Leaking Files With TextEdit
Paulos Yibelo (tweet, Hacker News):
I quickly realized that TextEdit can be tricked into thinking the file opened is an RTF-HTML file even when the file extension is TXT. The ability to inject HTML into a TXT file obviously opened lots of potential attack vectors.
[…]
I found out the CSS property
<style> @import { "url "} </style>
was allowed to load local CSS files. However, the only scheme that worked was file:/// and not even http/s://. While this means we can’t make external requests, it also means we can hit or open other files that are stored locally on the device. This creates a very obvious DoS vulnerability that acts like a blind SSRF by writing a recursive file inclusion or reading files with infinite data streams like /dev/urandom, /dev/zero. A 2kb text file can crash your Mac. COOL, but completely useless.[…]
While they did a good job blocking TextEdit from making external requests, [AutoFS] was the one thing they forgot when they allowed the file:/// scheme: on OS X, file:///net/11.22.33.44/a.css connects to 11.22.33.44.
[…]
By combining the <style> CSS attribute with the <iframedoc> attribute, an attacker can first include an unclosed style tag, embed the contents of the file they want to steal, and then leak the content as dangling parameters to their evil site as soon as the file is opened.
This was addressed in macOS 10.15.1.
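A defender-side check for the markup the write-up describes, added here as example code (not Paulos Yibelo's or Apple's): it scans a .txt file for the HTML/CSS markup that would make TextEdit treat it as RTF-HTML, an @import of a file:/// URL, the AutoFS /net/ path, endless device files such as /dev/urandom, and an unclosed <style> tag. The heuristic names and the sample inputs are constructed for the example.

```python
import re
import sys
from pathlib import Path

# Heuristics taken from the write-up: HTML/CSS markup that makes TextEdit treat a
# .txt file as RTF-HTML, @import of a file:/// URL (the only scheme it honoured),
# the AutoFS /net/<host>/ path that turns a local URL into a network connection,
# device files with endless data, and dangling (unclosed) <style> markup.
PATTERNS = {
    "html-markup": re.compile(r"<\s*(html|style|iframe|meta|link|body)\b", re.I),
    "css-import": re.compile(r"@import\b", re.I),
    "file-url": re.compile(r"file:///", re.I),
    "autofs-net-path": re.compile(r"file:///net/[0-9a-z.\-:\[\]]+", re.I),
    "endless-device": re.compile(r"/dev/(u?random|zero)\b"),
}

MAX_BYTES = 1 << 20  # only the head of a file is needed to spot the markup


def scan_text(data: bytes) -> list:
    """Return the names of every heuristic that matches the given file contents."""
    text = data[:MAX_BYTES].decode("utf-8", errors="replace")
    findings = [name for name, rx in PATTERNS.items() if rx.search(text)]
    # An unclosed <style> is the building block of the dangling-markup leak.
    opens = len(re.findall(r"<\s*style\b", text, re.I))
    closes = len(re.findall(r"<\s*/\s*style\s*>", text, re.I))
    if opens > closes:
        findings.append("unclosed-style")
    return findings


def scan_file(path) -> list:
    """Scan one file on disk; plain text with no markup yields an empty list."""
    return scan_text(Path(path).read_bytes())


if __name__ == "__main__":
    # Usage: python scan_txt.py notes.txt other.txt ...
    for arg in sys.argv[1:]:
        hits = scan_file(arg)
        print(f"{arg}: {'clean' if not hits else ', '.join(hits)}")
```

Any hit is only a reason to inspect the file before opening it in TextEdit; a .txt that legitimately contains HTML snippets will trigger the markup heuristics too.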
Previously: