Apple’s OS X operating system has multiple layers of security to protect users against potentially malicious applications, but according to Patrick Wardle, director of research at Synack, dynamic link library (DLL) hijacking can be used to bypass those protections, potentially putting users at risk.
Wardle is set to formally detail his research at a presentation at the CanSecWest security conference in Vancouver, British Columbia, on March 18. Apple did not respond to a request for comment from eWEEK about Wardle’s research.
“I submitted the initial bug to Apple via their suggested bug reporting channel, https://bugreport.apple.com, on Jan. 15, 2015,” Wardle told eWEEK. “In this report, I also informed them I’d be speaking about this at CanSecWest.”
Wardle said he didn’t get an initial response back from Apple, so he resubmitted his findings on Feb. 7 and got an automated response on Feb. 9 acknowledging the submission. On Feb. 10, Wardle emailed Apple back, thanking the company for its automated response and reiterating that he would be talking about the DLL hijacking issue at the CanSecWest conference. On Feb. 13, Apple emailed Wardle back thanking him for his previous email. Wardle noted that the Feb. 13 email was the first time he received a non-automated response from Apple.
“They [Apple] also emailed me at the end of February, stating they would be willing to provide feedback on my slides,” Wardle said. “At no point did they ask for more technical details or provide any indication that they would be patching/fixing this issue.”
The actual DLL hijacking vulnerability is an attack vector that has been used against Microsoft Windows operating systems since 2010.
“It turns out that there is a DLL hijacking attack that works against OS X that allows an attacker to exploit vulnerable applications and inject malicious libraries into target processes, bypassing personal security products and even Gatekeeper,” Wardle said.
Gatekeeper is the built-in anti-malware technology that Apple has integrated into OS X since the 10.7.5 Mountain Lion release in 2012. Wardle explained that for DLL hijacking to work against OS X, all it takes is for an attacker to place a malicious DLL in a specific location on a system. He added that the attack is very stealthy and is able to abuse legitimate functionality in the operating system, making it difficult to patch against.
To test how many vulnerable applications are in the market, Wardle wrote a Python script, which he plans on releasing after his talk, and found over 150 binaries that are vulnerable to the DLL hijacking attack.
“The applications are not actually doing anything wrong. The dynamic loader will look in multiple locations for DLLs,” he said. “So if the legitimate library that the application is looking for is in a secondary location, an attacker can place a malicious DLL, with the same name, in the primary location path.”
Wardle explained that the dynamic loader will naively load the malicious DLL that is found in the primary application path, thinking that it is the real DLL. He added that the DLL hijacking exploit can be enabled to be persistent on an OS X system, starting up whenever the user boots the system.
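The search-order behaviour described above is what a developer or defender would want to audit in their own application bundles: which locations the loader probes before it reaches the library it actually finds. The following Python script is an added example written for this article; it is not Wardle’s script and not Apple’s code. It parses the load commands of a 64-bit Mach-O image (LC_LOAD_DYLIB, LC_LOAD_WEAK_DYLIB and LC_RPATH, with layouts as defined in Apple’s mach-o/loader.h), resolves each @rpath import against the run-path list in order, and reports any earlier location that is empty while a later one holds the real library, plus weak imports that exist nowhere. The app bundle, file names and “existing” files are constructed in memory so the example runs without a Mac; the `build_macho`, `dylib_cmd` and `rpath_cmd` helpers only exist to fabricate that sample. On a real system you would pass the bytes of the bundle’s main executable and leave `exists` at its default.

```python
import os
import struct

# Mach-O constants (values from Apple's <mach-o/loader.h>).
MH_MAGIC_64 = 0xFEEDFACF
LC_REQ_DYLD = 0x80000000
LC_LOAD_DYLIB = 0x0C
LC_LOAD_WEAK_DYLIB = 0x18 | LC_REQ_DYLD
LC_RPATH = 0x1C | LC_REQ_DYLD


def _cstr(data, start):
    return data[start:data.index(b"\0", start)].decode()


def parse_load_commands(data):
    """Return ([(dylib_name, is_weak)], [rpath]) from a thin 64-bit little-endian Mach-O."""
    magic, _, _, _, ncmds, _, _, _ = struct.unpack_from("<8I", data, 0)
    if magic != MH_MAGIC_64:
        raise ValueError("not a 64-bit little-endian Mach-O image")
    dylibs, rpaths = [], []
    off = 32  # sizeof(mach_header_64); load commands follow immediately
    for _ in range(ncmds):
        cmd, cmdsize = struct.unpack_from("<II", data, off)
        if cmd in (LC_LOAD_DYLIB, LC_LOAD_WEAK_DYLIB):
            (name_off,) = struct.unpack_from("<I", data, off + 8)  # lc_str offset
            dylibs.append((_cstr(data, off + name_off), cmd == LC_LOAD_WEAK_DYLIB))
        elif cmd == LC_RPATH:
            (path_off,) = struct.unpack_from("<I", data, off + 8)
            rpaths.append(_cstr(data, off + path_off))
        off += cmdsize
    return dylibs, rpaths


def _expand(path, exe_dir):
    # For the main executable, @loader_path and @executable_path coincide.
    for token in ("@executable_path", "@loader_path"):
        path = path.replace(token, exe_dir)
    return os.path.normpath(path)


def audit_dylib_search(data, exe_dir, exists=os.path.exists):
    """Report search locations the loader would probe before the library it actually finds.

    ('unclaimed_primary', name, path)   an earlier run-path location that is empty
    ('weak_missing', name, [paths])     a weak import present in no location at all
    """
    dylibs, rpaths = parse_load_commands(data)
    findings = []
    for name, weak in dylibs:
        if name.startswith("@rpath/"):
            rel = name[len("@rpath/"):]
            candidates = [_expand(os.path.join(rp, rel), exe_dir) for rp in rpaths]
        else:
            candidates = [_expand(name, exe_dir)]
        present = [c for c in candidates if exists(c)]
        if not present:
            if weak:  # a missing hard import would simply stop the app from launching
                findings.append(("weak_missing", name, candidates))
            continue
        for c in candidates[:candidates.index(present[0])]:
            findings.append(("unclaimed_primary", name, c))
    return findings


# --- helpers that fabricate a sample image (constructed for this example only) ---
def _pad8(b):
    return b + b"\0" * (-len(b) % 8)


def dylib_cmd(name, weak=False):
    # dylib_command: cmd, cmdsize, name offset (24), timestamp, current, compat, then the string
    body = _pad8(struct.pack("<IIII", 24, 0, 0x10000, 0x10000) + name.encode() + b"\0")
    return struct.pack("<II", LC_LOAD_WEAK_DYLIB if weak else LC_LOAD_DYLIB, 8 + len(body)) + body


def rpath_cmd(path):
    body = _pad8(struct.pack("<I", 12) + path.encode() + b"\0")  # path offset is 12
    return struct.pack("<II", LC_RPATH, 8 + len(body)) + body


def build_macho(cmds):
    payload = b"".join(cmds)
    return struct.pack("<8I", MH_MAGIC_64, 0x0100000C, 0, 2, len(cmds), len(payload), 0, 0) + payload


# Constructed scenario: a fictitious bundle whose library lives only in the second run path.
EXE_DIR = "/Applications/Example.app/Contents/MacOS"
SAMPLE_IMAGE = build_macho([
    rpath_cmd("@executable_path/../Frameworks"),  # probed first
    rpath_cmd("/Library/Frameworks"),             # probed second
    dylib_cmd("@rpath/libCore.dylib"),
    dylib_cmd("@rpath/libOptional.dylib", weak=True),
    dylib_cmd("/usr/lib/libSystem.B.dylib"),
])
SAMPLE_FILES = {"/Library/Frameworks/libCore.dylib", "/usr/lib/libSystem.B.dylib"}


def sample_findings():
    return audit_dylib_search(SAMPLE_IMAGE, EXE_DIR, exists=SAMPLE_FILES.__contains__)


if __name__ == "__main__":
    for kind, name, where in sample_findings():
        print(f"{kind:17} {name} -> {where}")
```

The script models only the LC_RPATH ordering the article describes; real dyld also honours DYLD_* environment variables and fallback directories, and the example does not handle fat (multi-architecture) images. An `unclaimed_primary` hit is only a risk if that directory is writable by the user, so a real audit would add a permission check; the fix on the developer side is to ship the library at the first location, drop run-path entries the bundle does not need, or remove weak imports that are never satisfied.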
Apple OS X at Risk From DLL Hijacking Exploit
One potential attack scenario, which Wardle referred to as load time process injection, is all about getting malicious code into a target process. As part of his research, Wardle targeted Apple’s Xcode Integrated Developer Environment (IDE).
“I thought it would be a cool idea for malware to infect binaries as the developer is compiling them, as kind of an autonomous malware propagation vector,” he said.
As it turns out, Wardle isn’t the only one who had the idea of using Xcode as a way to infect OS X. A report based on files from U.S. National Security Agency (NSA) whistleblower Edward Snowden claims the spy agency was attempting something similar. Coincidentally, Wardle is also a former NSA employee.
Wardle said he was unable to comment on his activities while working for the NSA, though he emphasized that his OS X DLL hijacking research is all new and wasn’t the result of initiatives he was involved with while working at the NSA.
There is also the possibility of leveraging DLL hijacking by way of a remote attack. The Apple OS X Gatekeeper checks to make sure that content has been signed by a valid developer and can also be configured to allow only applications downloaded from the Apple App Store for Mac to run.
One of the reasons Wardle was able to infect code was due to the fact that some software is downloaded over HTTP and not the more secure HTTPS.
“It means a sophisticated adversary could intercept the download requests and then using the Gatekeeper bypass could inject malicious code,” Wardle said. “The user when installing the software would then unknowingly infect themselves.”
Going a step further, Wardle said he tested his attack against every Mac security product he could find. The result? Not a single one was able to detect the attack.
“To me, that shows the state of security products on Mac, and it shows that an adversary can trivially bypass any of them,” he said.
Wardle has a few ideas as to how Apple can fix the DLL hijacking issue.
“Apple could change the dynamic loader such that when a signed application is loaded, it will only load DLLs that are signed by the same company or developer,” Wardle said. “For users, there is no reason why companies should have software downloads over HTTP, as they are trivially easy to intercept.”
Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.