=5331"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/tags?post=5331"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}