Thursday, June 4, 2020

macOS Calendar Exfiltration

Andy Grant (via Wojciech Reguła):

Per the specification, an event can have URI-specified attachments, but when such an event is exported from Calendar, such as an attachment to an email or sent as a meeting invite, the files are embedded into the resultant ICS file. This makes sense—how else would the receiver get the attachments? However, an attacker can combine this behavior with a little-known specification directive in order to silently exfiltrate files from a user’s machine.


Using SCHEDULE-FORCE-SEND I was able to create an ICS file that described an event wherein my target user was the organizer (required for Calendar to send an invite after import) and I was an attendee, that included one or more attachments by file:// URI, and, when imported into Calendar, immediately sent (in the background) a meeting invite back to me that included the target user’s files embedded inside. The only user interaction required was for the victim to open the event in Calendar—such as by double-clicking it in an email. Or, in other words, a “1-click” file exfiltration.


Some target files would be embedded while others would not. This is due to Calendar being a sandboxed application. Calendar can still access a number of sensitive files though, such as the user’s calendars, contacts, and keychains databases.

It’s mitigated in macOS 10.15.5. I wonder if some of these services will eventually be moved out of process, e.g. so that apps can query the Contacts database without receiving permission to read the database file itself.
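A defensive check for the pattern described above, as an added example that is not part of the original post or the quoted write-up: it scans an ICS document for `ATTACH` properties carrying `file:` URIs and for the `SCHEDULE-FORCE-SEND` parameter, undoing RFC 5545 line folding first so a value split across lines is still caught. The sample calendar, addresses, path and function names are constructed for illustration.

```python
import re

# Constructed sample (not from the original post): a folded ATTACH line and a
# SCHEDULE-FORCE-SEND parameter; addresses and the path are placeholders.
SAMPLE_ICS = (
    "BEGIN:VCALENDAR\r\n"
    "BEGIN:VEVENT\r\n"
    "SUMMARY:Constructed sample\r\n"
    "ORGANIZER:mailto:recipient@example.invalid\r\n"
    "ATTENDEE;SCHEDULE-FORCE-SEND=REQUEST:mailto:sender@example.invalid\r\n"
    "ATTACH:fi\r\n"
    " le:///placeholder/path\r\n"
    "ATTACH:https://example.invalid/agenda.pdf\r\n"
    "END:VEVENT\r\n"
    "END:VCALENDAR\r\n"
)

def unfold(text):
    """Undo RFC 5545 line folding (line break followed by one space or tab)."""
    return re.sub(r"\r?\n[ \t]", "", text).splitlines()

def split_content_line(line):
    """Split 'NAME;PARAM=VAL:value' at the first ':' outside double quotes."""
    in_quotes = False
    for i, ch in enumerate(line):
        if ch == '"':
            in_quotes = not in_quotes
        elif ch == ":" and not in_quotes:
            head, value = line[:i], line[i + 1:]
            # Split parameters on ';' only when it is outside a quoted value.
            name, *params = re.split(r';(?=(?:[^"]*"[^"]*")*[^"]*$)', head)
            return name.upper(), [p.upper() for p in params], value
    return line.upper(), [], ""

def scan_ics(text):
    """Return (rule, unfolded_line) findings for an ICS document."""
    findings = []
    for line in unfold(text):
        name, params, value = split_content_line(line)
        if name == "ATTACH" and value.strip().lower().startswith("file:"):
            findings.append(("local-file-attachment", line))
        if any(p.split("=", 1)[0] == "SCHEDULE-FORCE-SEND" for p in params):
            findings.append(("schedule-force-send", line))
    return findings

if __name__ == "__main__":
    for rule, line in scan_ics(SAMPLE_ICS):
        print(f"{rule}: {line}")
```

A check like this fits a mail gateway or attachment filter that quarantines or strips flagged invites before they reach a calendar client.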

