Zero click vulnerability in Apple’s macOS Mail

By Mikko Kenttälä

Story

Technical details

In the legitimate use case, when a user composes an email and attaches a folder, Mail automatically compresses the folder as a zip archive and adds x-mac-auto-archive=yes; to the MIME headers. When another Mail user receives the email, the compressed attachment data is automatically uncompressed.

During my research I found that parts of the uncompressed data are not cleaned from the temporary directory, and that the directory is not unique in the context of Mail. This can be leveraged to get unauthorized write access to ~/Library/Mail and to $TMPDIR using symlinks inside those zipped files.
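The root cause above is an archive whose members are followed as symlinks, or whose names climb out of the extraction directory. Below is an added example (not the author's PoC and not Apple's code) of the pre-extraction audit a receiving application should run: it reads the Unix mode bits stored in each central-directory entry to spot symlink members and resolves every member name against the destination to catch escapes. The sample archive is constructed inline; the destination path /tmp/zcz-dest is an assumption.

```python
import io
import stat
import zipfile
from pathlib import Path
from typing import List


def is_symlink_entry(info: zipfile.ZipInfo) -> bool:
    """True when the central-directory entry carries a Unix symlink mode."""
    return stat.S_ISLNK(info.external_attr >> 16)


def escapes_destination(dest: Path, name: str) -> bool:
    """True when the member name resolves outside dest (absolute path or '..')."""
    root = dest.resolve()
    target = (dest / name).resolve()
    return target != root and root not in target.parents


def audit_archive(data: bytes, dest_dir: str) -> List[str]:
    """Return findings for members that must not be extracted into dest_dir."""
    dest = Path(dest_dir)
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if is_symlink_entry(info):
                # The body of a symlink member is its link target, not file data.
                link_target = zf.read(info).decode(errors="replace")
                findings.append(f"symlink {info.filename} -> {link_target}")
            if escapes_destination(dest, info.filename):
                findings.append(f"path escape {info.filename}")
    return findings


def build_sample() -> bytes:
    """Constructed sample (not from the article): benign file, symlink member, '..' member."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("notes.txt", "hello")
        link = zipfile.ZipInfo("out")
        link.create_system = 3  # Unix origin, so the high mode bits are meaningful
        link.external_attr = (stat.S_IFLNK | 0o777) << 16
        zf.writestr(link, "../../elsewhere")
        zf.writestr("../escape.txt", "x")
    return buf.getvalue()


if __name__ == "__main__":
    for finding in audit_archive(build_sample(), "/tmp/zcz-dest"):
        print(finding)
```

Extraction should be refused, or the offending members skipped, whenever the audit returns anything; a per-message unique temporary directory that is removed after processing closes the shared-directory half of the bug.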

Here is what happens

1st stage

2nd stage

In my example case I wrote new Mail rules for the Mail application. With that you can add an auto-forward rule to the victim’s Mail application.

Mail/ZCZPoC

Mail/V7/MailData/RulesActiveState.plist

Mail/V7/MailData/SyncedRules.plist

Mail/ZCZPoC includes just a plaintext file which will be written to ~/Library/Mail.

Overwrite Mail rule list

The main job of RulesActiveState.plist is to activate our rule from SyncedRules.plist.

    <dict>
        <key>0C8B9B35-2F89-418F-913F-A6F5E0C8F445</key>
        <true/>
    </dict>

SyncedRules.plist contains a rule that matches “AnyMessage”; in this PoC the rule makes the Mail application play the Morse sound whenever any message is received.

    <key>Criteria</key>
    <array>
        <dict>
            <key>CriterionUniqueId</key>
            <string>0C8B9B35-2F89-418F-913F-A6F5E0C8F445</string>
            <key>Header</key>
            <string>AnyMessage</string>
        </dict>
    </array>
    <key>SoundName</key>
    <string>Morse</string>

Instead of playing the Morse sound, this could be, e.g., a forwarding rule that leaks sensitive email data.

Impact

There is also a chance that this could lead to a remote code execution (RCE) vulnerability, but I didn’t go that far.

Timeline

2020-05-24: PoC done and reported to Apple

2020-06-04: Catalina 10.15.6 Beta 4 with hotfix released

2020-07-15: Catalina 10.15.6 Update with hotfix released

2020-11-12: Credits released (CVE-2020-9922)

2021-03-30: Bug Bounty is still being evaluated

Thanks to the fellow researchers who have shared their findings and knowledge, and thanks to Apple for the quick fixes. Huge thanks to my colleagues who helped me with this writeup! :)

About me

Twitter: https://twitter.com/Turmio_

LinkedIn: https://www.linkedin.com/in/mikkokenttala/

Happy Hacker: http://www.happyhacking.org/