As you may know, DLL hijacking it’s something that its around since around 2000 and allows hackers to exploit a machine with a vulnerable application ( just one of the possibilities of DLL hijacking).
What is DLL Hijacking?
It is an hacking technique that exploits the way certain OS applications search and load DLLs that they use. An attacker can place a DLL for a known program in a location that is searched by the applications before the legitimate DLL’s location and ensure that the malicious DLL is loaded, resulting in remote code execution.
Until now apple’s users weren’t facing this problem, but that ended because the DLL hijacking just arrived in Mac OS X.
At CanSecWest, Synack director of research Patrick Wardle will participate in a talk where its expected for him to explain some of the attacks.
Patrick Wardle provided some tips regarding the possibility of tool that scan apps that are vulnerable to his attack.
Using his own machine Wardle run a Python script where he discovered 144 binaries vulnerable to hijacking attacks, some of them being Microsoft Word, Excel, and PowerPoint.
He also exploits the application gatekeeper since it’s not signed from Apple App Store, being gatekeeper able to load malicious files remotely
The researcher was also able to remotely bypass Apple’s Gatekeeper security software implemented by Apple to control the software can be downloaded onto an Apple systems and to implement antimalware features.
Wardle explained that his code, dubbed dylib, would be implanted in a download that should be blocked by Gatekeeper because it is not signed from the Apple App Store. This is not a problem for Wardle that is able to allow Gatekeeper to load the malicious code remotely giving the control to the attacker.
“Gatekeeper normally does a pretty good job of blocking these downloads, but now using this bypass, we can get users to infect themselves,” Wardle said.
“It’s perfect for attacker persistence,” Wardle said. “You copy a specially crafted dylib into the directory PhotoStream looks for when the app starts, and the attacker’s dylib is loaded into the context of the process. It’s a stealthy way to gain persistence; you’re not creating any new processes, nor modifying any files. You’re planting a single dylib and you’re in.”
One of his tested attacks and by his own words:
“My malware infects Xcode and any time a developer deploys a new binary, it would also add the malicious code“ … “It’s an anonymous propagation vector.“
The main message to be passed by him is that this type of attacks “abuses legitimate functionality of OS X and it’s not patched”
Mac OS X users need to be careful, since these type of attacks are stealthy and can be very warmful.
About the Author Elsio Pinto
Edited by Pierluigi Paganini
(Security Affairs – DLL hijacking, Mac OS X)