Mikko Kenttala, founder and CEO of SensorFu, found a zero-click vulnerability in Apple Mail that allowed an attacker to add or modify any file inside Mail’s sandbox environment.
This could lead to many bad things including unauthorized disclosure of sensitive information to a third party.
An attacker can modify the victim’s Mail configuration including mail redirects which enables the takeover of the victim’s other accounts via password resets.
This vulnerability can be used to change the victim’s configuration so that the victim propagates the attack to their correspondents in a worm-like fashion.
A logic issue was addressed with improved state management. This issue is fixed in macOS Catalina 10.15.6, Security Update 2020-004 Mojave, Security Update 2020-004 High Sierra. Processing a maliciously crafted email may lead to writing arbitrary files.
The researcher said he discovered the bug (CVE-2020-9922) by sending test messages and tracing the Mail process’s syscalls.
He found that “Mail has a feature which enables it to automatically uncompress attachments which have been automatically compressed by another Mail user.”
“In the valid use case, if the user creates an email and adds a folder as an attachment, it will be automatically compressed with ZIP and x-mac-auto-archive=yes; is added to the MIME headers. When another Mail user receives this email, the compressed attachment data is automatically uncompressed.”
To exploit the bug, an attacker sends the victim an email that includes two ZIP files as attachments. As soon as the email is received, Mail parses it to find any attachments carrying the x-mac-auto-archive=yes header and uncompresses those files automatically.
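As an added illustration of the header described above (not code from the article or from SensorFu), the following Python scanner flags incoming attachments that Mail would auto-uncompress and lists any ZIP members whose path would land outside the extraction directory. It assumes the marker is carried as a Content-Type parameter; the generic path check is a defensive heuristic of mine, since the article does not state how the write escapes, and the sample message is constructed inline.

```python
import email
import io
import zipfile
from email import policy
from email.message import EmailMessage

# Marker Mail adds to auto-compressed folder attachments (assumed to be a Content-Type parameter).
AUTO_ARCHIVE_PARAM = "x-mac-auto-archive"


def unsafe_zip_entries(zip_bytes):
    """Return member names with an absolute path or a '..' component (generic ZIP-safety check)."""
    unsafe = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for name in zf.namelist():
            parts = name.replace("\\", "/").split("/")
            if parts[0] == "" or ".." in parts:
                unsafe.append(name)
    return unsafe


def scan_message(raw_bytes):
    """Report every attachment Mail would auto-uncompress, with its unsafe ZIP members."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        if str(part.get_param(AUTO_ARCHIVE_PARAM, failobj="")).lower() != "yes":
            continue  # ordinary attachment: Mail does not unpack it on receipt
        payload = part.get_payload(decode=True)
        entries = unsafe_zip_entries(payload) if zipfile.is_zipfile(io.BytesIO(payload)) else []
        findings.append({"filename": part.get_filename(), "unsafe_entries": entries})
    return findings


def build_sample(entry_names, auto_archive=True):
    """Construct a sample message (not a captured one) carrying a single ZIP attachment."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name in entry_names:
            zf.writestr(name, b"sample")  # constructed member content
    msg = EmailMessage()
    msg["From"] = "sender@example.test"  # constructed addresses
    msg["To"] = "recipient@example.test"
    msg.set_content("see attached")
    params = {AUTO_ARCHIVE_PARAM: "yes"} if auto_archive else None
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip",
                       filename="folder.zip", params=params)
    return msg.as_bytes()
```

Running scan_message over a gateway's raw messages gives a simple detection signal: any auto-archive attachment with a non-empty unsafe_entries list deserves quarantine and review.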
This arbitrary write access lets the attacker manipulate any of the files in Mail’s sandbox, which can expose sensitive data to a third party by manipulating the Mail application’s configuration.
One of the available configuration options is the user’s signature, which could be used to make this vulnerability wormable. The researcher says there is also a chance that this could lead to a remote code execution (RCE) vulnerability.