Resources

People often ask me "How did you learn how to hack?" The answer: by reading. This page is a collection of the blog posts and other articles that I have accumulated over the years of my journey. Enjoy!

macOS File Exfiltration via the Calendar - 197

Andy Grant - NCC Group
Posted 5 Years Ago
  • There are two parts to this article; the first part talks about the macOS Calendar, how it works and how the research originated. The second part explains the actual attack.
  • A Mail Event actually has a file URI included in the format. Why!? So, naturally, giving someone a malicious ICS file and convincing them to invite you to that event would then leak whatever file you wanted!
  • But this was not sly enough. So, the author went back to the spec (which is really the theme of the article). The SCHEDULE-FORCE-SEND directive would allow a malicious actor to set someone else as the organizer.
  • Using the directive above, a malicious actor could send a bad ICS file that would steal arbitrary files from your computer (with some caveats).
  • Two main things stood out to me:
    • The amount of knowledge that the author of the article had about the specification. This allowed for the attack to become stealthier and stealthier over time.
    • The bad URI being used was interesting. In how many other places does this exist? Definitely something to look out for in the future.