CVE-2022-25366: Cryptomator 1.6.5 Dylib Injection - AppleBois - Medium

This module we will learn about Dylib Injection for Cryptomator 1.6.5 in MacOS Application.

First we will just run a codesign on the Cryptomator app, we can see that it’s has the flag of 0x1000 runtime hardened flag. But, there are interesting entitlement that was set to TRUE. For Dylib Injection, we are interested in Disable Library Validation and Allow Dylib Environment Variable.

Codesign output

If you are un-familiar with Dylib Injection, I will include several references for the reading.

When we see the entitlement of “com.apple.security.cs.disable-library-validation” we will know that this allow Dylib Injection, but due to the nature of the application, it will load specific third parties dylib. Which mean we can look for Dylib Proxying or Dylib Hijacking. However, I did not managed to find path for Dylib Proxying or Hijacking.

Replied from them

But, since we have another entitlement called “com.apple.security.cs.allow-dyld-environment-variables” we can specify the ENV variable (DYLD_INSERT_LIBRARIES) to the path of our malicious dylib.

Below screenshot is the Source Code of the malicious Dylib

Source code of the malicious Dylib written in Objective C

Specify the Environment Variable and trigger te Cryptomator Application.

On the terminal we will able to see [+]dylib constructor called from /Applications/Cryptmator.app/Contents/MacOS/Cryptomator.

Dylib Injection is success

The impact will be it will turn into a code injection, method swizzling, interposting.

The fix should be remove low hanging fruits. Remove the entitlement “com.apple.security.cs.allow-dyld-environment-variables”

Reference:
https://wojciechregula.blog/post/dangerous-get-task-allow-entitlement/
https://theevilbit.github.io/posts/dyld_insert_libraries_dylib_injection_in_macos_osx_deep_dive/
https://cryptomator.org/