Resources

People often ask me "How did you learn how to hack?" The answer: by reading. This page is a collection of the blog posts and other articles that I have accumulated over the years of my journey. Enjoy!

Zero-Click Calendar invite — Critical zero-click vulnerability chain in macOS

Mikko Kenttala, posted 1 year ago
  • macOS Calendar is paired with all of the other macOS services like Mail. The author found a bug in it that leads to RCE, which is terrifying. They don't just show the bug - they also show how to steal photos with it!
  • Calendar invites can have attachments. When the attachment name is used as part of a file path, it is not sanitized, giving a classic directory traversal, which I cannot believe actually happened in something this important. That yields an arbitrary file write, or an arbitrary file delete when the event/attachment is deleted.
  • Gaining RCE from this was not an easy task and required writing many files and using the Open File functionality of Calendar. First, they create a calendar entry that has Siri Suggested content; this will open other injected files later. The next attachment converts old calendar formats to the new format to make sure the attack will work.
  • The next attachment is a .dmg file. This dmg contains a background image that points to an external Samba server. For whatever reason, even though the dmg carries the quarantine flag, its contents are not subject to quarantine. The next injected file opens a URL served from the Samba share mounted earlier, which points at an app. Finder will attempt to open this application, indexing the file and registering a custom URL type.
  • The final file (triggered by the Siri events mentioned before) opens the custom URL that was just registered. When this URL is opened, it executes the binary! This is possible because, again for whatever reason, the quarantine flag is not set on the file loaded from Samba. When the file is executed, it pops a shell or does something more interesting, like stealing photos...
  • TCC in macOS should prevent access to photos. However, they found a clever trick to steal them anyway. Using the RCE, the configuration of Photos can be changed to control the iCloud settings. This lets them control the location the files are downloaded to; when the sync happens, they can recover the sensitive files.
  • An amazing blog post! Many of the techniques for taking this to zero-click RCE were interesting and specific to macOS, which probably took a lot of reverse engineering. Using the Siri autoloading to open links, Samba-downloaded files not being quarantined, and forcing the indexing of the custom URI were all awesome finds. The bug was simple but the exploitation was not!
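The root bug above is the everyday one: an attacker-controlled attachment name spliced straight into a filesystem path. To make the defender's side of it concrete, here is an added Python illustration (my own, not code from Mikko Kenttala's post or from macOS) that puts the naive join next to a checked version. The base directory and attachment names are constructed for the demo; nothing is written to disk, only paths are computed.

```python
"""Attachment names used as path components: naive join versus a checked join.
Added illustration; the directory and file names below are constructed."""
import os
from pathlib import Path

# Constructed stand-in for wherever an app stores incoming attachments.
ATTACHMENT_DIR = "/tmp/calendar-attachments"


def naive_attachment_path(base_dir: str, attachment_name: str) -> str:
    """The flawed pattern: the untrusted name is trusted as a path piece.
    A name containing '../' (or an absolute path) walks out of base_dir."""
    return os.path.normpath(os.path.join(base_dir, attachment_name))


def escapes_base(base_dir: str, full_path: str) -> bool:
    """Detection helper: True when full_path lies outside base_dir after
    normalisation. Useful for auditing paths an app is about to touch."""
    base = os.path.normpath(os.path.abspath(base_dir))
    target = os.path.normpath(os.path.abspath(full_path))
    return os.path.commonpath([base, target]) != base


def safe_attachment_path(base_dir: str, attachment_name: str) -> str:
    """Hardened version: accept only a single path component, then verify
    the resolved result still sits directly inside base_dir."""
    if attachment_name in ("", ".", ".."):
        raise ValueError("empty or dot-only attachment name")
    if any(ch in attachment_name for ch in ("/", "\\", "\x00")):
        raise ValueError("attachment name contains a path separator or NUL")
    base = Path(base_dir).resolve()
    candidate = (base / attachment_name).resolve()
    # Belt and braces: even after the character filter, confirm containment.
    if candidate.parent != base:
        raise ValueError("attachment name resolves outside the attachment directory")
    return str(candidate)


def is_rejected(base_dir: str, attachment_name: str) -> bool:
    """True when the hardened join refuses the name."""
    try:
        safe_attachment_path(base_dir, attachment_name)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    # Constructed sample names: one benign, two traversal-shaped, one absolute.
    samples = ["invite.ics", "../../Library/evil.txt", "..\\..\\evil.txt", "/etc/hosts"]
    for name in samples:
        naive = naive_attachment_path(ATTACHMENT_DIR, name)
        print(f"{name!r:28} naive -> {naive!s:32} escapes={escapes_base(ATTACHMENT_DIR, naive)}"
              f"  hardened rejects={is_rejected(ATTACHMENT_DIR, name)}")
```

The character filter alone is what most fixes stop at; the containment check on the resolved path is the part worth keeping even when you think the filter is complete, because it catches whatever encoding or normalisation trick the filter did not anticipate.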