# Getting root with benign app store apps

This writeup is intended to be a bit of storytelling. I would like to show how I went down the rabbit hole in a quick 'research' I wanted to do, and eventually found a local privilege escalation vulnerability in macOS. I also want to show and tell about all the obstacles and failures I ran into, stuff that people don't usually talk about, but I feel it's part of the process all of us go through when we try to create something.

If you prefer to watch this as a talk, you can see it here:

Csaba Fitzl - macOS: Gaining root with Harmless AppStore Apps - SecurityFest 2019 - YouTube

## DYLIB Hijacking on macOS

This entire story started with me trying to find a dylib hijacking vulnerability in a specific application, which I can't name here. Well, I didn't find any in that app, but found plenty in many others.

If you are not familiar with dylib hijacking on macOS, read Patrick Wardle's great writeup:

Virus Bulletin :: Dylib hijacking on OS X

DEF CON 23 - Patrick Wardle - DLL Hijacking on OS X - YouTube

I would go for the talk, as he is a great presenter, and will explain the subject in a very user friendly way, so you will understand all the details.

But just to sum it up here, in very short, there are two types of dylib hijacking possible:

1. weak loading of dylibs - in this case the dylib is referenced through the LC_LOAD_WEAK_DYLIB load command, and if the dylib is not found the application will still run and won't error out. So if there is an app that refers to a dylib with this method and that dylib is not present, you can go ahead, place yours there and profit.

2. rpath (run-path dependent) dylibs - in this case the dylibs are referenced with the @rpath prefix, which will point to the current running location of the Mach-O file, and the loader will try to find the dylibs based on this search path. It's useful if you don't know where your app will end up after installation. Developers can specify multiple search paths, and in case the first one or the first couple don't exist, you can place your malicious dylib there, as the loader will search through these paths in sequential order. In its logic this is similar to classic DLL hijacking on Windows.

It couldn't be easier: you download Patrick's DHS tool, run the scan and wait.
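As an added example (neither the author's code nor Patrick's DHS tool), here is a small audit check for exactly the two cases above: it parses the load commands of a 64-bit Mach-O and reports weak dylibs that are absent, plus the @rpath search locations dyld would try before the one that actually holds the library. The Mach-O bytes, the bundle path and the file system it is checked against are constructed for the demo; a real scan would walk every binary in an app bundle and also expand @loader_path.

```python
import os
import struct

MH_MAGIC_64 = 0xFEEDFACF  # constants from <mach-o/loader.h>
LC_LOAD_DYLIB, LC_LOAD_WEAK_DYLIB, LC_RPATH = 0x0C, 0x80000018, 0x8000001C

def parse_load_commands(data):
    """Return (rpaths, dylibs), dylibs as (install name, is_weak). 64-bit LE, single-arch only."""
    if struct.unpack_from("<I", data, 0)[0] != MH_MAGIC_64:
        raise ValueError("not a 64-bit Mach-O")
    ncmds = struct.unpack_from("<I", data, 16)[0]
    rpaths, dylibs, off = [], [], 32  # load commands start right after the 32-byte header
    for _ in range(ncmds):
        cmd, cmdsize, str_off = struct.unpack_from("<3I", data, off)
        if cmd in (LC_LOAD_DYLIB, LC_LOAD_WEAK_DYLIB, LC_RPATH):  # field 3 = offset of the NUL-terminated string
            s = data[off + str_off:data.index(b"\0", off + str_off)].decode()
            if cmd == LC_RPATH:
                rpaths.append(s)
            else:
                dylibs.append((s, cmd == LC_LOAD_WEAK_DYLIB))
        off += cmdsize
    return rpaths, dylibs

def find_hijackable(data, exe_dir, exists=os.path.exists):
    """Flag an absent weak dylib, and each @rpath location dyld tries (LC_RPATH order) before one that exists."""
    rpaths, dylibs = parse_load_commands(data)
    findings = []
    for name, weak in dylibs:
        if name.startswith("@rpath/"):
            for rp in rpaths:  # simplification: only @executable_path is expanded, not @loader_path
                cand = os.path.normpath(os.path.join(rp.replace("@executable_path", exe_dir), name[7:]))
                if exists(cand):
                    break  # dyld stops at the first hit; any location flagged before it is searched first
                findings.append(("rpath", cand))
        elif weak and not exists(name):
            findings.append(("weak", name))
    return findings

def _lc(cmd, fixed_len, s):
    """Constructed load command: fixed fields (string offset = fixed_len, rest zero), string, 8-byte aligned."""
    s = s.encode() + b"\0"
    size = (fixed_len + len(s) + 7) & ~7
    return struct.pack("<3I", cmd, size, fixed_len).ljust(fixed_len, b"\0") + s.ljust(size - fixed_len, b"\0")

def build_sample():
    """Constructed Mach-O: 8-field header (magic, cputype x86_64, cpusubtype, MH_EXECUTE, ncmds, sizeofcmds, flags, reserved) + load commands only."""
    cmds = b"".join([_lc(LC_RPATH, 12, "@executable_path/../Frameworks"), _lc(LC_RPATH, 12, "/usr/local/lib"),
                     _lc(LC_LOAD_DYLIB, 24, "@rpath/libhelper.dylib"), _lc(LC_LOAD_DYLIB, 24, "/usr/lib/libSystem.B.dylib"),
                     _lc(LC_LOAD_WEAK_DYLIB, 24, "/usr/local/lib/libplugin.dylib")])
    return struct.pack("<8I", MH_MAGIC_64, 0x01000007, 3, 2, 5, len(cmds), 0, 0) + cmds
```

Pass `find_hijackable(open(path, "rb").read(), os.path.dirname(path))` a real single-arch binary to use the default `os.path.exists` check; a finding is only a problem if the flagged directory is writable by a less privileged user than the one running the app.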