Stealthy, Persistent DLL Hijacking Works Against OS X

Researcher Patrick Wardle of Synack is expected this week at CanSecWest to unveil malicious dylib attacks against Apple’s Mac OS X.

DLL hijacking has plagued Windows machines as far back as 2000 and provides hackers with a quiet way to gain persistence on a vulnerable machine, or remotely exploit a vulnerable application.

And now it’s come to Apple’s Mac OS X.

This week at the CanSecWest conference in Vancouver, Synack director of research Patrick Wardle is expected to deliver a talk during which he’ll explain different attacks that abuse dylibs in OS X for many of the same outcomes as with Windows: persistence; process injection; security feature bypass (in this case, Apple Gatekeeper); and remote exploitation.

“DLL hijacking has haunted Windows for a while; it’s been abused by malware by a number of malicious adversaries. It’s a fairly widespread attack,” Wardle told Threatpost. “I wondered if it was similar on OS X and I found an attack similar to that. Under the hood, there are technical differences, but it provides the same capabilities. Given you have a vulnerable app on OS X, you can abuse it the same way it’s abused on Windows.”

Following his talk, Wardle is also expected to release source code for a scanner that discovers apps that are vulnerable to his attack. Running his Python script against his own OS X machine, Wardle was able to find 144 binaries vulnerable to different flavors of his dylib hijacking attacks, including Apple’s Xcode, iMovie and QuickTime plugins, Microsoft Word, Excel, and PowerPoint, and third-party apps such as Java, Dropbox, GPG Tools and Adobe plugins.

“Windows is vulnerable to DLL hijacking, and now OS X is similarly vulnerable to dylib hijacking,” Wardle said.

With DLL and dylib attacks, the concept is essentially the same: an attacker must find a way to get a malicious library into a directory that the operating system searches when loading libraries. Wardle explained one facet of his attack where he was able to find a vulnerable Apple binary in its Photostream Agent that automatically started with iCloud.

“It’s perfect for attacker persistence,” Wardle said. “You copy a specially crafted dylib into the directory PhotoStream looks for when the app starts, and the attacker’s dylib is loaded into the context of the process. It’s a stealthy way to gain persistence; you’re not creating any new processes, nor modifying any files. You’re planting a single dylib and you’re in.”

In another attack, Wardle said he was able to gain automatic and persistent code execution via a process injection against Xcode, Apple’s integrated developer environment.

“My malware infects Xcode and any time a developer deploys a new binary, it would also add the malicious code,” Wardle said. “It’s an anonymous propagation vector.”

Wardle was also able to remotely bypass Apple’s Gatekeeper security product that limits what software can be downloaded onto an Apple machine and from where, in addition to providing antimalware protection. His malicious dylib code, he said, would be implanted in a download that should be blocked by Gatekeeper because it’s not signed from the Apple App Store. Gatekeeper, however, will load the malicious file remotely, giving the attacker code execution, Wardle said.

“Gatekeeper normally does a pretty good job of blocking these downloads, but now using this bypass, we can get users to infect themselves,” Wardle said.

Wardle is expected to demonstrate an attack that combines all of these components, including the Gatekeeper bypass, which when executed uses the dylib hijacking to gain persistence, grabs users’ files and exfiltrates that data to iCloud, and can also send remote commands to the vulnerable machine. Most worrisome, he said, is that his malware went undetected by most antivirus packages, and that Apple barely acknowledged his bug reports, which began in January, other than with an automated response and a thank-you and congratulations on his talk being accepted at CanSecWest.

“I think things are broken. This abuses legitimate functionality of OS X and it’s not patched,” Wardle said. “These attacks are powerful and stealthy, and do a lot of malicious things.”

  • Anastasia Lee on

    Sounds like the malware on my MacBook. I've been fighting it since 2012. Every file & process you describe is there, plus more. Universal access, printer proxies, time machine... RFID readers & Bluetooth audio, transport... Lemme know when you fix it. (Kidding)
  • Me on

    I've got one that enables guest user account, bypasses startup settings and boot modes (shows users instead of name and password until after logging in with user credentials, then displays verbose mode startup, safe boot, etc.), modifies ARD Agent SUID, and creates a whole bunch of processes under kext and launchd, self-deletes logs, restricts permissions when viewing console logs, modifies partition maps, adds groups, and enables ports after manual disabling. Appears to be originating from an infected external drive, possibly Apple Time Capsule, because suspect processes and behaviors begin occurring despite connection via USB, Ethernet, or wifi.