Critical Zero-Click macOS Vulnerability Chain Exposes iCloud Photos

The original image was generated by OpenAI's DALL-E and edited by the author. Source: OpenAI (September 2024)

Introduction

On August 8, 2022, security researcher Mikko Kenttälä uncovered a zero-click vulnerability in macOS Calendar, which allowed attackers to manipulate calendar invites to perform arbitrary file write and delete operations within the system. This vulnerability, which persisted through several macOS versions, eventually led to remote code execution (RCE) and unauthorized access to iCloud Photos. Apple addressed these vulnerabilities in multiple patches between October 2022 and September 2023.

Report Overview

The vulnerability was first reported by Mikko Kenttälä in August 2022. He discovered that malicious calendar invites could exploit a directory traversal flaw in macOS, which enabled attackers to manipulate calendar attachments. Through this flaw, attackers could bypass certain sandbox restrictions, placing files in unintended locations and eventually escalating the attack to gain full control of the system. This flaw persisted across macOS Monterey and early Ventura betas.

Phase 1: Arbitrary File Write and Delete Vulnerability (CVE-2022-46723)

The initial flaw allowed attackers to send crafted calendar invites with improperly sanitized file attachments. By exploiting a directory traversal vulnerability, attackers could direct a file, such as “PoC.txt,” to be written or deleted outside the intended Calendar attachment folder, affecting other parts of the system. The attack was successful on macOS Monterey 12.5 but appeared to be mitigated in macOS Ventura beta 4.
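A defensive check for the Phase 1 flaw, as an added example that is not code from Apple, the researcher, or the original article: it extracts attachment names from an invite and accepts only a bare file name that stays inside the attachment folder. The `FILENAME` parameter on `ATTACH`, the sample invite, the `/attachments` base directory, and the function names are assumptions made for illustration.

```python
import re
from pathlib import PurePosixPath
from urllib.parse import unquote

# Constructed sample invite (not taken from the report). Carrying the
# attachment name in a FILENAME parameter on ATTACH is an assumption.
SAMPLE_ICS = """BEGIN:VCALENDAR
BEGIN:VEVENT
UID:constructed-1@example.invalid
SUMMARY:Quarterly review
ATTACH;FILENAME=agenda.pdf;FMTTYPE=application/pdf:cid:a1
ATTACH;FILENAME=../../../PoC.txt;FMTTYPE=text/plain:cid:a2
ATTACH;FILENAME=notes/..%2f..%2fPoC.txt;FMTTYPE=text/plain:cid:a3
END:VEVENT
END:VCALENDAR
"""

def attachment_names(ics_text):
    """Unfold RFC 5545 continuation lines, then yield each ATTACH FILENAME."""
    unfolded = re.sub(r"\r?\n[ \t]", "", ics_text)
    for line in unfolded.splitlines():
        if re.match(r"ATTACH[;:]", line, re.I):
            m = re.search(r';FILENAME=("[^"]*"|[^;:]*)', line, re.I)
            if m:
                yield m.group(1).strip('"')

def safe_attachment_path(base_dir, name):
    """Return the path for name under base_dir, or None if the name is unsafe."""
    # Decode first so encoded separators (%2f) cannot slip past the check.
    decoded = unquote(name).replace("\\", "/")
    if not decoded or "\x00" in decoded or decoded.startswith("/"):
        return None
    parts = PurePosixPath(decoded).parts
    # Policy: exactly one path component, and never a directory reference.
    if len(parts) != 1 or parts[0] in (".", ".."):
        return None
    return str(PurePosixPath(base_dir) / parts[0])

def triage(ics_text, base_dir="/attachments"):
    """Map every attachment name in the invite to its safe path or None."""
    return [(n, safe_attachment_path(base_dir, n))
            for n in attachment_names(ics_text)]

if __name__ == "__main__":
    for name, path in triage(SAMPLE_ICS):
        print(f"{name!r:32} -> {path or 'REJECTED'}")
```

Rejecting the name outright, rather than stripping `../` sequences from it, avoids the class of bypass where a partially cleaned name still resolves outside the folder.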

Phase 2: Leveraging Arbitrary File Write to Achieve Remote Code Execution (RCE)

Once the file write vulnerability was exploited, attackers could inject malicious files, including calendar events and configuration files, into the system. When the system upgraded from Monterey to Ventura, these files triggered RCE by opening a file embedded in the malicious calendar invite. Files such as “CalPoCInit.dmg” and “stage1.url” worked in tandem to mount a malicious disk image and execute a payload via Finder.

Phase 3: Accessing iCloud Photos

The final phase of the exploit chain targeted macOS's Photos app. By modifying the System Photo Library configuration, attackers gained access to sensitive user data stored in iCloud. This was accomplished by redirecting the Photos app to a non-TCC-protected directory, allowing the extraction of synchronized iCloud photos to a vulnerable location on the local file system. These files could then be exfiltrated using simple commands like curl.


The vulnerability chain, once fully exploited, could grant attackers access to users' private iCloud Photos without any user interaction, making it a critical threat. Sensitive photos could be copied, modified, or deleted, and the attack could bypass macOS protections such as Gatekeeper and Transparency, Consent, and Control (TCC). All macOS users with affected versions were vulnerable to these exploits, and the potential for large-scale data breaches was significant.

Insights and Analysis

According to Kenttälä, “Before the fixes were implemented, I could send malicious calendar invitations to any Apple iCloud user and steal their iCloud Photos without any user interaction.” His findings highlighted the importance of addressing zero-click vulnerabilities, especially those involving widely used apps like Calendar and Photos.

Users should ensure that their macOS systems are up to date with the latest security patches. Apple has fixed these vulnerabilities in macOS Monterey 12.6.1, Ventura 13.3, and subsequent updates. Users are advised to review and verify any calendar invites received, especially from unknown sources.

This zero-click vulnerability chain is a stark reminder of the risks associated with overlooked security flaws in commonly used applications. Although Apple has issued fixes, the long duration in which this vulnerability existed highlights the need for ongoing vigilance in cybersecurity.

Indicators of Compromise (IOCs)

No specific Indicators of Compromise (IOCs) were provided in the source material.

MITRE ATT&CK Techniques

| Tactic | Technique | ID | Description |
|---|---|---|---|
| Initial Access | Phishing: Spearphishing via Service | T1566.002 | The malicious calendar invites could be considered a form of spearphishing delivered through the iCloud calendar service. |
| Execution | User Execution: Malicious File | T1204.002 | Execution occurred when the user’s system interacted with the calendar invite, leading to remote code execution through file manipulation. |
| Persistence | Event Triggered Execution: Calendar Event | T1546.008 | The use of calendar invites to trigger execution of malicious files is related to event-based persistence mechanisms. |
| Impact | Exfiltration Over Web Service | T1567.002 | The attacker used curl to exfiltrate iCloud photos to an external server, fitting the technique of exfiltrating data over a web service. |

References

Zero-Click Calendar invite — Critical zero-click vulnerability chain in macOS
Critical zero-click vulnerability chain in macOS (patched)