A critical zero-click vulnerability was discovered in macOS Calendar that enabled attackers to manipulate files within the application’s sandbox. By exploiting this flaw, malicious actors could create or remove arbitrary files, potentially leading to the execution of harmful code.
This vulnerability posed a significant threat to user security because it could be chained with other vulnerabilities, such as the one in Photos, to compromise sensitive iCloud Photos data. Apple addressed these security issues through updates released between October 2022 and September 2023.
The calendar invite vulnerability CVE-2022-46723 allows attackers to write and delete arbitrary files on a victim’s macOS device. By sending a malicious calendar invite whose filename is specially crafted, an attacker can exploit a flaw in the filename sanitization process and save files to arbitrary locations outside the intended directory.
This can lead to the creation of new files, the deletion of existing files, and further attacks built on top of it. The vulnerability was present in macOS Monterey 12.5 and has been patched in macOS Ventura 13.0.
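The root cause described above is a filename that is not reduced to a single safe path component before being joined to the attachment directory. The following Python is an added example (not Apple's code and not from the researcher's write-up) that shows a naive join alongside a hardened version which strips traversal components and then verifies, after path resolution, that the result still lies inside the intended directory. The attachment directory path and all sample filenames are constructed for the example.

```python
import os
import posixpath
import re

# Hypothetical attachment directory for this example (an assumption, not a real macOS path).
ATTACHMENT_DIR = "/tmp/calendar-attachments"


def naive_join(base_dir: str, untrusted_name: str) -> str:
    """The weak pattern: trust the sender's filename and join it as-is.

    A name containing '../' segments, or an absolute path, escapes base_dir."""
    return os.path.join(base_dir, untrusted_name)


def sanitize_filename(untrusted_name: str) -> str:
    """Reduce an untrusted filename to one conservative path component."""
    # Normalise Windows-style separators so basename() sees every separator.
    name = untrusted_name.replace("\\", "/")
    # Keep only the last component; this discards directories and '../' segments.
    base = posixpath.basename(name)
    # Drop NUL bytes and other control characters that can truncate or confuse path APIs.
    base = "".join(ch for ch in base if ch.isprintable())
    # Strip leading dots: '..' must not survive, and hidden files are not wanted either.
    base = base.lstrip(".")
    # Allow only a small character set; replace everything else.
    base = re.sub(r"[^A-Za-z0-9._ -]", "_", base)
    if not base:
        base = "attachment"
    # Most filesystems cap a component at 255 bytes; keep well inside that.
    return base[:255]


def is_within(base_dir: str, path: str) -> bool:
    """True when the resolved path sits inside the resolved base directory."""
    base_real = os.path.realpath(base_dir)
    target_real = os.path.realpath(path)
    return os.path.commonpath([base_real, target_real]) == base_real


def resolve_within(base_dir: str, untrusted_name: str) -> str:
    """Hardened pattern: sanitise first, then re-check containment as defence in depth."""
    candidate = os.path.join(os.path.realpath(base_dir), sanitize_filename(untrusted_name))
    if not is_within(base_dir, candidate):
        raise ValueError(f"refusing path outside attachment directory: {untrusted_name!r}")
    return candidate


if __name__ == "__main__":
    # Constructed sample filenames an invite might carry.
    for sample in ["report.pdf", "../../../Library/evil.sh", "/etc/passwd", "..", "a\x00b.txt"]:
        weak = naive_join(ATTACHMENT_DIR, sample)
        print(f"{sample!r:32} naive -> {weak!r:50} inside={is_within(ATTACHMENT_DIR, weak)}")
        print(f"{'':32} safe  -> {resolve_within(ATTACHMENT_DIR, sample)!r}")
```

The containment check in `is_within` is deliberately kept even though `sanitize_filename` already removes directory components: if the sanitizer is later relaxed, the resolved-path comparison still refuses anything that lands outside the attachment directory.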
The exploit leverages a previously discovered arbitrary file write vulnerability to gain remote code execution on macOS Ventura. By injecting three files into the calendar, the attacker can trigger a chain reaction that leads to the execution of malicious code.
The first file contains a calendar event with an alert that opens the second file, which initiates the migration of existing calendars, while the third file, a disk image, is automatically mounted and opened when the alert is triggered.
According to Mikko, this disk image contains a reference to a malicious file on an external Samba server, which is executed without being quarantined, granting the attacker remote code execution.
The attack chain combines a series of files with a mounted Samba share to launch a malicious application without user interaction. It starts with calendar alerts opening files, which trigger the mounting of a Samba share and then reference a URL within the mounted volume.
The chain relies on the fact that the application inside the mounted share carries no quarantine flag, which allows it to register a custom URL handler. Finally, a subsequent calendar alert containing a URL with this custom scheme launches the malicious application.
By manipulating Photos’ configuration, the exploit redirects the System Photo Library to a location that bypasses TCC’s protection, which allows the attacker to access private pictures stored on iCloud, despite the intended restrictions designed to safeguard user privacy.
An attacker can exploit the Photos application by creating a configuration file that points Photos to a malicious library (/var/tmp/mypictures/Syndication.photoslibrary), which is imported using the “defaults import” command.
When Photos is launched with this configuration, iCloud sync will be enabled and the user’s original photos will be downloaded to an unprotected directory (/var/tmp/PoCLoot$RANDOM/). The attacker can then steal this data or upload it to external servers.
A critical arbitrary file write and delete vulnerability in the Calendar sandbox was reported in August 2022. Although it was fixed in October, researchers later demonstrated its potential for Gatekeeper evasion and iCloud Photos access. Despite multiple fixes and credits for related vulnerabilities, a bounty for the original Calendar vulnerability remains unclaimed.