dylib hijacking – the story develops

This is a follow-up to my previous article about DLL hacking and OS X here.

Patrick Wardle of Synack has now published his paper detailing the equivalent of ‘DLL hijacking’ on OS X, which he has dubbed ‘dylib hijacking’, here.

In the immediate term, perhaps the most important practical issue that he raises concerns the potential vulnerability in Gatekeeper which might permit this type of attack. He suggests two scenarios which could be used. The first is to “coerce the user into downloading and installing the malicious content manually”, which could be achieved by providing bogus plug-ins, fake updates or patches, or even infected torrents. The guard against those is the same as that against any trojan-style attack: great care and constant vigilance.

The second scenario is a ‘man in the middle’ attack when downloading legitimate software. Wardle points out that, whilst many products are now obtained and updated over secure connections (which, so long as they remain secure, should protect the download), any software which is distributed over plain HTTP connections remains vulnerable to such an attack.

He points out that Gatekeeper only verifies internal app and code content at present. If a signed app contains a relative external reference to a hijackable dynamic library (dylib), then an attacker can create a Disk Image (.dmg) or Zip archive (.zip) with the right folder structure to contain a malicious dylib, which could then be loaded by the legitimate app without any check being made by Gatekeeper. Thus the real app could inadvertently trigger the hijack, even though Gatekeeper might be set to only allow apps from the App Store.

Unfortunately the list of apps which could be tricked into doing this is long, and contains many tools of everyday work and Mac usage. To help users see which of their running apps could be vulnerable to such a dylib hijack, he has made a free scanner available here.
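To make the Gatekeeper gap described above concrete, here is an added example (it is not code from the original post and not Wardle's scanner) of the kind of check a defender can run against an app's main executable: walk the Mach-O load commands, take each relative dylib reference (`@executable_path`, `@loader_path`, `@rpath`), resolve it against a given install path, and report every search location that falls outside the .app bundle, because a file placed there by a crafted .dmg or .zip layout would never be examined by Gatekeeper. The Mach-O image, the install path `/Applications/Example.app` and the library names are all constructed for the example; the code only examines the main executable and makes no filesystem lookups, so it reports where dyld would search, not whether a file is actually present there.

```python
"""
Added example (not from the original post, and not Wardle's scanner): a
minimal Mach-O load-command walk that flags dylib references which, for an
app at a given install path, would be searched for OUTSIDE the .app bundle.
Those are the references Gatekeeper never sees, and the ones an archive's
folder layout could satisfy. Only the main executable is examined and no
filesystem lookups are made, so this reports where dyld would look, not
whether a file is actually there.
"""
import posixpath
import struct

# Mach-O constants (from <mach-o/loader.h>)
MH_MAGIC_64 = 0xFEEDFACF
MH_EXECUTE = 0x2
CPU_TYPE_X86_64 = 0x01000007
LC_REQ_DYLD = 0x80000000
LC_LOAD_DYLIB = 0x0C
LC_LOAD_WEAK_DYLIB = 0x18 | LC_REQ_DYLD
LC_RPATH = 0x1C | LC_REQ_DYLD


def load_commands(blob):
    """Yield (cmd, raw_bytes) for each load command of a 64-bit Mach-O image."""
    magic, _cpu, _sub, _ftype, ncmds, _size, _flags, _res = struct.unpack_from("<8I", blob, 0)
    if magic != MH_MAGIC_64:
        raise ValueError("not a little-endian 64-bit Mach-O image")
    off = 32  # sizeof(struct mach_header_64)
    for _ in range(ncmds):
        cmd, cmdsize = struct.unpack_from("<II", blob, off)
        yield cmd, blob[off:off + cmdsize]
        off += cmdsize


def _cstring(raw, offset):
    return raw[offset:raw.index(b"\0", offset)].decode()


def dylib_refs(blob):
    """Return (rpaths, [(is_weak, install_name), ...]) in load-command order."""
    rpaths, dylibs = [], []
    for cmd, raw in load_commands(blob):
        if cmd in (LC_LOAD_DYLIB, LC_LOAD_WEAK_DYLIB):
            # struct dylib_command: cmd, cmdsize, then struct dylib {name offset, ...}
            name_off, = struct.unpack_from("<I", raw, 8)
            dylibs.append((cmd == LC_LOAD_WEAK_DYLIB, _cstring(raw, name_off)))
        elif cmd == LC_RPATH:
            path_off, = struct.unpack_from("<I", raw, 8)
            rpaths.append(_cstring(raw, path_off))
    return rpaths, dylibs


def external_dylib_refs(blob, exec_path):
    """
    Return [(install_name, resolved_search_path, is_weak)] for every relative
    dylib reference whose search location lies outside the .app bundle that
    contains exec_path. Absolute references (/usr/lib, /System) are skipped:
    an archive's folder layout cannot place files there.
    """
    bundle_root = exec_path[:exec_path.index(".app/") + len(".app")]
    exec_dir = posixpath.dirname(exec_path)
    rpaths, dylibs = dylib_refs(blob)

    def resolve(path):
        # For the main executable, @loader_path and @executable_path coincide.
        path = path.replace("@executable_path", exec_dir).replace("@loader_path", exec_dir)
        return posixpath.normpath(path)

    findings = []
    for weak, name in dylibs:
        if name.startswith("@rpath/"):
            # dyld tries each LC_RPATH entry in order; any entry that lands
            # outside the bundle is a location Gatekeeper never validates.
            candidates = [resolve(posixpath.join(rp, name[len("@rpath/"):])) for rp in rpaths]
        elif name.startswith("@"):
            candidates = [resolve(name)]
        else:
            continue
        for where in candidates:
            if not where.startswith(bundle_root + "/"):
                findings.append((name, where, weak))
    return findings


# --- constructed sample image (not a real binary) ---------------------------

def _padded(prefix_len, text):
    raw = text.encode() + b"\0"
    return raw + b"\0" * (-(prefix_len + len(raw)) % 8)


def build_dylib_cmd(cmd, name):
    s = _padded(24, name)
    return struct.pack("<6I", cmd, 24 + len(s), 24, 0, 0x10000, 0x10000) + s


def build_rpath_cmd(path):
    s = _padded(12, path)
    return struct.pack("<3I", LC_RPATH, 12 + len(s), 12) + s


def build_macho(cmds):
    body = b"".join(cmds)
    hdr = struct.pack("<8I", MH_MAGIC_64, CPU_TYPE_X86_64, 3, MH_EXECUTE, len(cmds), len(body), 0, 0)
    return hdr + body


EXEC_PATH = "/Applications/Example.app/Contents/MacOS/Example"  # hypothetical install path
SAMPLE = build_macho([
    build_rpath_cmd("@executable_path/../../../Frameworks"),  # climbs out of the bundle
    build_rpath_cmd("@executable_path/../Frameworks"),        # stays inside Contents/
    build_dylib_cmd(LC_LOAD_DYLIB, "@rpath/libhelper.dylib"),
    build_dylib_cmd(LC_LOAD_WEAK_DYLIB, "@executable_path/../../../libplugin.dylib"),
    build_dylib_cmd(LC_LOAD_DYLIB, "/usr/lib/libSystem.B.dylib"),
])

if __name__ == "__main__":
    for name, where, weak in external_dylib_refs(SAMPLE, EXEC_PATH):
        print(f"{'weak' if weak else 'load'} {name} -> searched at {where} (outside bundle)")
```

On the constructed image the check reports two locations outside the bundle: the first `LC_RPATH` entry sends the `@rpath/libhelper.dylib` lookup to `/Applications/Frameworks/`, and the weak reference resolves to `/Applications/libplugin.dylib`; the second rpath stays inside `Contents/` and the absolute `/usr/lib` reference is ignored. On a real Mac the same load commands can be read with `otool -l`, and Wardle's scanner additionally checks which of the search locations actually contain a file, which is what separates a merely odd reference from a hijackable one.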

Wardle advises users not to download any software via insecure channels, particularly HTTP (non-secure web), until Apple has fixed this vulnerability in Gatekeeper.

As with all security matters, this is an issue of risk. Clearly, now that this attack vector is known, there will be attempts to use it. So the risk of acquiring something very nasty if you download apps via non-secure connections like HTTP has just risen very considerably. You have to make your own informed choice – at least until Apple patches Gatekeeper to fix this.