How the Attack Works
A critical security flaw in ExifTool, a widely used open-source utility for reading and editing file metadata, puts macOS users at risk. Discovered by Kaspersky’s research team, the vulnerability allows attackers to execute arbitrary shell commands by embedding malicious instructions within an image file’s metadata. The issue lies in how ExifTool processes file creation dates on macOS. When the tool handles certain metadata tags related to file creation dates, it passes user-supplied data directly to a system command without proper sanitization. This allows an attacker to break out of the intended command structure by injecting special characters like single quotes.
Exploitation and Impact
To exploit the flaw, attackers must bypass a built-in filter that rejects malformed date values. They do this by using a command-line flag that forces ExifTool to accept raw, unformatted machine-readable data. The actual exploitation involves a two-step process. First, the attacker injects a malicious payload into a source metadata tag, such as the date and time the image was originally created. Then, they use ExifTool’s metadata copying feature to move that tainted data into the file creation date field. During this copy operation, the unsanitized data reaches the vulnerable code path and triggers execution of the attacker’s commands. A single malicious image opened with ExifTool can silently deploy Trojans, steal data, or give attackers a foothold to move across a network.
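The quoting failure and the filter bypass described above can be seen in this added example, which is not ExifTool's code or anything from the original article. The tool name `set-creation-date`, the date pattern and the sample values are assumptions made for illustration; the script only tokenises strings and never runs a command.

```python
import re
import shlex

TOOL = "set-creation-date"   # hypothetical stand-in for the OS date-setting utility
DATE_RE = re.compile(r"[0-9]{4}:[0-9]{2}:[0-9]{2} [0-9]{2}:[0-9]{2}:[0-9]{2}")

# Constructed sample values; EXTRA is an inert marker token, not a command.
GOOD = "2024:01:01 00:00:00"
BAD = "2024:01:01 00:00:00' EXTRA 'x"


def naive_command(date_value, path):
    """Weak pattern: wrap untrusted text in single quotes inside a shell string."""
    return f"{TOOL} -d '{date_value}' '{path}'"


def shell_tokens(cmdline):
    """Tokenise the string the way a POSIX shell would, without running anything."""
    return shlex.split(cmdline)


def value_survives_quoting(date_value, path):
    """True only if the shell would still see the value as one single argument."""
    return shell_tokens(naive_command(date_value, path)) == [TOOL, "-d", date_value, path]


def safe_argv(date_value, path):
    """Hardened pattern: validate at the sink, then build an argv list (no shell).

    The check runs right before the command is built, so it applies however
    the value arrived (raw input mode, copied from another tag, and so on).
    The list is meant for subprocess.run(argv) with shell left at its default.
    """
    if not DATE_RE.fullmatch(date_value):
        raise ValueError("metadata value is not a plain date/time")
    return [TOOL, "-d", date_value, path]


if __name__ == "__main__":
    print(shell_tokens(naive_command(GOOD, "photo.jpg")))
    print(shell_tokens(naive_command(BAD, "photo.jpg")))
    print(value_survives_quoting(BAD, "photo.jpg"))
```

With the constructed `BAD` value, the naive string parses into six shell tokens instead of four, which is the break-out the article attributes to single quotes; `safe_argv` rejects the same value before any command is assembled.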
Source: Cyber Security News
