Full Report
macOS Calendar is paired with all of the other macOS services like Mail. The author found a bug in it to get RCE, which is terrifying. They don't just show the bug - they show how to steal photos too! Calendar invites can have attachments. When the attachment name is used as part of a path, it is not sanitized. This gives us a classic directory traversal, which I cannot believe actually happened in something this important. This gives us an arbitrary file write, or an arbitrary file delete if the event/attachment is deleted.

Gaining RCE from this was not an easy task and required writing many files and using the Open File functionality of Calendar. First, they create a calendar entry that has Siri Suggested content. This will open other injected files in the future. The next attachment converts old calendar formats to the new format to make sure this attack will work. The next attachment is a .dmg file. This dmg contains a background image that points to an external Samba server. For whatever reason, even though this has the quarantine flag, it will not be subject to quarantine. The next injected file is used to open a URL, triggered from the Samba mount from before, to open an app. Finder will attempt to open this application, indexing the file and registering a custom URL type. The final file (triggered by the Siri events mentioned before) will open the custom URL that was just registered. When this URL is opened, it will execute the binary! This is possible because the quarantine flag is not set on the Samba-loaded file, for whatever reason.

When the file is executed, it pops a shell or does something more interesting like stealing photos... TCC in macOS should prevent access to photos. However, they found a clever trick to steal them anyway. By abusing the RCE, the configuration of Photos can be changed to control the iCloud settings. This allows them to control the location where the files are downloaded to! When the sync happens, they can recover the sensitive files.

An amazing blog post! Many of the techniques for taking this to zero-click RCE were interesting and specific to macOS, which probably took a lot of reverse engineering. Using the Siri autoloading to open links, Samba-downloaded links not being quarantined, and forcing the indexing of the custom URI were all awesome finds. The bug was simple but the exploitation was not!
Analysis Summary
# Vulnerability: Zero-Click macOS Calendar Directory Traversal and RCE Chain
## CVE Details
- **CVE ID:** CVE-2022-46723
- **CVSS Score:** 9.8 (Critical) - *Estimated based on Zero-Click RCE impact*
- **CWE:** CWE-22 (Improper Limitation of a Pathname to a Restricted Directory)
## Affected Systems
- **Products:** Apple macOS
- **Versions:** Confirmed on macOS Monterey 12.5 and earlier.
- **Configurations:** Systems where the Calendar app is synced with external services (like iCloud or Mail) that can receive unsolicited invitations.
## Vulnerability Description
The core vulnerability is a classic directory traversal flaw in the macOS Calendar application's attachment handling. When a calendar invite is received, it can include attachments via the `ATTACH` property of the ICS file. The application fails to sanitize the `FILENAME` parameter of that property. An attacker can use `../` sequences to escape the intended attachment directory (`~/Library/Calendars/[CalendarID]/Attachments/`) and write files to arbitrary locations within the Calendar sandbox (e.g., `~/Library/Calendars/`). Additionally, deleting the malicious event triggers an arbitrary file delete of the target path.
## Exploitation
- **Status:** PoC described in detail; vulnerability was patched by Apple.
- **Complexity:** High (Requires a multi-stage chain to bypass Gatekeeper and TCC).
- **Attack Vector:** Network (Zero-click via a malicious calendar invitation).
### Exploitation Chain Summary
1. **File Injection:** Use the traversal bug to drop five specific files into the Calendar directory.
2. **Siri Suggestions:** Leverage a "Siri Suggested" calendar file to trigger automated alerts.
3. **Quarantine Bypass:** Open a `.dmg` with a `.DS_Store` pointing to an external Samba server. macOS fails to apply the quarantine flag to mounts from this specific SMB context.
4. **Indexing/URI Registration:** Use a `.url` file to point to an app on the SMB share. Finder indexes the app, registering a custom URL scheme (e.g., `mymiditest://`).
5. **Execution:** A final triggered alert opens the custom URI, executing the non-quarantined binary from the SMB share, achieving RCE.
6. **TCC Bypass:** Post-exploitation, the attacker modifies Photos configurations to redirect the iCloud download location, allowing the theft of synced photos.
## Impact
- **Confidentiality:** High (Access to private photos, iCloud data, and sandbox-protected files).
- **Integrity:** High (Arbitrary file write/delete and execution of malicious binaries).
- **Availability:** High (Ability to delete critical calendar databases or system-level user files).
## Remediation
### Patches
- Apple released fixes for this chain between **October 2022 and September 2023**.
- Users should ensure they are running **macOS Ventura 13.0** or later, where the traversal was initially mitigated.
### Workarounds
- Disable "Automatically retrieve invitations from Mail" in Calendar settings.
- Avoid using "Siri Suggestions" for Calendar.
- Restrict outbound SMB traffic to prevent mounting of rogue external shares.
## Detection
- **Indicators of Compromise:**
  - Unexpected `.calendar`, `.dmg`, or `.url` files appearing in `~/Library/Calendars/`.
  - Unusual Samba (SMB) connections to unknown external IP addresses.
  - Calendar events containing suspicious attachment strings like `FILENAME=../../../`.
- **Detection Methods:** Monitor for file system events in the Calendar library path and inspect `Info.plist` registrations for unauthorized custom URL schemes.
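A scanner for the traversal described under Vulnerability Description and for the `FILENAME=../` indicator listed above, added here as example code that is not from the original post or from Apple's code. It unfolds RFC 5545 line continuations (a folded or quoted `FILENAME` defeats a plain grep), resolves each name the way an unsanitised join would, and flags any that leave the attachment directory; the hardened `safe_attachment_path` shows the corresponding fix. The attachment directory path and the sample invite are constructed placeholders.

```python
import posixpath
import re

# Constructed sample invite (not from the original post): attachment 2 folds a quoted
# FILENAME over two lines (RFC 5545), so grepping for "FILENAME=../" misses it; attachment 3 is benign.
SAMPLE_ICS = (
    "BEGIN:VCALENDAR\r\nBEGIN:VEVENT\r\nUID:constructed-1\r\n"
    "ATTACH;FILENAME=agenda.pdf;FMTTYPE=application/pdf;ENCODING=BASE64;VALUE=BINARY:QUJD\r\n"
    "ATTACH;FILENAME=\"../../Dropped\r\n"
    " .calendar\";ENCODING=BASE64;VALUE=BINARY:QUJD\r\n"
    "ATTACH;FILENAME=..notes.txt;ENCODING=BASE64;VALUE=BINARY:QUJD\r\n"
    "END:VEVENT\r\nEND:VCALENDAR\r\n"
)
ATTACH_DIR = "/Users/victim/Library/Calendars/CAL-ID/Attachments"  # placeholder for the real per-calendar dir
FILENAME_RE = re.compile(r';FILENAME=(?:"([^"]*)"|([^;:]*))', re.IGNORECASE)

def unfold(ics: str) -> list[str]:
    """Undo RFC 5545 line folding: a line beginning with SP or HTAB continues the previous one."""
    lines: list[str] = []
    for raw in ics.splitlines():
        if raw[:1] in (" ", "\t") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines

def attach_filenames(ics: str) -> list[str]:
    """Return the FILENAME parameter (quoted or bare) of every ATTACH property."""
    names: list[str] = []
    for line in unfold(ics):
        m = FILENAME_RE.search(line) if line.upper().startswith("ATTACH") else None
        if m:
            names.append(m.group(1) if m.group(1) is not None else m.group(2))
    return names

def escapes_attachment_dir(filename: str, attach_dir: str = ATTACH_DIR) -> bool:
    """Join with no sanitising, as the unpatched handler did, and report whether the result leaves attach_dir."""
    base = posixpath.normpath(attach_dir)
    target = posixpath.normpath(posixpath.join(attach_dir, filename))  # absolute names replace the base
    return target != base and not target.startswith(base + "/")

def safe_attachment_path(filename: str, attach_dir: str = ATTACH_DIR) -> str:
    """Hardened form: refuse any name whose resolved path leaves the attachment directory."""
    if escapes_attachment_dir(filename, attach_dir):
        raise ValueError(f"attachment name escapes {attach_dir}: {filename!r}")
    return posixpath.normpath(posixpath.join(attach_dir, filename))

def scan_invite(ics: str, attach_dir: str = ATTACH_DIR) -> list[tuple[str, bool]]:
    """(filename, escapes?) for each ATTACH; run over invites from a mail or ICS feed to flag traversal."""
    return [(n, escapes_attachment_dir(n, attach_dir)) for n in attach_filenames(ics)]
```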
## References
- **Vendor Advisory:** Apple Security Updates (October 2022 - September 2023)
- **Technical Blog:** hxxps[://]mikko-kenttala[.]medium[.]com/zero-click-calendar-invite-critical-zero-click-vulnerability-chain-in-macos-a7a434fc887b
- **Video Presentation:** hxxps[://]www[.]youtube[.]com/watch?v=9NlQXLLQrvk