Path traversal in filename in LINE Mac client
Team Summary
Official summary from LY Corporation
Initially, @hackerontwowheels and @renekroka discovered that by using a path traversal payload combined with `#` to block out the file extension, arbitrary, pre-installed applications could be executed. It was not possible to provide additional arguments to these applications, however. The payload used for OS X Yosemite was: `..%2f..%2f..%2f..%2f..%2f..%2f..%2fApplications%2fCalculator.app#.zip`, which would execute the calculator app. Running commands with parameters was not possible (example: `/Applications/iTerm.app ls -al`).

Afterwards, the reporters also identified an issue where they could achieve code execution, given that Gatekeeper was disabled, by chaining the upload of an executable file through "Keep" (a file storage service in the LINE App), then triggering the execution using the previous path traversal vulnerability. The file type had to be a .terminal file, due to it not being on the blacklist, as Keep normally filters executables and restricts sharing of these types of files in order to avoid this type of issue.

The complete chain looked like this:

1. Upload malicious .terminal file to Keep
2. Share .terminal file with victim from Keep
3. Victim downloads shared file
4. Send malicious .zip file with path traversal vulnerability
5. Victim clicks .zip file
6. Code is executed (if Gatekeeper is turned off)
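A receiving-side filename check for the two weaknesses in the summary above, written as an added example (not code from LINE or LY Corporation): it decodes the name before validating it, refuses separators and `#`, and uses an extension allowlist rather than a blacklist. The function names, the allowlist contents and the assumption that the received name arrives percent-encoded are all hypothetical.

```python
from pathlib import Path
from urllib.parse import unquote

ALLOWED_EXT = {".zip", ".png", ".jpg", ".pdf"}  # assumption: example allowlist
FORBIDDEN = set("/\\#?\x00")  # path separators, URL fragment/query markers, NUL


class UnsafeFilename(ValueError):
    pass


def fully_decode(name, max_rounds=5):
    """Percent-decode until stable so nested encodings are validated too."""
    for _ in range(max_rounds):
        decoded = unquote(name)
        if decoded == name:
            return decoded
        name = decoded
    raise UnsafeFilename("too many encoding layers")


def safe_download_path(base_dir, received_name):
    """Return the path to write/open, or raise UnsafeFilename."""
    name = fully_decode(received_name)
    # Validate the decoded name: '..%2f' is only visible as '../' after decoding.
    if not name or name in {".", ".."} or FORBIDDEN & set(name):
        raise UnsafeFilename(f"rejected characters in {received_name!r}")
    # Allowlist check. Without the '#' rejection above, 'Calculator.app#.zip'
    # would pass here because its suffix is '.zip'.
    if Path(name).suffix.lower() not in ALLOWED_EXT:
        raise UnsafeFilename(f"extension not allowed: {received_name!r}")
    base = Path(base_dir).resolve()
    target = (base / name).resolve()
    # Containment check after resolving symlinks: must sit directly in base.
    if target.parent != base:
        raise UnsafeFilename(f"escapes download directory: {received_name!r}")
    return target


def is_accepted(base_dir, received_name):
    try:
        safe_download_path(base_dir, received_name)
        return True
    except UnsafeFilename:
        return False
```

The path returned by `safe_download_path` is the one that should be opened, so the string that was validated and the string that is used cannot diverge.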
Report Details
Additional information and metadata
State: Closed
Substate: Resolved
Submitted
Weakness: Path Traversal