
slrz | 4 years ago

I don't think this is doing any HTTP. Autofs is generally used to mount remote file systems like NFS shares.

It's pretty common on Unix-like systems (especially in multi-user environments) and not at all specific to macOS.

References:

https://wiki.archlinux.org/index.php/autofs

https://www.freebsd.org/cgi/man.cgi?query=autofs&sektion=5

https://access.redhat.com/documentation/en-us/red_hat_enterp...


jrochkind1 | 4 years ago

The only thing I know about this is what I learned from the OP reporting the vulnerability. Maybe I was mistaken that the request was HTTP? Anyway, the rest applies, assuming the article is correct in describing the nature of the vulnerability.

Anyway, if this is how TextEdit got around macOS access controls related to network activity, I wonder if this is a route for other apps, including malicious ones, to get around it too?

> After digging into OSX internals, I came across the AutoMount feature that lets file:/// urls make remote requests. AutoFS is a program on OSX that uses the kernel to make a mounting request to a drive. Automount can also make remote requests to an external drive. Doing 'ls /net/EXAMPLE.com' forces OSX to send a remote request to EXAMPLE.com.

> While they did a good job blocking TextEdit from making external requests, this was the one thing they forgot when they allowed file:/// scheme, on OSX file:///net/11.22.33.44/a.css connects to 11.22.33.44.
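
A defender-side check for the behaviour quoted above, as an added example that is not from the thread or the quoted article: it scans document text for `file:` URLs whose normalized path falls under the autofs `/net` directory and reports the remote host such a path names. The function names, the regex and the sample markup are constructed for illustration; the `/net/<host>/...` layout is taken from the quoted article.

```python
import posixpath
import re
from urllib.parse import unquote, urlsplit

# Assumption: "net" is the top-level autofs directory, as in the quoted article.
AUTOFS_DIR = "net"
URL_RE = re.compile(r"file:[^\s\"'<>)]+", re.IGNORECASE)

# Constructed sample input: one local stylesheet and one reference under /net.
SAMPLE = (
    '<link rel="stylesheet" href="file:///Users/me/style.css">\n'
    '<link rel="stylesheet" href="file:///net/11.22.33.44/a.css">\n'
)

def autofs_host(url):
    """Return the host a file: URL names under /net, or None if it is not such a URL."""
    parts = urlsplit(url)
    if parts.scheme.lower() != "file":
        return None
    # Decode percent-escapes, then collapse "." and ".." so that
    # file:///tmp/../net/host/x is treated like file:///net/host/x.
    path = posixpath.normpath("/" + unquote(parts.path).lstrip("/"))
    segments = path.split("/")  # "/net/h/a.css" -> ["", "net", "h", "a.css"]
    # Case-insensitive comparison is a conservative choice for a scanner.
    if len(segments) >= 3 and segments[1].lower() == AUTOFS_DIR:
        return segments[2]
    return None

def scan(text):
    """Return (url, host) pairs for every file: URL in text that points under /net."""
    hits = []
    for match in URL_RE.finditer(text):
        host = autofs_host(match.group(0))
        if host:
            hits.append((match.group(0), host))
    return hits

if __name__ == "__main__":
    for url, host in scan(SAMPLE):
        print(f"file: URL reaches autofs host {host}: {url}")
```
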