Ex-NSA researcher says that Apple’s insecure app-downloads enable Windows-style ‘dylib’ exploits
Tue 17 Mar 2015
A former NSA and NASA security researcher claims to have identified techniques which enable the same kind of shared-library exploits in Apple’s OSX operating system that have plagued the Windows OS for over 15 years. Speaking to Threatpost at the CanSecWest conference in Vancouver, Patrick Wardle, director of research at Security-as-a-Service provider Synack, contends that OSX’s ‘dylib’ libraries can be substituted for malicious versions, providing the same exploit functionality that the DLL (Dynamic Link Library) has been providing to Windows attackers for many years.
“DLL hijacking has haunted Windows for a while,” said Wardle. “It’s been abused by malware by a number of malicious adversaries. It’s a fairly widespread attack… I wondered if it was similar on OS X and I found an attack similar to that. Under the hood, there are technical differences, but it provides the same capabilities. Given you have a vulnerable app on OS X, you can abuse it the same way it’s abused on Windows.”
Dynamic libraries are shared components, many of them supplied by the operating system itself, that programs load at runtime rather than bundling their own copy of the code. On Mac OSX such files carry the .dylib (dynamic library) extension; on Windows they are .DLL (Dynamic Link Library) files. A common example is a library providing graphics or video functionality, which might be loaded by a messaging application, by the video component of an application that is not otherwise video-centric, or even by a GUI customisation. Shared libraries cannot be run as standalone applications on either platform; they are loaded when the host application starts, at which point their code runs inside the host application’s process, with the same privileges as the host.
Wardle has developed a process where malicious OSX dylib files can bypass OSX’s otherwise quite ‘draconian’ Gatekeeper software, which checks the validity of developer certificates against hashes stored and verified by the Apple App Store. Gatekeeper’s page at Apple promises: “The Developer ID allows Gatekeeper to block apps created by malware developers and verify that apps haven’t been tampered with since they were signed. If an app was developed by an unknown developer—one with no Developer ID—or tampered with, Gatekeeper can block the app from being installed.”
Discussing the exploit, which he will demonstrate on the 19th at CanSecWest, Wardle told Forbes:
“When the injected legitimate application is launched the unsigned malicious dylib is loaded or executed (even if the user sets his machine to accept ‘only all apps from the Mac App Store’) before the app’s main code. At this point the dylib can do anything. I see it a) kicking off the legitimate application that the user was downloading so nothing seems amiss, and b) installing the implant component which will then complete the rest of the attack, persistently infecting the user’s computer.”
It’s not a point-and-click exploit – the attacker will need to get on the same network as the target Mac, either through a breach or by sharing the same public Wi-Fi access point, and then inject a vulnerable but legitimate application and make some purely cosmetic changes to the appearance of the .dmg (virtual installer disk) file when mounted.
Wardle created a Python routine to check for susceptible applications on his own OSX-based machine, and found about 150 exploitable vectors, including Dropbox, Apple’s iCloud and Microsoft Word and Excel – all of which employ system-trusted shared libraries.
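Wardle’s own scanner is not reproduced here; what follows is an added example, not his code, of the kind of check such a routine performs: it parses a 64-bit Mach-O binary’s load commands and reports dylib imports that dyld would resolve from a location nothing currently occupies, either a weak import that resolves nowhere or an @rpath import whose earlier search directory is empty. The Mach-O image, the application path /Applications/Demo.app and the simulated disk contents are constructed for the example.

```python
# Added audit example (not Wardle's tool): walk a Mach-O binary's load commands and flag dylib imports dyld would satisfy from an unoccupied location.
import os
import struct
MH_MAGIC_64, LC_LOAD_DYLIB, LC_LOAD_WEAK_DYLIB, LC_RPATH = 0xFEEDFACF, 0x0C, 0x80000018, 0x8000001C

def _lc_str(data, off):  # lc_str: uint32 offset at +8 pointing to a NUL-terminated path
    start = off + struct.unpack_from("<I", data, off + 8)[0]
    return data[start:data.index(b"\0", start)].decode()

def parse_load_commands(data):
    """Return (rpaths, [(dylib_name, is_weak)]) from a 64-bit little-endian Mach-O image."""
    assert struct.unpack_from("<I", data, 0)[0] == MH_MAGIC_64, "not a 64-bit Mach-O image"
    ncmds, off, rpaths, dylibs = struct.unpack_from("<I", data, 16)[0], 32, [], []
    for _ in range(ncmds):  # mach_header_64 is 32 bytes; load commands follow back to back
        cmd, cmdsize = struct.unpack_from("<2I", data, off)
        if cmd in (LC_LOAD_DYLIB, LC_LOAD_WEAK_DYLIB):
            dylibs.append((_lc_str(data, off), cmd == LC_LOAD_WEAK_DYLIB))
        elif cmd == LC_RPATH:
            rpaths.append(_lc_str(data, off))
        off += cmdsize
    return rpaths, dylibs

def find_hijackable(data, exe_dir, exists=os.path.exists):
    """Resolve each import as dyld would; `exists` is injectable so the audit runs offline."""
    ex = lambda p: p.replace("@executable_path", exe_dir).replace("@loader_path", exe_dir)
    findings, (rpaths, dylibs) = [], parse_load_commands(data)
    for name, weak in dylibs:
        cands = ([os.path.join(ex(r), name[7:]) for r in rpaths]
                 if name.startswith("@rpath/") else [ex(name)])
        hit = next((i for i, c in enumerate(cands) if exists(c)), None)
        if weak and hit is None:  # optional import: the app still launches, the slot is empty
            findings.append(("weak-missing", name, cands[0]))
        elif hit:                 # resolved, but an earlier rpath directory is searched first
            findings.append(("rpath-gap", name, cands[0]))
    return findings

def _lc(cmd, hdr_len, text):  # dylib_command (hdr_len 24) or rpath_command (hdr_len 12)
    s = text.encode() + b"\0"
    s += b"\0" * (-(hdr_len + len(s)) % 8)  # load commands are padded to 8-byte alignment
    return struct.pack("<3I", cmd, hdr_len + len(s), hdr_len) + bytes(hdr_len - 12) + s

def build_sample():  # constructed image of a hypothetical app, not a real binary
    cmds = (_lc(LC_RPATH, 12, "@executable_path/../Frameworks") + _lc(LC_RPATH, 12, "/usr/lib")
            + _lc(LC_LOAD_WEAK_DYLIB, 24, "@executable_path/../Frameworks/libPlugin.dylib")
            + _lc(LC_LOAD_DYLIB, 24, "@rpath/libz.1.dylib"))
    return struct.pack("<8I", MH_MAGIC_64, 0x0100000C, 0, 2, 4, len(cmds), 0, 0) + cmds

def audit_sample():  # simulated disk: only /usr/lib/libz.1.dylib exists, Frameworks is empty
    return find_hijackable(build_sample(), "/Applications/Demo.app/Contents/MacOS",
                           exists=lambda p: p == "/usr/lib/libz.1.dylib")
```

Run against a real application, `find_hijackable(open(path, "rb").read(), os.path.dirname(path))` lists the locations a defender should make sure are populated by signed code, or removed from the search path, before trusting the bundle.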
Apple’s Xcode vulnerable to dylib attack vector
Interestingly, OSX’s developer environment Xcode is one of the vulnerable applications identified. Xcode was identified by ex-NSA whistleblower Edward Snowden last week as a high-priority hacking target for the NSA, since it is an application that creates other applications; but since Xcode’s provenance is so hard to interfere with, the possibility of hacking it puzzled many commenters when the news emerged last week.
Once running, the injected dylib components are completely resistant to detection or removal by currently available anti-virus or anti-malware products, since they run as ‘pre-approved’ processes.
Insecure app downloads
Since Gatekeeper has such a formidable reputation, software downloads via the Apple App Store are sent without encryption. Forbes took this observation to a number of OSX security vendors; F-Secure promised to ‘correct the situation’, stating that if it is not possible to ‘force’ https downloads, it would at least ensure that such downloads are ‘linked that way’.
Apparently unwilling to address Wardle’s bypass of Gatekeeper’s Developer ID check, Avast responded that https was ‘not required’: “HTTPS gives you principally two benefits over HTTP, the one being encrypted communication and the other peer verification. When downloading the DMG, there is nothing that makes sense to encrypt; there is no private information involved. And the peer verification is not necessary.”
Wardle countered that his exploit does not alter the original downloaded application, but merely uses a loophole in the installation procedure to ‘stow away’ rogue dylib files. “No application signatures are broken,” he said, “which is why the attack succeeds.” Wardle notes, however, that proprietary (Apple-created) OSX apps, which are available via Apple’s Mac App Store, are not susceptible to his injection technique.
Wardle will reveal a new app later in the week which can search for and identify malicious dylibs, and verify if the user has an attack history.