In my latest exploration into Atlassian Companion, an application for editing Confluence files through desktop applications, I discovered a new remote code execution vulnerability affecting all macOS users.
This exploration was sparked by Wojciech Reguła's informative blog, which highlighted an RCE vulnerability arising from the absence of `.class` files in the app's extensive blocklist of over 350 extensions.
Atlassian's decision not to add the quarantine attribute to files downloaded via the Companion app might be driven by a focus on user convenience, as the quarantine attribute can cause additional steps for users to access their downloaded files.
This class orchestrates all the main functionality, including downloading and storing files and determining which files to block.
The blocklist for macOS integrates several risk categories plus an optional environment variable, COMPANION BLOCK LIST. Notably, even though the blocklist effectively stopped dangerous files, it did so only after storing them on the user's system, which proved valuable for exploitation.
This situation differed from the one described in Reguła's blog: I could download multiple files and selectively determine the applications used to open them.
Among the many obscure file extensions I've examined, I stumbled upon `.fileloc`, a shortcut file used on macOS systems.
It acts as a reference to another file or folder, making it ideal for bypassing blocklists.
Downloading a `.class` file, which, as I mentioned earlier, gets blocked but is still stored on the user's file system, and then downloading and running a `.fileloc` that points to it will result in remote code execution.
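The ordering flaw above (a download is written to disk first and only then checked against the blocklist) is easy to show side by side with the corrected ordering. The following is an added example, not Atlassian Companion's code: the blocklist is a constructed handful of extensions rather than the real 350-plus list, the file contents are constructed bytes, and the audit helper that walks a download directory for blocked files that were nevertheless stored is my own addition for defenders who want to check a Companion download folder.

```python
import os
import tempfile

# Constructed sample blocklist (assumption); the real Companion list is much larger.
BLOCKED_EXTENSIONS = {"class", "jar", "sh", "app", "fileloc"}


def extension_of(filename):
    """Return the lower-cased extension without the dot, or '' if there is none."""
    if "." not in filename:
        return ""
    return filename.rpartition(".")[2].lower()


def is_blocked(filename, blocklist=BLOCKED_EXTENSIONS):
    return extension_of(filename) in blocklist


def store_then_check(dest_dir, filename, data):
    """Flawed ordering described in the post: bytes hit the disk before the
    blocklist is consulted, so a 'blocked' file still persists."""
    path = os.path.join(dest_dir, filename)
    with open(path, "wb") as fh:
        fh.write(data)
    if is_blocked(filename):
        return None  # the caller is told the download was blocked ...
    return path      # ... but for blocked names the file is already on disk


def check_then_store(dest_dir, filename, data):
    """Corrected ordering: reject the name before any bytes touch the file system."""
    if is_blocked(filename):
        return None
    path = os.path.join(dest_dir, filename)
    with open(path, "wb") as fh:
        fh.write(data)
    return path


def find_stored_blocked_files(root, blocklist=BLOCKED_EXTENSIONS):
    """Audit helper: list files under `root` whose extension is on the blocklist.
    Any hit means a 'blocked' download was still written to disk."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if is_blocked(name, blocklist):
                hits.append(os.path.join(dirpath, name))
    return sorted(hits)


def demo():
    """Return (leftover_after_flawed, leftover_after_fixed) for a blocked name."""
    payload = b"\xca\xfe\xba\xbe"  # constructed bytes, not a real class file
    with tempfile.TemporaryDirectory() as tmp:
        store_then_check(tmp, "blocked.class", payload)
        flawed_left = os.path.exists(os.path.join(tmp, "blocked.class"))
    with tempfile.TemporaryDirectory() as tmp:
        check_then_store(tmp, "blocked.class", payload)
        fixed_left = os.path.exists(os.path.join(tmp, "blocked.class"))
    return flawed_left, fixed_left


def audit_demo():
    """Build a constructed download tree and return the blocked file names found."""
    with tempfile.TemporaryDirectory() as tmp:
        sub = os.path.join(tmp, "1111-2222")  # stands in for a per-download UUID folder
        os.makedirs(sub)
        store_then_check(sub, "blocked.class", b"\x00")
        store_then_check(sub, "notes.txt", b"hello")
        return [os.path.basename(p) for p in find_stored_blocked_files(tmp)]


if __name__ == "__main__":
    print("leftover (flawed, fixed):", demo())
    print("audit found:", audit_demo())
```

Running the script prints `(True, False)` for the two orderings and `['blocked.class']` from the audit, which is exactly the gap the post exploits: the validation result and the on-disk state disagree. Pointing `find_stored_blocked_files` at `~/.atlassian-companion/` (with the blocklist the deployment actually uses) is a quick way to check whether such leftovers exist on a machine.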
Unlike symbolic links, the `.fileloc` file requires the absolute path to the target file, and Atlassian Companion generates a random folder inside the `~/.atlassian-companion/` path for every downloaded file.
I needed to find a way to leak both the macOS username and the folder name of the `.class` file.
This led me to an idea: when opening local HTML files, `window.location.href` reflects the full file path, including the macOS username.
Putting this all together: the exploit first downloads a `.class` file, blocked by the extension validation but stored on the user's system.
We retain the folder UUID and download and execute a `.htm` file, which sends back the macOS username.
Initially, I used Automator binaries - essentially, executable files created by Automator - for their ease in quickly developing functional macOS applications.
ScriptEditor2, macOS's built-in Script Editor, could execute these Automator binaries, suggesting a new approach: change the `.class` file to a `.zip` file.
When executed, it will unzip our Automator application onto the user's file system.
Imperva responsibly disclosed both exploits to Atlassian and communicated the issues related to macOS Gatekeeper.
Notably, downloaded files still don't have the quarantine attribute, which could be useful for attackers as a way to bypass macOS Gatekeeper.
This Cyber News was published on www.imperva.com. Publication date: Fri, 15 Dec 2023 14:43:12 +0000