{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/tags/dylib-hijacking/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Tresorit","MS Office 2016","Monitor.app","ProcInfoExample"],"_cs_severities":["high"],"_cs_tags":["dylib-hijacking","privilege-escalation","macos"],"_cs_type":"advisory","_cs_vendors":["Tresorit","Avira","Microsoft","Objective-See","FireEye"],"content_html":"\u003cp\u003eThis brief addresses a local privilege escalation vulnerability in macOS that leverages dylib hijacking within applications obtained from the official Mac App Store. The vulnerability allows a malicious actor to inject a dynamic library (dylib) into a legitimate application, potentially gaining elevated privileges. The attack exploits weaknesses in how macOS applications load dynamic libraries, specifically the use of weak loading and run-path dependent (rpath) dylibs. While applications dragged into the /Applications directory are typically owned by the user, applications installed from the App Store are owned by root, requiring privilege escalation to exploit. This vulnerability matters because it allows attackers to bypass intended security restrictions and gain root access, even on systems with standard security configurations. 
Successful exploitation enables persistence and further malicious activities.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker identifies a vulnerable application using tools like Dylib Hijack Scanner (DHS), looking for apps with weak or rpath-dependent dylib loading.\u003c/li\u003e\n\u003cli\u003eThe attacker confirms the absence of the library-validation option (flag=0x200) using \u003ccode\u003ecodesign\u003c/code\u003e to verify whether dylib hijacking is possible.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious dylib (e.g., \u003ccode\u003ehello-tresorit.dylib\u003c/code\u003e) containing code to be executed upon loading, such as opening a Terminal or creating a syslog entry.\u003c/li\u003e\n\u003cli\u003eThe attacker uses \u003ccode\u003egcc\u003c/code\u003e to compile the dylib, then uses a tool like \u003ccode\u003ecreateHijacker.py\u003c/code\u003e to fix the dylib version and add exports from the original dylib to the malicious dylib.\u003c/li\u003e\n\u003cli\u003eThe attacker exploits a vulnerability to bypass root folder permissions to copy the malicious dylib to the application\u0026rsquo;s framework directory (e.g., \u003ccode\u003e/Applications/Tresorit.app/Contents/MacOS/TresoritExtension.app/Contents/PlugIns/FinderExtension.appex/Contents/MacOS/../../../../Frameworks/UtilsMac.framework/Versions/A/UtilsMac\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eThe attacker launches the targeted application, causing the malicious dylib to be loaded into the application process.\u003c/li\u003e\n\u003cli\u003eThe malicious code within the dylib executes with the privileges of the application, potentially escalating privileges to root.\u003c/li\u003e\n\u003cli\u003eThe attacker achieves persistence or performs other malicious actions based on the gained privileges.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful 
exploitation of this vulnerability can lead to complete system compromise. An attacker gaining root access can install persistent backdoors, steal sensitive data, or deploy ransomware. The number of potential victims is large, as many macOS applications from the App Store are vulnerable. The affected sectors span various industries, as the vulnerability affects a wide range of applications. The consequences of a successful attack range from data breaches and financial loss to complete system control by the attacker.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUse a tool like Dylib Hijack Scanner to identify vulnerable applications in your environment and prioritize patching or removal.\u003c/li\u003e\n\u003cli\u003eMonitor for the creation of new dylibs within application framework directories, which may indicate a dylib hijacking attempt, using a file integrity monitoring system.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetecting Dylib Hijacking via DYLD_PRINT_RPATHS\u003c/code\u003e to detect attempts to identify vulnerable dylibs.\u003c/li\u003e\n\u003cli\u003eEnable library validation for applications to prevent the loading of unsigned or improperly signed dylibs.\u003c/li\u003e\n\u003cli\u003eUse process monitoring tools like Objective-See\u0026rsquo;s ProcInfo to detect suspicious process creation events that may be indicative of exploitation.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"/briefs/2024-01-macos-dylib-hijacking/","summary":"A local privilege escalation vulnerability in macOS allows attackers to gain root privileges by hijacking dylibs in applications installed from the Mac App Store.","title":"macOS Local Privilege Escalation via Dylib Hijacking in App Store 
Applications","url":"https://feed.craftedsignal.io/briefs/2024-01-macos-dylib-hijacking/"}],"language":"en","title":"CraftedSignal Threat Feed — Dylib-Hijacking","version":"https://jsonfeed.org/version/1.1"}