[MacOS] DYLIB Injection through "DYLD_INSERT_LIBRARIES" env variable

[Zeyad-Azima]

Intrroduction

Sysdig is vulnerable to DYLIB Injection through the DYLD_INSERT_LIBRARIES environment variable. When running the sysdig tool it loads the libraries in the DYLD_INSERT_LIBRARIES environment variable automatically and without verifying the signature if it's the same as the tool or no. Which lead to Inject a malicious DYLIB by the tool and act on the behave of it.

Steps to Reproduce

• When running sysdig normally it will run as should, But if we created a DYLIB and indicat to it using the DYLD_INSERT_LIBRARIES environment variable it will load it without any verifying automatically.

Test DYLIB Code

#import <Foundation/Foundation.h>
__attribute__((constructor))
static void testing(int argc, const char **argv) {
NSLog(@"[+] Dynamic library loaded into %s", argv[0]);
}

Compile the code using gcc normally:

gcc -framework Foundation -dynamiclib code.m -o test.dylib

Cc: @mhzcyber

[github-actions]

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

[github-actions]

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.