There’s a common attack on Windows systems that uses Windows XP’s known-filetype-hiding “feature” (if such it can be called).
By default, the last extension of the filename is hidden, so that example.doc is shown as just example. Nefarious people have exploited this to mask programs as documents: a file called example.doc.exe is displayed as example.doc and looks innocuous to an unsuspecting user—ideal for virus propagation, for example.
Unfortunately, it turns out that something similar is possible on OS X, too.
OS X uses application bundles, which are really just specially-organised directories. By giving a directory the extension .app, OS X will handle it as an application, and run the code inside the bundle when it’s double-clicked. Significantly, the Finder hides the .app extension for applications.
The obvious exploit is to give your application two extensions, in the hope that it will display only the first. Nope. Apple have considered that. The Finder recognises the potential trap. example.jpg.app is displayed with its full name, including the
However, there is a way around this. Unicode contains several characters that look like periods, but aren’t really. By using one of those instead of the first dot, one can fool the OS into thinking that it’s just a normal application.
I have created a proof-of-concept. It looks like a file named monkey.jpg. The application icon is a thumbnail image of a monkey. When run, it opens an image of a monkey, called monkey.jpg, in the Preview application—exactly as a normal JPEG would have done, in order to avoid alerting the user to anything untoward. It then executes some code in the background. In this case, all the code does is to write a file to the desktop, pwned!.txt, explaining what just happened.
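A defender’s check for the trick described above, added here as an example and not part of the original post: it classifies bundle names the way the Finder would show them, flagging a hidden .app whose visible stem ends in a period lookalike plus a document extension. The lookalike set and document-extension list are assumptions of the example (the post names no specific characters); NFKC normalisation catches the compatibility forms of the full stop as well.

```python
import unicodedata

# Constructed list of characters that render like a period but are not
# U+002E FULL STOP. The post names none of them; these are drawn from the
# Unicode confusables data and are an assumption of this example.
PERIOD_LOOKALIKES = {"\u2024", "\uff0e", "\u00b7", "\u2219", "\u0701", "\u0702"}

# Extensions a user would read as a harmless document (assumed list).
DOCUMENT_EXTENSIONS = {"jpg", "jpeg", "png", "gif", "pdf", "txt", "doc"}


def looks_like_period(ch: str) -> bool:
    """True for any non-ASCII character a reader would take for '.'."""
    if ch == ".":
        return False
    return ch in PERIOD_LOOKALIKES or unicodedata.normalize("NFKC", ch) == "."


def analyze_bundle_name(name: str) -> dict:
    """Classify a filename by what the Finder would display.

    The Finder hides a trailing '.app', so the stem is what the user sees.
    """
    if not name.endswith(".app"):
        return {"is_app": False, "displayed_as": name, "suspicious": False, "reason": ""}
    stem = name[: -len(".app")]
    lookalikes = [ch for ch in stem if looks_like_period(ch)]
    # What the stem reads as once lookalike dots are taken at face value.
    apparent = "".join("." if looks_like_period(ch) else ch for ch in stem)
    ext = apparent.rsplit(".", 1)[-1].lower() if "." in apparent else ""
    if lookalikes and ext in DOCUMENT_EXTENSIONS:
        codepoints = ", ".join("U+%04X" % ord(c) for c in lookalikes)
        reason = "period lookalike %s disguises .app bundle as %s" % (codepoints, apparent)
        return {"is_app": True, "displayed_as": stem, "suspicious": True, "reason": reason}
    if ext in DOCUMENT_EXTENSIONS:
        # A real double extension: the Finder shows the full name, but flag it anyway.
        return {"is_app": True, "displayed_as": name, "suspicious": True,
                "reason": "double extension (Finder shows full name)"}
    if lookalikes:
        return {"is_app": True, "displayed_as": stem, "suspicious": True,
                "reason": "non-ASCII period lookalike in bundle name"}
    return {"is_app": True, "displayed_as": stem, "suspicious": False, "reason": ""}


def flag_suspicious(names):
    """Return (name, reason) for every bundle name worth a second look."""
    results = [(n, analyze_bundle_name(n)) for n in names]
    return [(n, r["reason"]) for n, r in results if r["suspicious"]]
```

Run flag_suspicious over the names in a downloaded archive (or a whole directory listing) before anything in it is opened; a genuine image file is not flagged because it never carries the .app suffix.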
This problem is not as critical as its Windows equivalent because OS X application bundles can’t be transferred as-is in a single file or by email. This makes spreading a lot harder. The bundle must be archived—I have used a Zip archive for this demonstration; a disk image file would also work, but is less credible.
At the same time, however, the absence of exploited vulnerabilities on OS X has led to complacency and poor security practices among users. OS X users are, perhaps, less likely to be suspicious of unknown files than Windows users must be.
For a genuine image file, OS X displays some image information in blue under the file name; for the trojan application, there is no such information. In practice, I suspect that most users wouldn’t notice. Nor does this help at all with other types of file for which no such information is displayed.
2005-09-10 01:12 UTC. Comments: 1.