Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)!
Other ways to support HackTricks:
- If you want to see your company advertised in HackTricks or download HackTricks in PDF Check the SUBSCRIPTION PLANS!
- Get the official PEASS & HackTricks swag
- Discover The PEASS Family, our collection of exclusive NFTs
- Join the 💬 Discord group or the telegram group or follow us on Twitter 🐦 @carlospolopm.
- Share your hacking tricks by submitting PRs to the HackTricks and HackTricks Cloud github repos.
For further detail about the technique check the original post from: https://blog.xpnsec.com/dirtynib/. Here is a summary:
NIB files, part of Apple's development ecosystem, are intended for defining UI elements and their interactions in applications. They encompass serialized objects such as windows and buttons, and are loaded at runtime. Despite their ongoing usage, Apple now advocates for Storyboards for more comprehensive UI flow visualization.
It's critical to note that NIB files can be a security risk. They have the potential to execute arbitrary commands, and alterations to NIB files within an app don't hinder Gatekeeper from executing the app, posing a significant threat.
- Initial Setup:
  - Create a new NIB file using XCode.
  - Add an Object to the interface, setting its class to `NSAppleScript`.
  - Configure the initial `source` property via User Defined Runtime Attributes.
- Code Execution Gadget:
  - The setup facilitates running AppleScript on demand.
  - Integrate a button to activate the AppleScript object, specifically triggering the `executeAndReturnError:` selector.
- Testing:
  - A simple AppleScript for testing purposes:

    ```applescript
    set theDialogText to "PWND"
    display dialog theDialogText
    ```

  - Test by running in the XCode debugger and clicking the button.
- Preparation:
  - Copy the target app (e.g., Pages) into a separate directory (e.g., `/tmp/`).
  - Initiate the app to sidestep Gatekeeper issues and cache it.
- Overwriting NIB File:
  - Replace an existing NIB file (e.g., About Panel NIB) with the crafted DirtyNIB file.
- Execution:
  - Trigger the execution by interacting with the app (e.g., selecting the `About` menu item).
- Modify the AppleScript to access and extract user data, such as photos, without user consent.
- Access and review a sample of a malicious .xib file that demonstrates executing arbitrary code.
- Launch Constraints hinder app execution from unexpected locations (e.g., `/tmp`).
- It's possible to identify apps not protected by Launch Constraints and target them for NIB file injection.
From macOS Sonoma onwards, modifications inside App bundles are restricted. However, earlier methods involved:
- Copying the app to a different location (e.g., `/tmp/`).
- Renaming directories within the app bundle to bypass initial protections.
- After running the app to register with Gatekeeper, modifying the app bundle (e.g., replacing MainMenu.nib with Dirty.nib).
- Renaming directories back and rerunning the app to execute the injected NIB file.
Note: Recent macOS updates have mitigated this exploit by preventing file modifications within app bundles after Gatekeeper caching, rendering the exploit ineffective.
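The following is an added example, not code from the original post or from HackTricks: a defender-side Python script that walks an `.app` bundle, lists its NIB payloads, flags any whose archived bytes name the `NSAppleScript` class, and, where the `codesign` tool is available, verifies the bundle's signature so that a NIB replaced after the app was cached shows up as a signature failure. The bundle layout, the `build_sample_bundle` helper and the NIB contents it writes are constructed for this demonstration and are not real Apple resources.

```python
"""Triage scan of a macOS .app bundle for NIB files referencing NSAppleScript,
plus an optional code-signature check.

Added example for this page (not the original post's code). Assumptions:
NIB payloads live under Contents/Resources either as flat *.nib files or as
*.nib directories holding keyedobjects*.nib, and a class reference survives
as the literal class-name string inside the keyed-archive plist.
"""
import os
import shutil
import subprocess
import tempfile

# Classes worth flagging in a UI archive; extend to taste. The page only
# names NSAppleScript, so that is the only entry here.
SUSPICIOUS_CLASSES = (b"NSAppleScript",)


def iter_nib_files(bundle_path):
    """Yield every NIB payload path under the bundle (flat *.nib files and
    keyedobjects*.nib files inside *.nib directories)."""
    for root, _dirs, files in os.walk(bundle_path):
        for name in files:
            if name.endswith(".nib") or (
                root.endswith(".nib") and name.startswith("keyedobjects")
            ):
                yield os.path.join(root, name)


def scan_nib(path):
    """Return the flagged class names whose literal appears in the NIB bytes."""
    with open(path, "rb") as fh:
        data = fh.read()
    return [cls.decode() for cls in SUSPICIOUS_CLASSES if cls in data]


def scan_bundle(bundle_path):
    """Map bundle-relative NIB paths to the flagged classes they reference.
    Only NIBs with at least one hit are included."""
    findings = {}
    for nib in iter_nib_files(bundle_path):
        hits = scan_nib(nib)
        if hits:
            findings[os.path.relpath(nib, bundle_path)] = hits
    return findings


def verify_signature(bundle_path):
    """Run `codesign --verify --deep --strict` on the bundle.
    Returns True when the signature is intact, False when it fails, and
    None when codesign is not installed (e.g. on a non-macOS analysis box)."""
    if shutil.which("codesign") is None:
        return None
    proc = subprocess.run(
        ["codesign", "--verify", "--deep", "--strict", bundle_path],
        capture_output=True,
    )
    return proc.returncode == 0


def build_sample_bundle():
    """Construct a throwaway bundle (test data, not a real app) with one
    benign NIB and one NIB that names NSAppleScript."""
    bundle = os.path.join(tempfile.mkdtemp(), "Sample.app")
    resources = os.path.join(bundle, "Contents", "Resources")
    os.makedirs(os.path.join(resources, "MainMenu.nib"))
    # Benign archive: window and button classes only (constructed bytes).
    with open(os.path.join(resources, "MainMenu.nib", "keyedobjects.nib"), "wb") as fh:
        fh.write(b"bplist00\x00NSWindow\x00NSButton\x00")
    # Tampered-looking archive: carries an NSAppleScript object (constructed).
    with open(os.path.join(resources, "About.nib"), "wb") as fh:
        fh.write(b"bplist00\x00NSAppleScript\x00source\x00")
    return bundle


if __name__ == "__main__":
    import sys

    target = sys.argv[1] if len(sys.argv) > 1 else build_sample_bundle()
    for rel_path, classes in scan_bundle(target).items():
        print(f"FLAG {rel_path}: references {', '.join(classes)}")
    print("signature:", verify_signature(target))
```

The string match is a triage signal rather than proof: a legitimate app may ship a NIB that references `NSAppleScript`, so the useful combination is a flagged NIB together with a failing `codesign --verify --deep --strict`, which is exactly the state a bundle is left in when a resource is swapped after it was signed.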