Vendor: Apple Vendor URL: https://www.apple.com/ Versions affected: xar 1.8-dev Systems Affected: macOS versions below 12.0.1 Author: Richard Warren <richard.warren[at]nccgroup[dot]trust> Advisory URL: https://support.apple.com/en-gb/HT212869 CVE Identifier: CVE-2021-30833 Risk: 5.0 Medium CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:N/I:H/A:N Summary XAR is a file archive format used in macOS, and is part of various file formats, including .xar, .pkg, .safariextz, and .xip files. XAR archives … Continue reading Technical Advisory – Apple XAR – Arbitrary File Write (CVE-2021-30833)
A local macOS user or process may be able to modify or replace files executed by Installer. This could allow a low-privileged user or process to gain arbitrary code execution with root privileges, effectively leading to a full system compromise.
Using a carefully crafted calendar event, an attacker can retrieve semi-arbitrary files from a target victim’s macOS system, all the victim has to do is click on an invite.
This post explores the potential abuse of some features within the macOS Calendar application. It covers multiple attack paths that could lead to code execution and discusses the protections Apple has in place to mitigate them.