Zero click vulnerability in Apple’s macOS Mail

Zero-Click Zip TL;DR

Story

Technical details

Description

In the valid use case, if the user creates an email and adds a folder as an attachment, Mail automatically compresses the folder with zip and adds x-mac-auto-archive=yes; to the MIME headers. When another Mail user receives this email, the compressed attachment data is automatically uncompressed.

During my research I found that part of the uncompressed data is not cleaned from the temporary directory, and that this directory is not unique in the context of Mail. This can be leveraged to get unauthorized write access to ~/Library/Mail and to $TMPDIR using symlinks inside those zipped files.
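As an added illustration (not code from the original post or from Apple), this is the kind of pre-extraction check a mail client or gateway could apply to an auto-archived attachment: symlink entries and path-traversal names are flagged and skipped, and what remains is extracted only into a fresh, unique directory rather than a shared one. The archive contents, file names and the symlink target are constructed for the example.

```python
import io
import os
import stat
import tempfile
import zipfile


def build_sample_zip() -> bytes:
    """Constructed sample archive: one regular file plus one symlink entry."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("folder/readme.txt", "hello")
        link = zipfile.ZipInfo("folder/link")           # hypothetical entry name
        link.create_system = 3                          # 3 = Unix: external_attr carries mode bits
        link.external_attr = (stat.S_IFLNK | 0o777) << 16
        zf.writestr(link, "../../outside-of-extraction-dir")  # a symlink's body is its target path
    return buf.getvalue()


def unsafe_entries(zip_bytes: bytes) -> list:
    """Return (name, reason) for entries that must not be extracted from an attachment."""
    found = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            mode = info.external_attr >> 16             # Unix mode stored in the high 16 bits
            if stat.S_ISLNK(mode):
                target = zf.read(info).decode("utf-8", "replace")
                found.append((info.filename, "symlink -> " + target))
                continue
            parts = info.filename.replace("\\", "/").split("/")
            if info.filename.startswith("/") or ".." in parts:
                found.append((info.filename, "path escapes extraction directory"))
    return found


def safe_extract(zip_bytes: bytes) -> list:
    """Extract only plain files/dirs into a fresh unique directory; return extracted names."""
    dest = os.path.realpath(tempfile.mkdtemp(prefix="mail-attach-"))  # unique per message
    skip = {name for name, _ in unsafe_entries(zip_bytes)}
    extracted = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.filename in skip:
                continue
            target = os.path.realpath(os.path.join(dest, info.filename))
            if not target.startswith(dest + os.sep):
                continue                                # never write outside dest
            if info.is_dir():
                os.makedirs(target, exist_ok=True)
                continue
            os.makedirs(os.path.dirname(target), exist_ok=True)
            with open(target, "wb") as fh:
                fh.write(zf.read(info))
            extracted.append(info.filename)
    return extracted
```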

Here is what happens

1st stage

2nd stage

In my example case I wrote new Mail rules for the Mail application. With that, you could add an auto-forward rule to the victim’s Mail application.

Mail/ZCZPoC

Mail/V7/MailData/RulesActiveState.plist

Mail/V7/MailData/SyncedRules.plist

Mail/ZCZPoC is just a plaintext file which will be written to ~/Library/Mail.

Overwrite Mail rule list

The main thing in RulesActiveState.plist is to activate our rule from SyncedRules.plist.

<dict>
    <key>0C8B9B35-2F89-418F-913F-A6F5E0C8F445</key>
    <true/>
</dict>

SyncedRules.plist contains a rule that matches “AnyMessage”; the rule in this PoC makes the Mail application play the Morse sound whenever any message is received.

<key>Criteria</key>
<array>
    <dict>
        <key>CriterionUniqueId</key>
        <string>0C8B9B35-2F89-418F-913F-A6F5E0C8F445</string>
        <key>Header</key>
        <string>AnyMessage</string>
    </dict>
</array>
<key>SoundName</key>
<string>Morse</string>

Instead of playing the Morse sound, this could be e.g. a forwarding rule that leaks sensitive email data.

Impact

There is also a chance that this could lead to remote code execution (RCE), but I didn’t go that far.

Timeline

2020-05-24: PoC done and reported to Apple

2020-06-04: Catalina 10.15.6 Beta 4 with hotfix released

2020-07-15: macOS Mojave 10.14.6, macOS High Sierra 10.13.6, macOS Catalina 10.15.5 Update with hotfix released

2020-11-12: Credits released (CVE-2020-9922)

2021-03-30: Bug bounty is still being evaluated

Thanks to the fellow researchers who have shared their findings and knowledge, and thanks to Apple for the quick fixes. Huge thanks to my colleagues who helped me with this writeup! :)

About me

Twitter: https://twitter.com/Turmio_

LinkedIn: https://www.linkedin.com/in/mikkokenttala/

Happy Hacker: http://www.happyhacking.org/

Edit: 2021-04-02: All patched macOS versions added to the timeline. Thanks @theLMGN for the comment.
