How to open and exploit .DS_Store

What are DS_Store files and why are they needed

.DS_Store files are created by the Apple OS X operating system. They store user settings for a folder, such as the list of files, the location of the icons, and the selected background image. The name is short for Desktop Services Store. These files are created and maintained by the Finder application in each folder and serve a purpose similar to the desktop.ini file in Microsoft Windows. Names that begin with a period, including .DS_Store, are hidden in Finder and in many Unix utilities. The internal structure of these files is proprietary.

.DS_Store files are of interest because they contain a list of files in the current folder. These files can be used in forensic analysis of the local system. Also, these files can be found on a server, for example, if the folder was moved in a ZIP archive from Mac machines.

A .DS_Store file does not leak the contents of the files it lists; only their names are revealed.
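One way to catch these files before a folder or ZIP archive from a Mac reaches the web root (an added example, not code from the original article or from any tool it mentions): the script walks a directory tree, looks inside ZIP archives, and confirms each hit by the `Bud1` signature at the start of the file. The function names and the sample tree are constructed for illustration.

```python
import os
import tempfile
import zipfile

DS_MAGIC = b"\x00\x00\x00\x01Bud1"  # first 8 bytes of a Finder-written .DS_Store


def verdict(header: bytes) -> str:
    """'confirmed' when the bytes carry the .DS_Store signature, else 'name-only'."""
    return "confirmed" if header[:8] == DS_MAGIC else "name-only"


def audit_tree(root: str) -> list:
    """Return sorted (location, verdict) pairs for every .DS_Store under root,
    including entries packed inside ZIP archives found in the tree."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            if name == ".DS_Store":
                with open(path, "rb") as fh:
                    findings.append((rel, verdict(fh.read(8))))
            elif zipfile.is_zipfile(path):
                with zipfile.ZipFile(path) as zf:
                    for info in zf.infolist():
                        if info.filename.rsplit("/", 1)[-1] == ".DS_Store":
                            with zf.open(info) as member:
                                findings.append((f"{rel}!{info.filename}",
                                                 verdict(member.read(8))))
    return sorted(findings)


def build_sample(root: str) -> None:
    """Constructed sample web root: one loose .DS_Store and one inside a ZIP."""
    os.makedirs(os.path.join(root, "assets", "img"))
    with open(os.path.join(root, "assets", "img", ".DS_Store"), "wb") as fh:
        fh.write(DS_MAGIC + b"\x00" * 24)
    with zipfile.ZipFile(os.path.join(root, "upload.zip"), "w") as zf:
        zf.writestr("site/.DS_Store", DS_MAGIC + b"\x00" * 24)
        zf.writestr("site/page.html", "<p>ok</p>")


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        for location, result in audit_tree(tmp):
            print(f"{result:10} {location}")
```

A "name-only" verdict means the file has the right name but not the signature, which is still worth removing from a published directory.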

How to open .DS_Store files

Since the .DS_Store format is proprietary and there are no official utilities for working with these files, reverse engineering was used to analyze the file structure and build several tools that can extract its contents. These tools usually display the names of the files listed in a .DS_Store file successfully, but some .DS_Store files cause errors: the files may be corrupted or have properties that the analysis tool does not implement.

An example program to open .DS_Store is Python-dsstore.

To install Python-dsstore on Linux:

git clone https://github.com/gehaxelt/Python-dsstore
cd Python-dsstore/

Usage:

python3 ./main.py <FILE>

If you do not have Linux, you can use the .DS_Store online content viewing service. It is enough to upload a file to this service, and all the file names found in it will be displayed. You can rename .DS_Store to any other name if a file with a leading dot is not visible on your system. The file name does not affect the analysis results.
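For forensic triage of a local .DS_Store copy that a parser rejects as corrupted, the example below (added here, not part of Python-dsstore or the original article) ignores the block structure and scans the raw bytes for record headers. It assumes the record layout described in public reverse-engineering notes: a 4-byte big-endian name length, the UTF-16BE name, a 4-character property code and a 4-character type code; `carve_names`, `record` and `SAMPLE` are constructed for this illustration.

```python
import struct

# Value type codes that follow each record's property code (taken from public
# reverse-engineering notes on the format; an assumption, not an Apple spec).
KNOWN_TYPES = {b"bool", b"long", b"shor", b"blob", b"type", b"ustr", b"comp", b"dutc"}


def carve_names(data: bytes, max_name_len: int = 255) -> list:
    """Return the distinct file names from record headers found anywhere in data.

    The block allocator is ignored, so a truncated or damaged file still
    yields whatever intact records remain.
    """
    names, pos = [], 0
    while pos + 12 <= len(data):
        (count,) = struct.unpack_from(">I", data, pos)  # name length in UTF-16 units
        end = pos + 4 + 2 * count
        if 1 <= count <= max_name_len and end + 8 <= len(data):
            prop, vtype = data[end:end + 4], data[end + 4:end + 8]
            if vtype in KNOWN_TYPES and prop.isalnum():
                try:
                    name = data[pos + 4:end].decode("utf-16-be")
                except UnicodeDecodeError:
                    name = ""
                if name and name.isprintable():
                    if name not in names:
                        names.append(name)
                    pos = end + 8  # continue after the header just accepted
                    continue
        pos += 1
    return names


def record(name: str, prop: bytes, vtype: bytes, value: bytes) -> bytes:
    """Build one constructed record for the sample below."""
    return struct.pack(">I", len(name)) + name.encode("utf-16-be") + prop + vtype + value


# Constructed sample: file signature, padding, three records, damaged tail.
SAMPLE = (
    b"\x00\x00\x00\x01Bud1" + b"\x00" * 28
    + record("config.bak", b"Iloc", b"blob", struct.pack(">I", 16) + b"\x00" * 16)
    + record("config.bak", b"modD", b"dutc", b"\x00" * 8)
    + record("uploads", b"vSrn", b"long", struct.pack(">I", 1))
    + b"\xff" * 7
)

if __name__ == "__main__":
    print(carve_names(SAMPLE))        # full constructed sample
    print(carve_names(SAMPLE[:140]))  # same data cut off inside the last record
```

Because this is pattern matching rather than a real parse, treat the recovered names as leads to confirm against other evidence.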

How to search for .DS_Store files

These files can be found using the Nikto scanner, or with typical programs for finding hidden directories and files on sites:

  • Gobuster
  • Dirbuster
  • Dirb

Most importantly, make sure their dictionaries include .DS_Store.

If you want to find .DS_Store files on any servers to try the tools, which will be described later, then you can find many such files on sites on the Internet using Google dorks:

intext:.DS_Store & intitle:index -github
intitle:"index of" intext:".ds_store"
inurl:.DS_Store intitle:index of
inurl:.DS_Store intitle:index.of

To search for these files on GitHub: https://github.com/search?q=.DS_Store&type=Commits

Exploiting Data Leaks through a .DS_Store File

If you tried the dorks given above, then you are already aware that .DS_Store files get from the computers of website developers and media providers into the directories of the web server and become publicly available. In fact, if these files can be found using Google, they are not of much use: in this case the files are located in directories without an index file (index.php, index.htm, index.html) and with permission to view the contents of the directory. That is, even without the .DS_Store file, you can see what the folder contains and download it.

The following tools are primarily useful if you find a .DS_Store file, for example, using Nikto and the directories are closed for viewing. In this case, using .DS_Store and the tools described below, you can download files whose existence was previously unknown.

I will talk about two tools at once, which, using the .DS_Store found on the server, look for other files.

The first such tool is ds_store_exp. It downloads the .DS_Store file, extracts the file names from it, and constructs new links for downloading the mentioned files. When saving files, the directory structure of the remote server is reproduced.

To install ds_store_exp on Linux, do:

git clone https://github.com/lijiejie/ds_store_exp
cd ds_store_exp
sudo pip2 install -r requirements.txt

To analyze which files and directories are referenced in the .DS_Store file located at https://www.digitalrepublik.com/assets/img/.DS_Store:

python2 ./ds_store_exp.py https://www.digitalrepublik.com/assets/img/.DS_Store

To view downloaded files and the structure of detected directories:

tree www.digitalrepublik.com/

In some cases, for example:

sudo python2 ./ds_store_exp.py https://www.le-pam.fr/images/.DS_Store

The program will fail:

[200] https://www.le-pam.fr/images/.DS_Store
[!] Unable to read 1024 bytes in block

The essence of the problem is that it is not possible to read the contents of .DS_Store – either due to the fact that the file is damaged, or due to shortcomings of tools created on the basis of reverse engineering.

The second script is called DS_Store_crawler_parser. It downloads the .DS_Store file and checks the availability of the files mentioned in it, but does not download the files themselves.

To install DS_Store_crawler_parser on Kali Linux:

git clone https://github.com/anantshri/DS_Store_crawler_parser
cd DS_Store_crawler_parser
sudo pip3 install -r requirements.txt
python3 ./dsstore_crawler.py -h

To install DS_Store_crawler_parser in BlackArch:

sudo pacman -S dsstore-crawler
sudo sed -i 's/is not/!=/g' /usr/share/dsstore-crawler/dsstore_crawler.py

To launch the script, you should know about a couple of issues. Firstly, you need to use the -i option:

python3 ./dsstore_crawler.py -i https://www.digitalrepublik.com/assets/img/

Secondly, pay attention to how we specified the URL: for the script to work, specify the URL of the folder where the .DS_Store file is located, not the full path to the file.
