Tuesday, September 4, 2018

Remote Mac Exploitation via Custom URL Schemes

Patrick Wardle:

Once the target visits our malicious website, we trigger the download of an archive (.zip) file that contains our malicious application. If the Mac user is using Safari, the archive will be automatically unzipped, as Apple thinks it’s wise to automatically open “safe” files. This fact is paramount, as it means the malicious application (vs. just a compressed zip archive) will now be on the user’s filesystem, which will trigger the registration of any custom URL scheme handlers! Thanks Apple!

Now that the malicious app’s custom URL scheme is registered (on the target’s system), code within the malicious webpage can load or “browse” to the custom URL. This is easy to accomplish in JavaScript:

window.location.replace('windshift://');

Behind the scenes macOS will look up the handler for this custom URL scheme, which of course is our malicious application (that was just downloaded). Once this lookup is complete, the OS will kindly attempt to launch the malicious application to handle the URL request!
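The registration step above is driven by the URL schemes an app bundle declares in its Info.plist. The following audit script is an added example, not code from the post or from Patrick Wardle's research: it walks a directory such as ~/Downloads, reads each bundle's CFBundleURLTypes entries, and reports which custom schemes would be handed to apps that were never installed into a vetted location (the trusted-prefix list and the constructed sample bundles are assumptions made for the example).

```python
# Added audit example; not code from the post or from Patrick Wardle.
# Lists custom URL schemes declared via the standard CFBundleURLTypes /
# CFBundleURLSchemes keys, flagging bundles outside the usual install dirs.
import os, plistlib, tempfile

TRUSTED_PREFIXES = ("/Applications/", "/System/")   # assumption: treat as vetted

def declared_schemes(app_path):
    """Return the lower-cased URL schemes an .app bundle claims, or an empty set."""
    info = os.path.join(app_path, "Contents", "Info.plist")
    try:
        with open(info, "rb") as f:
            plist = plistlib.load(f)
    except (OSError, plistlib.InvalidFileException):
        return set()
    return {s.lower() for t in plist.get("CFBundleURLTypes", [])
            for s in t.get("CFBundleURLSchemes", [])}

def audit_scheme_handlers(search_dirs):
    """Map scheme -> bundle paths for every untrusted .app under search_dirs."""
    findings = {}
    for base in search_dirs:
        for root, dirs, _ in os.walk(base):
            for d in [x for x in dirs if x.endswith(".app")]:
                dirs.remove(d)                      # do not descend into bundles
                app = os.path.join(root, d)
                if app.startswith(TRUSTED_PREFIXES):
                    continue
                for scheme in declared_schemes(app):
                    findings.setdefault(scheme, []).append(app)
    return findings

def build_sample_bundle(base, name, schemes):
    """Constructed fixture: a minimal .app whose Info.plist claims `schemes`."""
    contents = os.path.join(base, name + ".app", "Contents")
    os.makedirs(contents, exist_ok=True)
    plist = {"CFBundleIdentifier": "example." + name,
             "CFBundleURLTypes": [{"CFBundleURLName": name,
                                   "CFBundleURLSchemes": list(schemes)}]}
    with open(os.path.join(contents, "Info.plist"), "wb") as f:
        plistlib.dump(plist, f)

def demo():
    """Stand-in for scanning ~/Downloads: returns {scheme: [bundle names]}."""
    with tempfile.TemporaryDirectory() as downloads:
        build_sample_bundle(downloads, "Archive", ["WindShift"])  # scheme from the post
        build_sample_bundle(downloads, "Plain", [])                # no scheme claims
        found = audit_scheme_handlers([downloads])
        return {s: [os.path.basename(p) for p in apps] for s, apps in found.items()}

if __name__ == "__main__": print(demo())
```

Point `audit_scheme_handlers` at the real Downloads folder to see which freshly downloaded bundles would be launched by a `scheme://` navigation.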


And Omni Group be like “Hold My Drink”…

workflow://run-workflow?name=[name]&input=[input]

I am shocked – shocked! – that ever-so-clever programmers ever-so-cleverly tunnelling ever-so-clever RPC-like behaviors through URLs could possibly create massive and completely foreseen security holes that even the dumbest script kiddie in the world can drive their Winnebago straight through with absolutely zero effort.
