Banana Mail is a zero-click remote persistent denial-of-service (DoS) attack targeting Apple's macOS operating system. It allows an attacker to remotely render the victim's macOS device unresponsive simply by sending a crafted S/MIME email, without requiring any user interaction or drawing the victim's attention. The attack exploits vulnerabilities in macOS's X.509 certificate validation implementation and leverages a chain of system-level features and mechanisms inherent to macOS. Notably, the exploit achieves remote and silent execution, and the malicious payload persists on the victim's system even after a device reboot. This persistence ensures that the DoS attack continues against the victim.
The content related to Banana Mail can mainly be found in section 7.3.2 of the paper:
Bing Shi, Wenchao Li, Yuchen Wang, Xiaolong Bai, and Luyi Xing. X.509DoS: Exploiting and Detecting Denial-of-Service Vulnerabilities in Cryptographic Libraries using Crafted X.509 Certificates. In 34th USENIX Security Symposium (USENIX Security 25).
Q. What is the Banana Mail attack?
A. Banana Mail is a zero-click remote persistent DoS attack targeting Apple's macOS operating system via S/MIME email carrying crafted X.509 certificates. The attack exploits vulnerabilities in macOS's implementation of certificate handling, leveraging a series of features and mechanisms within macOS to remotely and silently trigger those vulnerabilities via S/MIME emails. The result is that the victim's macOS becomes incapacitated, with the impact persisting even after a device reboot.
Q. What is the relationship between Banana Mail and X.509DoS?
A. The Banana Mail attack can be viewed as a concrete instance on macOS of the second threat model proposed in our X.509DoS paper, application signature verification. Because of its novel and representative nature, we designate it as a standalone attack.
Q. How are the three characteristics — remote, zero-click, and persistent — reflected in this attack?
A. The three characteristics of this attack are reflected as follows:
Remote: the attack is launched by remotely sending an email to the recipient (i.e., the victim).
Zero-click: Apple Mail automatically adds the crafted certificate chain to the Keychain without asking for permission or notifying the recipient.
Persistent: the email and certificates are persistently stored in the victim's Mail and Keychain, so the DoS attack automatically recurs when macOS restores previously opened apps after a reboot. Furthermore, if the user's macOS is enrolled in an enterprise MDM (Mobile Device Management) program, the attack recurs even before the system restores previously opened apps: the MDM-related system process, mdmclient, asks the system to iterate over all certificates in the Keychain, including the crafted one, immediately after the user logs in.
Q. What vulnerabilities could potentially be exploited to launch Banana Mail attacks?
A. Theoretically, any certificate that can trigger resource exhaustion in trustd during certificate validation can be used to launch this attack. Some typical vulnerabilities are discussed in section 5.3 of the X.509DoS paper.
Q. How to defend against this attack?
A. If you are an Apple Mail user, the most effective mitigation is to promptly upgrade to the latest version of macOS. If you have unfortunately already been compromised by this attack, do not attempt to remove the malicious certificate via the graphical Keychain interface, as doing so may retrigger the exploit. The only currently known workaround, which succeeds only some of the time, is to reboot the system and, during the narrow window before the system becomes unresponsive, quickly use Apple's security command-line tool to delete the malicious certificate.
Bing Shi: roadicing@protonmail.com