You Have One New Appwntment - Hacking Proprietary iCalendar Properties

Presented at DEF CON 30 (2022), Aug. 13, 2022, 3 p.m. (45 minutes).

First defined in 1998, the iCalendar standard remains ubiquitous in enterprise software. However, it did not account for modern security concerns and allowed vendors to create proprietary extensions that expanded the attack surface.

I demonstrate how flawed RFC implementations led to new vulnerabilities in popular applications such as Apple Calendar, Google Calendar, Microsoft Outlook, and VMware Boxer. Attackers can trigger exploits remotely with zero user interaction due to automatic parsing of event invitations. Some of these zombie properties were abandoned years ago for their obvious security problems but continue to pop up in legacy code.

Furthermore, I explain how iCalendar’s integrations with the SMTP and CalDAV protocols enable multi-stage attacks. Despite attempts to secure these technologies separately, the interactions that arise from features such as emailed event reminders require a full-stack approach to calendar security. I conclude that developers should strengthen existing iCalendar standards in terms of design and implementation.

I advocate for an open-source and open-standards approach to secure iCalendar rather than proprietary fragmentation. I will release a database of proprietary iCalendar properties and a technical whitepaper.
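One defensive measure the abstract points toward is treating vendor "X-" properties as untrusted input and inspecting or stripping them before an invite reaches a client that parses it automatically. The following is an added example, not code from the talk or its author: a small RFC 5545-style line unfolder and property splitter that enumerates proprietary properties and filters them against an allowlist. The sample invitation and the property name X-EXAMPLE-ACTION are constructed for illustration.

```python
# Constructed sample invitation: standard VEVENT properties plus two vendor
# "X-" extensions, one of them folded across two lines (RFC 5545 section 3.1).
SAMPLE_ICS = (
    "BEGIN:VCALENDAR\r\n"
    "VERSION:2.0\r\n"
    "PRODID:-//Example//Constructed//EN\r\n"
    "BEGIN:VEVENT\r\n"
    "UID:constructed-1@example.invalid\r\n"
    "DTSTART:20220813T150000Z\r\n"
    "SUMMARY:Talk\r\n"
    "X-ALT-DESC;FMTTYPE=text/html:<html><body>hi\r\n"
    " </body></html>\r\n"
    "X-EXAMPLE-ACTION:run\r\n"          # hypothetical vendor property
    "END:VEVENT\r\n"
    "END:VCALENDAR\r\n"
)

def unfold(ics):
    """Join folded continuation lines (leading SPACE or HTAB) onto the preceding line."""
    lines = []
    for raw in ics.splitlines():
        if raw[:1] in (" ", "\t") and lines:
            lines[-1] += raw[1:]        # drop the single folding whitespace
        else:
            lines.append(raw)
    return lines

def parse_line(line):
    """Split 'NAME;PARAMS:VALUE' into (name, params, value).
    The first ':' outside double quotes ends the name/parameter section."""
    in_quotes = False
    for i, ch in enumerate(line):
        if ch == '"':
            in_quotes = not in_quotes
        elif ch == ":" and not in_quotes:
            name, _, params = line[:i].partition(";")
            return name.upper(), params, line[i + 1:]
    return None                          # malformed content line

def find_proprietary(ics):
    """Map every vendor 'X-' property name in the invitation to its value."""
    found = {}
    for line in unfold(ics):
        parsed = parse_line(line)
        if parsed and parsed[0].startswith("X-"):
            found[parsed[0]] = parsed[2]
    return found

def strip_proprietary(ics, allow=frozenset()):
    """Return the invitation with every X- property not on the allowlist removed."""
    kept = []
    for line in unfold(ics):
        parsed = parse_line(line)
        if parsed and parsed[0].startswith("X-") and parsed[0] not in allow:
            continue
        kept.append(line)
    return "\r\n".join(kept) + "\r\n"
```

Running `find_proprietary` over inbound invites gives an inventory of which vendor extensions actually arrive, which is the first step toward a reviewed allowlist rather than passing every extension to the client parser.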
Presenters:

  • Eugene Lim - Cybersecurity Specialist, Government Technology Agency of Singapore
    Eugene (spaceraccoon) hacks for good! At GovTech Singapore, he protects citizen data and government systems through security research. He also develops SecOps integrations to secure code at scale. He recently reported remote code execution vulnerabilities in Microsoft Office and Apache OpenOffice and discussed defensive coding techniques he observed from hacking Synology Network Attached Storage devices at ShmooCon. As a bug hunter, he helps secure products globally, from Amazon to Zendesk. In 2021, he was selected from a pool of 1 million registered hackers for HackerOne's H1-Elite Hall of Fame. Besides bug hunting, he builds security tools, including a malicious npm package scanner and a social engineering honeypot that were presented at Black Hat Arsenal. He writes about his research on https://spaceraccoon.dev. He enjoys tinkering with new technologies. He presented "Hacking Humans with AI as a Service" at DEF CON 29 and attended IBM's Qiskit Global Quantum Machine Learning Summer School.