Zero-Click RCE Bug in macOS Calendar Exposes iCloud Data

Published: 23/11/2024   Category: security




A researcher bypassed the Calendar sandbox, Gatekeeper, and TCC in a chain attack that allowed for wanton theft of iCloud photos.



A zero-click chain of critical-, medium-, and low-severity vulnerabilities in macOS could have allowed attackers to undermine macOS's brand-name security protections and ultimately compromise victims' iCloud data.
The story begins with a lack of sanitization of files attached to Calendar events. From there, researcher Mikko Kenttälä discovered he could achieve remote code execution (RCE) on targeted systems and access sensitive data — in his experiments, he used iCloud Photos. No step in the process required any user interaction, and neither Apple's Gatekeeper nor its Transparency, Consent, and Control (TCC) protections could stop it.
The all-important first bug in the chain — CVE-2022-46723 — was awarded a critical 9.8 out of 10 CVSS score back in February 2023.
It wasn't just dangerous, it was simple to exploit. An attacker could simply send the victim a calendar invite containing a malicious file. Because macOS failed to properly vet the filename, the attacker could name it arbitrarily, with a variety of interesting effects.
For example, they could name it with the goal of deleting a specific, preexisting system file. If they gave it the same name as an existing file, then deleted the calendar event through which they delivered it, the system would delete both the malicious file and the original file it mimicked, for whatever reason.
More dangerous was the potential for an attacker to perform path traversal: naming the attachment in such a way that it escaped the Calendar sandbox, where attached files are supposed to be saved, and landed in other locations on the system.
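The root cause described above is an attachment filename that is trusted as a path. The following is an added example (not code from the article or from Apple) of the check a sandboxed attachment handler should apply before writing: it normalizes the supplied name and confirms the resolved path is still inside the sandbox directory. The `ATTACHMENT_DIR` path and the sample filenames are constructed for illustration, not real macOS locations.

```python
import posixpath
from urllib.parse import unquote

# Hypothetical sandbox directory where attachments are meant to land
# (constructed for this example; not the real macOS Calendar path).
ATTACHMENT_DIR = "/sandbox/Calendar/Attachments"


def resolve_attachment_path(filename, base_dir=ATTACHMENT_DIR):
    """Return the path an attachment called `filename` would be written to,
    or None if that path would escape `base_dir`.

    The name is normalized first (URL decoding, backslashes, "..", absolute
    paths) and the result is then checked lexically against base_dir, so the
    function runs offline without touching the filesystem.
    """
    name = unquote(filename)               # "%2e%2e/" -> "../"
    name = name.replace("\\", "/")         # treat backslash as a separator too
    if name.startswith("/"):
        return None                        # absolute names escape by definition
    candidate = posixpath.normpath(posixpath.join(base_dir, name))
    base = posixpath.normpath(base_dir)
    # Must be strictly below base; "." or "" would resolve to base itself.
    if candidate == base or not candidate.startswith(base + "/"):
        return None
    return candidate


def scan_attachment_names(names):
    """Split a list of attachment filenames into (accepted, rejected)."""
    accepted, rejected = [], []
    for n in names:
        (accepted if resolve_attachment_path(n) else rejected).append(n)
    return accepted, rejected


# Constructed sample names: benign, plain traversal, URL-encoded traversal,
# absolute path, and a legitimate nested subdirectory.
SAMPLE_NAMES = [
    "agenda.pdf",
    "../../outside.txt",
    "%2e%2e/%2e%2e/outside.txt",
    "/etc/hosts",
    "notes/2024-11/minutes.txt",
]

if __name__ == "__main__":
    ok, bad = scan_attachment_names(SAMPLE_NAMES)
    print("accepted:", ok)
    print("rejected:", bad)
```

A real handler would additionally resolve symlinks on the final path (e.g. with `os.path.realpath`) before writing, since a lexical check alone cannot see a link that already exists inside the sandbox.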
Kenttälä used this arbitrary file write to take advantage of an operating system upgrade (at the time of discovery, macOS Ventura was about to be released). First, he created a file mimicking a Siri-suggested repeating calendar event, hiding alerts that would trigger the execution of further files during a migration. One of those follow-on files was responsible for migrating old calendar data to the new system. Another allowed him to mount a network share from Samba, the open source implementation of the Server Message Block (SMB) protocol, without triggering a security flag. Another two files triggered the launch of a malicious app.
The malicious app snuck in without raising any alarm, thanks to a bypass in macOS's Gatekeeper security feature — the control that stands between Mac systems and untrusted apps. Labeled CVE-2023-40344, it was assigned a medium-severity 5.5 out of 10 CVSS rating back in January 2024.
Gatekeeper, though, wasn't the only signature macOS security feature undermined in the attack. Using a script launched by the malicious app, Kenttälä successfully replaced the configuration file associated with iCloud Photos with a malicious one. This re-pointed Photos to a custom path, outside the protection of TCC, the mechanism macOS uses to ensure apps don't improperly access sensitive data and resources. The re-pointing, CVE-2023-40434 — with a low 3.3 CVSS severity score — opened the door to wanton theft of photos, which could be exfiltrated to foreign servers with trivial modifications.
"MacOS's Gatekeeper and TCC are critical for ensuring only trusted software is installed and managing access to sensitive data," explains Callie Guenther, senior manager of cyber threat research for Critical Start. "However, the zero-click vulnerability in macOS Calendar showed how attackers can bypass these protections by exploiting sandbox processes." Guenther notes, though, that macOS isn't uniquely vulnerable to these types of attacks: "Similar vulnerabilities exist in Windows, where Device Guard and SmartScreen can be bypassed using techniques like privilege escalation or exploiting kernel vulnerabilities."
"For example," she adds, "attackers have used DLL hijacking or sandbox escape methods to defeat Windows security controls. Both operating systems rely on robust security frameworks, but persistent adversaries — especially APT groups — find ways to bypass these defenses."
Apple acknowledged and patched the many vulnerabilities in the exploit chain at various points between October 2022 and September 2023.
