In Notion Web Clipper 1.0.3(7), a .nib file is susceptible to the Dirty NIB attack. NIB files can be manipulated to execute arbitrary commands. Additionally, even if a NIB file is modified within an application, Gatekeeper may still permit the execution of the application, enabling the execution of arbitrary commands within the application's context.
Attackers could exploit this vulnerability to execute unauthorized commands within the Notion application, potentially compromising sensitive user data or performing malicious actions.
- First, create the malicious NIB
![image1](https://private-user-images.githubusercontent.com/100588945/299810902-21768f9c-f0e2-4987-b0eb-89691777ed17.png?jwt=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJnaXRodWIuY29tIiwiYXVkIjoicmF3LmdpdGh1YnVzZXJjb250ZW50LmNvbSIsImtleSI6ImtleTUiLCJleHAiOjE3MjA3MjQxMDYsIm5iZiI6MTcyMDcyMzgwNiwicGF0aCI6Ii8xMDA1ODg5NDUvMjk5ODEwOTAyLTIxNzY4ZjljLWYwZTItNDk4Ny1iMGViLTg5NjkxNzc3ZWQxNy5wbmc_WC1BbXotQWxnb3JpdGhtPUFXUzQtSE1BQy1TSEEyNTYmWC1BbXotQ3JlZGVudGlhbD1BS0lBVkNPRFlMU0E1M1BRSzRaQSUyRjIwMjQwNzExJTJGdXMtZWFzdC0xJTJGczMlMkZhd3M0X3JlcXVlc3QmWC1BbXotRGF0ZT0yMDI0MDcxMVQxODUwMDZaJlgtQW16LUV4cGlyZXM9MzAwJlgtQW16LVNpZ25hdHVyZT00M2ExYzlkZjM2OTQyODliOTc4MDg2YzJmZmJlZTBlOWRmZGU4MDdjMDg2NmMzY2U0ZjUyZTZlMDAwYTIyODdlJlgtQW16LVNpZ25lZEhlYWRlcnM9aG9zdCZhY3Rvcl9pZD0wJmtleV9pZD0wJnJlcG9faWQ9MCJ9.yL6BbFShB1fEFWV_uRHzP7Ql5c0BvedZCvz8uhseuyA)
![image2](https://private-user-images.githubusercontent.com/100588945/299811012-d5cef122-b6fa-44f5-92ad-fac6f3627b71.png?jwt=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJnaXRodWIuY29tIiwiYXVkIjoicmF3LmdpdGh1YnVzZXJjb250ZW50LmNvbSIsImtleSI6ImtleTUiLCJleHAiOjE3MjA3MjQxMDYsIm5iZiI6MTcyMDcyMzgwNiwicGF0aCI6Ii8xMDA1ODg5NDUvMjk5ODExMDEyLWQ1Y2VmMTIyLWI2ZmEtNDRmNS05MmFkLWZhYzZmMzYyN2I3MS5wbmc_WC1BbXotQWxnb3JpdGhtPUFXUzQtSE1BQy1TSEEyNTYmWC1BbXotQ3JlZGVudGlhbD1BS0lBVkNPRFlMU0E1M1BRSzRaQSUyRjIwMjQwNzExJTJGdXMtZWFzdC0xJTJGczMlMkZhd3M0X3JlcXVlc3QmWC1BbXotRGF0ZT0yMDI0MDcxMVQxODUwMDZaJlgtQW16LUV4cGlyZXM9MzAwJlgtQW16LVNpZ25hdHVyZT1hZjliNWQ0NGQwODUwOWNjMzkyYmZlNGNlYjA3NmZiZTM4YWIzOTlhYmQ5YzBiOTg1YWI4ODUxNzZiMTY4OTZmJlgtQW16LVNpZ25lZEhlYWRlcnM9aG9zdCZhY3Rvcl9pZD0wJmtleV9pZD0wJnJlcG9faWQ9MCJ9.18AZXnsk2HdcNihsALMSv_vai9668Xk6OSAmOwBGhBk)
![image3](https://private-user-images.githubusercontent.com/100588945/299816885-d82514c8-b6bb-4a40-94eb-c47db86228f9.png?jwt=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJnaXRodWIuY29tIiwiYXVkIjoicmF3LmdpdGh1YnVzZXJjb250ZW50LmNvbSIsImtleSI6ImtleTUiLCJleHAiOjE3MjA3MjQxMDYsIm5iZiI6MTcyMDcyMzgwNiwicGF0aCI6Ii8xMDA1ODg5NDUvMjk5ODE2ODg1LWQ4MjUxNGM4LWI2YmItNGE0MC05NGViLWM0N2RiODYyMjhmOS5wbmc_WC1BbXotQWxnb3JpdGhtPUFXUzQtSE1BQy1TSEEyNTYmWC1BbXotQ3JlZGVudGlhbD1BS0lBVkNPRFlMU0E1M1BRSzRaQSUyRjIwMjQwNzExJTJGdXMtZWFzdC0xJTJGczMlMkZhd3M0X3JlcXVlc3QmWC1BbXotRGF0ZT0yMDI0MDcxMVQxODUwMDZaJlgtQW16LUV4cGlyZXM9MzAwJlgtQW16LVNpZ25hdHVyZT1jZDc4MzRhN2JjODBjYmRmNWQyMzIwOGI2NTA2ZTJlYjZjOGM3Y2JkNjhhMTdkZTE0MGFhYjhkY2U4NGYyNjZhJlgtQW16LVNpZ25lZEhlYWRlcnM9aG9zdCZhY3Rvcl9pZD0wJmtleV9pZD0wJnJlcG9faWQ9MCJ9.tuymUc5ClKV5uzXR5C1jiNTNL0TsogI9zXXD-g5ySKo)
![image4](https://private-user-images.githubusercontent.com/100588945/299818746-c3adaa53-547c-49d4-bdc6-27e519fe9dbd.png?jwt=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJnaXRodWIuY29tIiwiYXVkIjoicmF3LmdpdGh1YnVzZXJjb250ZW50LmNvbSIsImtleSI6ImtleTUiLCJleHAiOjE3MjA3MjQxMDYsIm5iZiI6MTcyMDcyMzgwNiwicGF0aCI6Ii8xMDA1ODg5NDUvMjk5ODE4NzQ2LWMzYWRhYTUzLTU0N2MtNDlkNC1iZGM2LTI3ZTUxOWZlOWRiZC5wbmc_WC1BbXotQWxnb3JpdGhtPUFXUzQtSE1BQy1TSEEyNTYmWC1BbXotQ3JlZGVudGlhbD1BS0lBVkNPRFlMU0E1M1BRSzRaQSUyRjIwMjQwNzExJTJGdXMtZWFzdC0xJTJGczMlMkZhd3M0X3JlcXVlc3QmWC1BbXotRGF0ZT0yMDI0MDcxMVQxODUwMDZaJlgtQW16LUV4cGlyZXM9MzAwJlgtQW16LVNpZ25hdHVyZT01MDIxYzg4OTI3MzU0N2I4ZGE0MjA3ZTEwNGI3MzkyM2NkMWQ4MGU1NmYyYTVhMzdhY2ExMDNhMzBkZGMwNDViJlgtQW16LVNpZ25lZEhlYWRlcnM9aG9zdCZhY3Rvcl9pZD0wJmtleV9pZD0wJnJlcG9faWQ9MCJ9.t0uDDT5mTs27gB_wcg7OHEsolniIHhfabGMoK-QkLvk)
More details at: https://blog.xpnsec.com/dirtynib/
- Notion Application
![image6](https://private-user-images.githubusercontent.com/100588945/299819221-b6786f30-59fe-482c-827a-cde49930bc36.png?jwt=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJnaXRodWIuY29tIiwiYXVkIjoicmF3LmdpdGh1YnVzZXJjb250ZW50LmNvbSIsImtleSI6ImtleTUiLCJleHAiOjE3MjA3MjQxMDYsIm5iZiI6MTcyMDcyMzgwNiwicGF0aCI6Ii8xMDA1ODg5NDUvMjk5ODE5MjIxLWI2Nzg2ZjMwLTU5ZmUtNDgyYy04MjdhLWNkZTQ5OTMwYmMzNi5wbmc_WC1BbXotQWxnb3JpdGhtPUFXUzQtSE1BQy1TSEEyNTYmWC1BbXotQ3JlZGVudGlhbD1BS0lBVkNPRFlMU0E1M1BRSzRaQSUyRjIwMjQwNzExJTJGdXMtZWFzdC0xJTJGczMlMkZhd3M0X3JlcXVlc3QmWC1BbXotRGF0ZT0yMDI0MDcxMVQxODUwMDZaJlgtQW16LUV4cGlyZXM9MzAwJlgtQW16LVNpZ25hdHVyZT01YjdlOGE3MGFmMTNmNTkyNDZlOGNiZDA4NWY1OTU0YjBmYjM4MzgwYWVhNTFjYTRhOGY5NTZiMGNhOWVlYzU0JlgtQW16LVNpZ25lZEhlYWRlcnM9aG9zdCZhY3Rvcl9pZD0wJmtleV9pZD0wJnJlcG9faWQ9MCJ9.Q2IH7vNpleI5N6LBCtqyciKayirwcUZ9kB29OAoshZ4)
![image7](https://private-user-images.githubusercontent.com/100588945/299819291-5c897fea-1271-45e2-bbe6-1bbfc4afec44.png?jwt=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJnaXRodWIuY29tIiwiYXVkIjoicmF3LmdpdGh1YnVzZXJjb250ZW50LmNvbSIsImtleSI6ImtleTUiLCJleHAiOjE3MjA3MjQxMDYsIm5iZiI6MTcyMDcyMzgwNiwicGF0aCI6Ii8xMDA1ODg5NDUvMjk5ODE5MjkxLTVjODk3ZmVhLTEyNzEtNDVlMi1iYmU2LTFiYmZjNGFmZWM0NC5wbmc_WC1BbXotQWxnb3JpdGhtPUFXUzQtSE1BQy1TSEEyNTYmWC1BbXotQ3JlZGVudGlhbD1BS0lBVkNPRFlMU0E1M1BRSzRaQSUyRjIwMjQwNzExJTJGdXMtZWFzdC0xJTJGczMlMkZhd3M0X3JlcXVlc3QmWC1BbXotRGF0ZT0yMDI0MDcxMVQxODUwMDZaJlgtQW16LUV4cGlyZXM9MzAwJlgtQW16LVNpZ25hdHVyZT01MWY0MmI2YjBkMWIwYmIzYTRhNjMwZjE2MzBiZWJiYjJiMzE3MmNlMGE2ODA0YmEyM2Q3NWM2ZmI2N2FjOGU3JlgtQW16LVNpZ25lZEhlYWRlcnM9aG9zdCZhY3Rvcl9pZD0wJmtleV9pZD0wJnJlcG9faWQ9MCJ9.yXHPSmuV9DbSNaRzldmBR8nc-ksb6z703VYquaNh3Ik)
- Copy the malicious NIB into the app bundle
![image8](https://private-user-images.githubusercontent.com/100588945/299819327-64f2e7c6-0d25-4bb9-877b-47a1dda0aa5d.png?jwt=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJnaXRodWIuY29tIiwiYXVkIjoicmF3LmdpdGh1YnVzZXJjb250ZW50LmNvbSIsImtleSI6ImtleTUiLCJleHAiOjE3MjA3MjQxMDYsIm5iZiI6MTcyMDcyMzgwNiwicGF0aCI6Ii8xMDA1ODg5NDUvMjk5ODE5MzI3LTY0ZjJlN2M2LTBkMjUtNGJiOS04NzdiLTQ3YTFkZGEwYWE1ZC5wbmc_WC1BbXotQWxnb3JpdGhtPUFXUzQtSE1BQy1TSEEyNTYmWC1BbXotQ3JlZGVudGlhbD1BS0lBVkNPRFlMU0E1M1BRSzRaQSUyRjIwMjQwNzExJTJGdXMtZWFzdC0xJTJGczMlMkZhd3M0X3JlcXVlc3QmWC1BbXotRGF0ZT0yMDI0MDcxMVQxODUwMDZaJlgtQW16LUV4cGlyZXM9MzAwJlgtQW16LVNpZ25hdHVyZT02Y2NlN2JjNWNiZGNmNTE1YmY5OWY2NjExNDlhZDkyMmY1MzdmYTA4Yjk1YzZiMzNjYWRkNGU3ZWNlYWQ3NzlkJlgtQW16LVNpZ25lZEhlYWRlcnM9aG9zdCZhY3Rvcl9pZD0wJmtleV9pZD0wJnJlcG9faWQ9MCJ9.E6WzoL2dtLv48JO55g3iYxU6MGjrGqGOYrzzMzj6PQs)
![image9](https://private-user-images.githubusercontent.com/100588945/299819342-e0cc2e78-6f55-41a9-8b91-8dfe8929aec0.png?jwt=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJnaXRodWIuY29tIiwiYXVkIjoicmF3LmdpdGh1YnVzZXJjb250ZW50LmNvbSIsImtleSI6ImtleTUiLCJleHAiOjE3MjA3MjQxMDYsIm5iZiI6MTcyMDcyMzgwNiwicGF0aCI6Ii8xMDA1ODg5NDUvMjk5ODE5MzQyLWUwY2MyZTc4LTZmNTUtNDFhOS04YjkxLThkZmU4OTI5YWVjMC5wbmc_WC1BbXotQWxnb3JpdGhtPUFXUzQtSE1BQy1TSEEyNTYmWC1BbXotQ3JlZGVudGlhbD1BS0lBVkNPRFlMU0E1M1BRSzRaQSUyRjIwMjQwNzExJTJGdXMtZWFzdC0xJTJGczMlMkZhd3M0X3JlcXVlc3QmWC1BbXotRGF0ZT0yMDI0MDcxMVQxODUwMDZaJlgtQW16LUV4cGlyZXM9MzAwJlgtQW16LVNpZ25hdHVyZT0xZTdhNzVlZDEwMzkxYjNkZGIwY2M3MTk2NjQyZjZiMzdiN2UyNzE2ZDI4OTdiYjdjMThhOGMxNTkyZDU1OTlkJlgtQW16LVNpZ25lZEhlYWRlcnM9aG9zdCZhY3Rvcl9pZD0wJmtleV9pZD0wJnJlcG9faWQ9MCJ9.USET7lvZRB3XSBZbY7L0M-J5s6n8hRmGZudyrdIPuX0)
- Open the malicious application
![image10](https://private-user-images.githubusercontent.com/100588945/299819362-2f5ed801-0cb5-4f0c-bb66-38e7c2f9f59f.png?jwt=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJnaXRodWIuY29tIiwiYXVkIjoicmF3LmdpdGh1YnVzZXJjb250ZW50LmNvbSIsImtleSI6ImtleTUiLCJleHAiOjE3MjA3MjQxMDYsIm5iZiI6MTcyMDcyMzgwNiwicGF0aCI6Ii8xMDA1ODg5NDUvMjk5ODE5MzYyLTJmNWVkODAxLTBjYjUtNGYwYy1iYjY2LTM4ZTdjMmY5ZjU5Zi5wbmc_WC1BbXotQWxnb3JpdGhtPUFXUzQtSE1BQy1TSEEyNTYmWC1BbXotQ3JlZGVudGlhbD1BS0lBVkNPRFlMU0E1M1BRSzRaQSUyRjIwMjQwNzExJTJGdXMtZWFzdC0xJTJGczMlMkZhd3M0X3JlcXVlc3QmWC1BbXotRGF0ZT0yMDI0MDcxMVQxODUwMDZaJlgtQW16LUV4cGlyZXM9MzAwJlgtQW16LVNpZ25hdHVyZT04M2EwODM1NGE4MzM3YzhlY2UwMTBkOTczOTU5M2JiZjRkNzM4ZGNmMWM4YzhhZmUxNTBkMzA1Y2IyYzcxMGJjJlgtQW16LVNpZ25lZEhlYWRlcnM9aG9zdCZhY3Rvcl9pZD0wJmtleV9pZD0wJnJlcG9faWQ9MCJ9.7PNzGqlpOI6HiwRJwYFzJ21eYybfmfXcx8xjdSgetkI)
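The step sequence above ends with an app whose bundle contents no longer match its code-signature seal, yet it still launches. The defensive counterpart is to verify the seal yourself: macOS records a SHA-256 digest of every sealed resource, including `.nib` files, in `Contents/_CodeSignature/CodeResources`, and a swapped NIB shows up as a digest mismatch. The script below is an added example written for this page, not code from the original write-up or from Notion; it builds a constructed toy bundle (`Demo.app`, `MainMenu.nib`) with a seal in the real `files2`/`hash2` layout, then replaces the NIB and re-checks. It only covers the `hash2` entries of `files2`; nested-code entries and the legacy `files` table are out of scope.

```python
import hashlib
import os
import plistlib
import tempfile


def _sha256(path):
    """Streamed SHA-256 of a file, returned as raw bytes (matches the
    <data> form plistlib returns for 'hash2')."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.digest()


def verify_bundle_resources(bundle_path):
    """Compare each resource listed under 'files2' in the bundle's
    CodeResources seal with its recorded SHA-256 ('hash2').
    Returns a list of findings; an empty list means every sealed
    resource still matches. Entries without 'hash2' (nested code sealed
    by cdhash) and bare legacy entries are skipped."""
    contents = os.path.join(bundle_path, "Contents")
    seal_path = os.path.join(contents, "_CodeSignature", "CodeResources")
    if not os.path.isfile(seal_path):
        return ["missing CodeResources (bundle unsigned or seal removed)"]
    with open(seal_path, "rb") as f:
        seal = plistlib.load(f)

    findings = []
    for rel, entry in seal.get("files2", {}).items():
        if not isinstance(entry, dict) or "hash2" not in entry:
            continue
        full = os.path.join(contents, rel)
        if not os.path.isfile(full):
            findings.append(f"missing: {rel}")
        elif _sha256(full) != entry["hash2"]:
            findings.append(f"modified: {rel}")
    return findings


def build_demo_bundle(root):
    """Construct a toy app bundle with a minimal CodeResources seal.
    This is a constructed sample for the example, not an Apple-signed app;
    a real seal also carries 'files' and 'rules2' tables."""
    app = os.path.join(root, "Demo.app")
    contents = os.path.join(app, "Contents")
    resources = os.path.join(contents, "Resources")
    os.makedirs(resources)
    os.makedirs(os.path.join(contents, "_CodeSignature"))

    nib = os.path.join(resources, "MainMenu.nib")
    with open(nib, "wb") as f:
        f.write(b"bplist00 constructed original nib bytes")

    seal = {"files2": {"Resources/MainMenu.nib": {"hash2": _sha256(nib)}}}
    with open(os.path.join(contents, "_CodeSignature", "CodeResources"), "wb") as f:
        plistlib.dump(seal, f)
    return app


def demo():
    """Seal check before and after the NIB is replaced in place.
    Returns (findings_before, findings_after)."""
    with tempfile.TemporaryDirectory() as tmp:
        app = build_demo_bundle(tmp)
        before = verify_bundle_resources(app)

        # Simulate the tampering the page describes: the sealed NIB is
        # overwritten while the seal itself is left untouched.
        nib = os.path.join(app, "Contents", "Resources", "MainMenu.nib")
        with open(nib, "wb") as f:
            f.write(b"bplist00 constructed replaced nib bytes")
        after = verify_bundle_resources(app)
    return before, after


if __name__ == "__main__":
    before, after = demo()
    print("before tampering:", before or "all sealed resources match")
    print("after tampering: ", after)
```

On a real Mac the authoritative check is `codesign --verify --deep --strict --verbose=2 /Applications/Notion\ Web\ Clipper.app`, which performs the same resource-seal comparison (and much more); the Python version is useful for scanning bundle copies offline or from an EDR collector where `codesign` is not available. A mismatch on a bundle that already launched without complaint is exactly the condition the page describes.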
Thanks to Giovanni Lima, Cyber Security Engineer and friend. We worked together to reproduce the Dirty NIB PoC 😎
https://book.hacktricks.xyz/macos-hardening/macos-security-and-privilege-escalation/macos-proces-abuse/macos-dirty-nib
https://www.notion.so/web-clipper