Using quickLook daemon as attack vector on MacOSX

In apple developer documentation says:

You can store a Quick Look generator in an application bundle (in or in one of the standard file-system locations:
  • ~/Library/QuickLook—third party generators, accessible only to logged-in user
  • /Library/QuickLook—third party generators, accessible to all users of the system
  • /System/Library/QuickLook—Apple-provided generators, accessible to all users of the system

QuickLook search for plugins in HOME directory (full access from user) and have a mecansims for overwrite the overlpapped plugins (if two pluggins manage the same filetype, the last found is in fact the thumb generator)

This is an easy to use attack vector for malware, saving their code in a quicklook plugin instead of classic  application.

Finder uses quicklook for icons with function GenerateThumbnailForURL this is an interesting thing to access trasnparently to files of all hard disk, expanding the malware infection...

OSStatus GenerateThumbnailForURL(void *thisInterface, QLThumbnailRequestRef thumbnail, CFURLRef url, CFStringRef contentTypeUTI, CFDictionaryRef options, CGSize maxSize)
FILE * descriptor = NULL;
char * file = "/tmp/thumbnail.txt";
char * hello = "Hello from the GenerateThumbnailForURL";
descriptor = fopen(file, "w");
fwrite(hello, strlen(hello), 1, descriptor);
    return noErr;

Modify the .plist and add the Document type public.plain-text for plain-text preview handling

Simple but functional, when you try to watch a text file, an absurd file is created in /tmp/ directory.

Reference: apple developer documentation of quickLook

Posted at BinaryCell


Popular Posts