Employees who receive external e-mails typically receive information about which files are potentially dangerous. For example, EXE files are considered unsafe by default, as are DOCX and XLSX files, which can contain malicious macros. Text files, on the other hand, are generally considered harmless by design, because they cannot contain anything other than plain text. But that isn’t always the case.
Researchers found a way to exploit a vulnerability (now patched) involving the format, and they could find more. The file format itself isn’t the problem; the problem is the way programs handle TXT files.
macOS’s CVE-2019-8761 vulnerability
Researcher Paulos Yibelo highlighted a curious way of attacking macOS computers through text files. Like many other protective solutions, macOS’s built-in security system, Gatekeeper, views text files as completely trustworthy. Users can download and open them using the built-in editor TextEdit without additional checks.
However, TextEdit is somewhat more sophisticated than Microsoft Windows’ Notepad. It can display text in bold, let users change the font color, and more. Because the TXT format is not designed to store style information, TextEdit looks for additional technical information inside the file itself so it can handle that task. For example, if a file starts with the line <!DOCTYPE HTML><html><head></head><body>, TextEdit begins to handle HTML tags, even in a file with a .txt extension.
Essentially, writing HTML code into a text file that starts with that line forces TextEdit to process the code, or at least some elements of it.
Attacks possible through text files
After carefully examining all possibilities available to a potential attacker using this method, Yibelo found that the vulnerability enables:
- DoS attacks. Gatekeeper does not stop a file with the TXT extension from opening local files. Opening a malicious text file can therefore overload the computer, for example by using HTML code to read the /dev/zero file, an endless source of null characters.
- Identifying a user’s real IP address. Code in the text file can call AutoFS, a standard program for mounting file systems, which can provide access to an external drive. That action is harmless on its own, but the automatic mounting process forces the system kernel to send a TCP request, even if the user is behind a proxy server. As a result, the creator of the malicious text file can learn the exact time it was opened and record the user’s real IP address.
- File theft. Entire files can be inserted into a text document containing the <iframedoc> tag. The malicious text file can therefore gain access to any file on the victim’s computer and then transfer its contents using a dangling markup attack. The user just has to open the file.
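The common thread in all three attack classes is that the file is trusted because of its name while its content is HTML. A defender can close that gap at the mail gateway or on the endpoint by sniffing the first bytes of every .txt attachment instead of trusting the extension. The check below is an added example written for this article, not code from the article or from Yibelo’s research. It flags the doctype trigger line quoted above, and, as an extension beyond what the article describes, also flags structured HTML that embeds resources (iframe, img, script and similar tags) even when no doctype is present. All sample attachments are constructed, and the PLACEHOLDER values stand in for whatever a real file would reference.

```python
"""Flag .txt attachments whose bytes would be rendered as HTML rather than plain text.

Added example for the CVE-2019-8761 write-up; the thresholds and tag lists are
the author's assumptions, not Apple's or Kaspersky's logic.
"""
import re
from typing import NamedTuple

# A UTF-8 BOM or leading whitespace may precede the doctype; match case-insensitively.
HTML_PREFIX = re.compile(rb"\A(?:\xef\xbb\xbf)?\s*<!doctype\s+html", re.IGNORECASE)
# Opening tags that give a document its skeleton (what TextEdit's trigger line contains).
STRUCTURE_TAGS = re.compile(rb"<\s*(?:html|head|body)\b", re.IGNORECASE)
# Opening tags that make a renderer fetch or embed something beyond the text itself.
ACTIVE_TAGS = re.compile(rb"<\s*(?:iframe|img|script|link|object|embed)\b", re.IGNORECASE)


class Verdict(NamedTuple):
    html_prefix: bool      # file opens with an HTML doctype
    structure_tags: int    # count of <html>/<head>/<body> opening tags
    active_tags: int       # count of embedding tags
    suspicious: bool


def inspect_text_file(data: bytes) -> Verdict:
    """Decide whether bytes delivered as .txt look like an HTML document."""
    html_prefix = HTML_PREFIX.search(data[:4096]) is not None
    structure = len(STRUCTURE_TAGS.findall(data))
    active = len(ACTIVE_TAGS.findall(data))
    # The doctype prefix alone is the trigger described in the article. Structured
    # HTML that also embeds resources is flagged as well (assumption: no doctype needed).
    # Prose that merely mentions a tag or two is left alone.
    suspicious = html_prefix or (structure > 0 and active > 0)
    return Verdict(html_prefix, structure, active, suspicious)


def scan_attachments(files: dict) -> dict:
    """Return {name: Verdict} for every .txt entry; other extensions are out of scope here."""
    return {name: inspect_text_file(content)
            for name, content in files.items()
            if name.lower().endswith(".txt")}


# Constructed samples, not real attachments.
SAMPLES = {
    "notes.txt": b"Meeting notes\n- budget review\n- hiring plan\n",
    # Plain prose that mentions tags must not be flagged.
    "readme.txt": b"Start a page with the <html> tag, then add <body>.\n",
    # The trigger line from the article, followed by an embedding tag.
    "invoice.txt": (b"\xef\xbb\xbf<!DOCTYPE HTML><html><head></head><body>"
                    b"<iframe srcdoc=\"PLACEHOLDER\"></iframe></body></html>"),
    # No doctype, but structured HTML that embeds a resource.
    "styled.txt": b"<html><body><img src=\"PLACEHOLDER\"></body></html>\n",
    "report.pdf": b"%PDF-1.7 ...",
}

if __name__ == "__main__":
    for name, verdict in scan_attachments(SAMPLES).items():
        flag = "SUSPICIOUS" if verdict.suspicious else "ok"
        print(f"{name:12s} {flag:10s} prefix={verdict.html_prefix} "
              f"structure={verdict.structure_tags} active={verdict.active_tags}")
```

Only opening tags are counted, so `</head>` does not inflate the structure count, and the readme sample that simply talks about `<html>` and `<body>` passes while both HTML-bodied samples are flagged. In a gateway the same function would run on the decoded attachment bytes before the extension-based allow list is consulted.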
The vulnerability was reported to Apple back in December 2019, and it was assigned the number CVE-2019-8761. Paulos Yibelo’s post provides more information about exploiting the vulnerability.
How to stay safe
A 2020 update patched the CVE-2019-8761 vulnerability, but that’s no guarantee no TXT-related bugs lurk in the software. There could be others that no one has worked out how to exploit — yet. So, the correct answer to the question “Is this text file safe?” is something like: “Yes, for now. But stay vigilant.”
Therefore, we recommend training all employees to treat any file as a potential threat, even if it looks like a harmless text file.
Regardless, handing control of all the company’s outgoing information flows to an internal or external SOC makes sense.