[MacOS] DYLIB Injection through "DYLD_INSERT_LIBRARIES" env variable
Introduction
Sysdig is vulnerable to DYLIB injection through the `DYLD_INSERT_LIBRARIES` environment variable. When the sysdig tool runs, it automatically loads the libraries listed in `DYLD_INSERT_LIBRARIES` without verifying whether their signature matches the tool's. This allows a malicious DYLIB to be injected into the tool and to act on its behalf.
Steps to Reproduce
- When running `sysdig` normally it runs as it should, but if we create a DYLIB and point to it using the `DYLD_INSERT_LIBRARIES` environment variable, it loads it automatically without any verification.
Test DYLIB Code

```objectivec
#import <Foundation/Foundation.h>

// Runs when dyld loads the library, before the host program's main();
// on macOS dyld passes argc/argv to library initializers.
__attribute__((constructor))
static void testing(int argc, const char **argv) {
    NSLog(@"[+] Dynamic library loaded into %s", argv[0]);
}
```
Compile the code normally with gcc:

```sh
gcc -framework Foundation -dynamiclib code.m -o test.dylib
```
Cc: @mhzcyber
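The defender-side counterpart to the test library above, as an added example that is not sysdig project code: a best-effort start-up self-check a macOS tool can run to report a `DYLD_*` variable in its environment and any loaded image outside an assumed set of trusted directories (`trusted_prefixes` is an assumption for the example). It only detects and reports; signing the binary with the hardened runtime, which makes dyld ignore `DYLD_*` variables, is the actual mitigation, since an injected constructor has already run before `main()` starts.

```c
/* Added example, not sysdig project code: a best-effort start-up self-check.
 * The classification helpers are portable; the dyld image walk is macOS-only. */
#include <stdio.h>
#include <string.h>
#ifdef __APPLE__
#include <mach-o/dyld.h>
#endif

/* Directories loaded images are expected to come from (assumed for the example). */
static const char *const trusted_prefixes[] = {
    "/usr/lib/", "/System/Library/", "/usr/local/lib/", NULL
};

/* 1 if any DYLD_* variable is present in an environ-style array, else 0. */
int dyld_env_present(char *const *envp) {
    for (; envp && *envp; envp++)
        if (strncmp(*envp, "DYLD_", 5) == 0) return 1;
    return 0;
}

/* 1 if an image path lies outside every trusted prefix, else 0. */
int image_is_unexpected(const char *path) {
    for (const char *const *p = trusted_prefixes; *p; p++)
        if (strncmp(path, *p, strlen(*p)) == 0) return 0;
    return 1;
}

#ifdef __APPLE__
/* Walk every image dyld mapped into this process (index 0 is the main
 * executable) and report the ones outside the trusted locations. */
static int audit_loaded_images(void) {
    int bad = 0;
    for (uint32_t i = 1; i < _dyld_image_count(); i++) {
        const char *name = _dyld_get_image_name(i);
        if (name && image_is_unexpected(name)) { fprintf(stderr, "[!] unexpected image: %s\n", name); bad++; }
    }
    return bad;
}
#endif

/* An injected constructor has already run by the time main() starts, so this
 * only detects and reports; hardened runtime signing is the actual mitigation. */
int main(int argc, char **argv, char **envp) {
    (void)argc; (void)argv;
    if (dyld_env_present(envp))
        fprintf(stderr, "[!] DYLD_* variable present in environment\n");
#ifdef __APPLE__
    if (audit_loaded_images() > 0) return 1;
#endif
    return 0;
}
```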
This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.