{"id":22629,"date":"2018-09-04T15:05:37","date_gmt":"2018-09-04T19:05:37","guid":{"rendered":"https:\/\/mjtsai.com\/blog\/?p=22629"},"modified":"2024-10-21T14:14:53","modified_gmt":"2024-10-21T18:14:53","slug":"remote-mac-exploitation-via-custom-url-schemes","status":"publish","type":"post","link":"https:\/\/mjtsai.com\/blog\/2018\/09\/04\/remote-mac-exploitation-via-custom-url-schemes\/","title":{"rendered":"Remote Mac Exploitation via Custom URL Schemes"},"content":{"rendered":"<p><a href=\"https:\/\/objective-see.com\/blog\/blog_0x38.html\">Patrick Wardle<\/a>:<\/p>\n<blockquote cite=\"https:\/\/objective-see.com\/blog\/blog_0x38.html\"><p>Once the target visits our malicious website, we trigger the download of an archive (.zip) file that contains our malicious application. If the Mac user is using Safari, the archive will be <i>automatically<\/i> unzipped, as Apple thinks it&rsquo;s wise to automatically open &ldquo;safe&rdquo; files. This fact is paramount, as it means the malicious application (vs. just a compressed zip archive) will now be on the user&rsquo;s filesystem, which will trigger the registration of any custom URL scheme handlers! Thanks Apple!<\/p><p>Now that the malicious app&rsquo;s custom URL scheme is registered (on the target&rsquo;s system), code within the malicious webpage can load or &ldquo;browse&rdquo; to the custom URL. This is easy to accomplish in JavaScript:<\/p><pre>window.location.replace('windshift:\/\/');<\/pre><p>Behind the scenes macOS will look up the handler for this custom URL scheme, which of course is our malicious application (that was just downloaded). Once this lookup is complete, the OS will kindly attempt to launch the malicious application to handle the URL request!<\/p><\/blockquote>","protected":false},"excerpt":{"rendered":"<p>Patrick Wardle: Once the target visits our malicious website, we trigger the download of an archive (.zip) file that contains our malicious application. If the Mac user is using Safari, the archive will be automatically unzipped, as Apple thinks it&rsquo;s wise to automatically open &ldquo;safe&rdquo; files. This fact is paramount, as it means the [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"apple_news_api_created_at":"2018-09-04T19:05:39Z","apple_news_api_id":"c8295406-6dc9-4891-aa7d-787f79c5b447","apple_news_api_modified_at":"2024-10-21T18:14:55Z","apple_news_api_revision":"AAAAAAAAAAAAAAAAAAAABQ==","apple_news_api_share_url":"https:\/\/apple.news\/AyClUBm3JSJGqfXh_ecW0Rw","apple_news_coverimage":0,"apple_news_coverimage_caption":"","apple_news_is_hidden":false,"apple_news_is_paid":false,"apple_news_is_preview":false,"apple_news_is_sponsored":false,"apple_news_maturity_rating":"","apple_news_metadata":"\"\"","apple_news_pullquote":"","apple_news_pullquote_position":"","apple_news_slug":"","apple_news_sections":"\"\"","apple_news_suppress_video_url":false,"apple_news_use_image_component":false,"footnotes":""},"categories":[2],"tags":[2095,465,438,30,1529,504,103,48,489,2673],"class_list":["post-22629","post","type-post","status-publish","format-standard","hentry","category-technology","tag-exploit","tag-gatekeeper","tag-launchservices","tag-mac","tag-macos-10-13","tag-malware","tag-safari","tag-security","tag-url","tag-zip-archive"],"apple_news_notices":[],"_links":{"self":[{"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/posts\/22629","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/comments?post=22629"}],"version-history":[{"count":3,"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/posts\/22629\/revisions"}],"predecessor-version":[{"id":25206,"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/posts\/22629\/revisions\/25206"}],"wp:attachment":[{"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/media?parent=22629"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/categories?post=22629"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/tags?post=22629"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}