Wednesday, May 24, 2017

Nylas Mail Command Injection on macOS


Hello!

Today I am going to talk about a vulnerability I found on Nylas Mail (https://nylas.com/nylas-mail/), an open source mail client.

The vulnerability allows a malicious user to run any OS command on the victim's computer by sending a specially named file as an attachment. The name of the attached file should be something like:
$(ls).

This vulnerability can be found in the source code at the following line: https://github.com/nylas/nylas-mail/blob/8499eb51b3bf07096a37a368b37074de909d1a54/packages/client-app/src/flux/stores/file-download-store.es6#L327 and, as you can see, it is related to the thumbnail preview feature on macOS. Nylas downloads the attachment and uses 'qlmanage' to create a preview of the file.

The problem is present in the "escapedPath" variable. As you can see, it comes from:

const filePath = this.pathForFile(file) // (https://github.com/nylas/nylas-mail/blob/8499eb51b3bf07096a37a368b37074de909d1a54/packages/client-app/src/flux/stores/file-download-store.es6#L311)

The "pathForFile" function builds the path from the filename returned by the function "safeDisplayName" (https://github.com/nylas/nylas-mail/blob/8499eb51b3bf07096a37a368b37074de909d1a54/packages/client-app/src/flux/models/file.es6#L73), which is not safe because it doesn't escape the filename correctly to prevent shell command injection.

The characters we can use in the filename are very limited, so we use multiple attachments to build a full exploit for this vulnerability. To do that, we send two files:

File 1. Called pwn.pdf. It contains the code/commands we want to execute, because we cannot put that code in the file name itself (it is just a shell script). In the PoC video, this file contains the following content (just to open the calculator):
open /Applications/Calculator.app/

File 2. This file exploits the vulnerability and executes pwn.pdf. The file name used is:
z$(sleep 5;for f in $(find $HOME$PWD.nylas-mail -name pwn.pdf); do sh $f; done).pdf

With this name, we wait five seconds to ensure that pwn.pdf is downloaded, and then we search for the file in order to execute it, because each attachment is downloaded to ~/.nylas-mail/[random_folder_name]/attachment_name. Since we cannot use "/" in our filename, we use the $PWD environment variable, which should be "/". If it isn't, we could use "." instead of $HOME$PWD.nylas-mail. The execution is much slower, but the file will eventually be executed. If we use ".", the filename should be:
z$(sleep 5;for f in $(find . -name pwn.pdf); do sh $f; done)

The PoC video:





This vulnerability has been reported and fixed in version 2.0.32, which was released a few weeks ago.

I hope you liked this blog post!
See you in the next post, which will be about a few vulnerabilities I discovered in some IoT devices and their remote control apps :P