Resources

People often ask me "How did you learn how to hack?" The answer: by reading. This page is a collection of the blog posts and other articles that I have accumulated over the years of my journey. Enjoy!

Zero click Takeover in Apple’s macOS Mail - 442

Mikko Kenttala, posted 4 years ago
  • Apple Mail has a feature that will automatically uncompress attachments when sent from another user. This is done via custom SMTP headers specific to Apple Mail.
  • The author discovered that the path directory information is NOT validated/sanitized when being received by the other user. This is the crux of the vulnerability.
  • The first zip file contains a symlink named Mail that points to the $HOME/Library/Mail directory. Because it is a symlink, the tmp folder for the mail is not cleaned up properly.
  • When the second zip file is uncompressed, files are extracted to the location of this symlink! Because of this, an arbitrary file write vulnerability has been created. Luckily, Apple does keep the application sandboxed.
  • Using this file write vulnerability, the configuration for the Mail app can be altered. With this, it was possible to set up mail auto-forwards to a malicious mail inbox. There is the potential for RCE from this, though.
  • Overall, this is an awesome bug with huge impact. Symlinks are an important attack vector to consider!
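The write-up above turns on an extractor that follows a symlink it previously wrote to disk. The following is an added example (my own code, not from the write-up or from Apple) of the checks a defender's extraction routine should make before writing each zip entry: refuse entries that are themselves symlinks, refuse absolute and parent-traversal names, and refuse any entry whose on-disk path resolves outside the destination, which is exactly the second-stage condition described above. The archive contents, the `Mail` symlink target, and the `outside_Library_Mail` directory are constructed stand-ins, not paths from the original post.

```python
import io
import os
import stat
import tempfile
import zipfile
from pathlib import Path


def is_symlink_entry(info: zipfile.ZipInfo) -> bool:
    """Unix mode bits are stored in the high 16 bits of external_attr."""
    return stat.S_ISLNK(info.external_attr >> 16)


def classify_entry(info: zipfile.ZipInfo, dest: Path):
    """Return None if the entry is safe to write under dest, else a rejection reason."""
    name = info.filename
    if is_symlink_entry(info):
        return "symlink entry"
    if os.path.isabs(name) or name.startswith(("/", "\\")):
        return "absolute path"
    if ".." in Path(name).parts:
        return "parent traversal"
    root = dest.resolve()
    # resolve() follows symlinks that already exist on disk, so an entry written
    # through a previously planted link is caught here even if its name looks clean.
    target = (dest / name).resolve()
    if target != root and root not in target.parents:
        return "resolves outside destination"
    return None


def safe_extract(zip_bytes: bytes, dest: Path):
    """Extract only entries that pass classify_entry; return (extracted, rejected)."""
    extracted, rejected = [], {}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            reason = classify_entry(info, dest)
            if reason:
                rejected[info.filename] = reason
                continue
            out = dest / info.filename
            if info.is_dir():
                out.mkdir(parents=True, exist_ok=True)
            else:
                out.parent.mkdir(parents=True, exist_ok=True)
                out.write_bytes(zf.read(info))
            extracted.append(info.filename)
    return extracted, rejected


def build_constructed_zip() -> bytes:
    """Constructed sample archive: one benign file plus three entries a careful extractor must refuse."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("report/notes.txt", "benign attachment content\n")
        link = zipfile.ZipInfo("Mail")           # symlink entry, as in the write-up
        link.create_system = 3                   # 3 = Unix, so the mode bits are honoured
        link.external_attr = (stat.S_IFLNK | 0o777) << 16
        zf.writestr(link, "/tmp/constructed/Library/Mail")   # constructed link target
        zf.writestr("../escape.txt", "x")
        zf.writestr("/abs.txt", "x")
    return buf.getvalue()


def demo():
    """Run both stages in a temp dir; returns the (extracted, rejected) results of each stage."""
    with tempfile.TemporaryDirectory() as tmp:
        dest = Path(tmp) / "extract"
        dest.mkdir()
        outside = Path(tmp) / "outside_Library_Mail"   # constructed stand-in for a dir outside dest
        outside.mkdir()
        first = safe_extract(build_constructed_zip(), dest)
        # Stage two: assume a symlink did survive in the extraction dir (the situation the
        # write-up describes). An entry beneath it must still be refused.
        (dest / "Mail").symlink_to(outside)
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w") as zf:
            zf.writestr("Mail/Accounts.plist", "<plist/>")
        second = safe_extract(buf.getvalue(), dest)
        return first, second


if __name__ == "__main__":
    for stage in demo():
        print("extracted:", stage[0], "rejected:", stage[1])
```

The order of checks matters: the symlink test comes first because a symlink entry can have a perfectly ordinary name, and the `resolve()` test comes last because it is the only one that consults the filesystem and so catches a link planted by an earlier archive.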