Code injection in Firefox macOS Desktop Client
Categories
(Core :: Widget: Cocoa, task)
People
(Reporter: songbo.dian, Unassigned)
Details
(Keywords: reporter-external, Whiteboard: [reporter-external] [client-bounty-form] [verif?])
Attachments
(1 file)
239 bytes,
text/x-csrc
How was this issue discovered:
A blog post reminded me of this issue: https://theevilbit.github.io/posts/dyld_insert_libraries_dylib_injection_in_macos_osx_deep_dive/.
This is a common security problem for all Mac apps. I've tested this on most of the main Mac browsers (Chrome, Safari, Firefox, Microsoft Edge, Opera) and found that Firefox is vulnerable.
Firefox version && System version:
Firefox (77.0.1 64-bit)
macOS 10.15.4
Summary:
Any malicious application running with standard user permissions is able to exploit this vulnerability and execute code in your Firefox process's context.
Steps to reproduce:
- Compile the uploaded code:
  gcc -dynamiclib test.c -o inject.dylib
- Run the command in a shell:
  DYLD_INSERT_LIBRARIES=inject.dylib /Applications/Firefox.app/Contents/MacOS/firefox
- Firefox will start and the code in test.c will run in the Firefox process space.
Recommendations:
Assuming that the desktop client has been compiled using Xcode, a developer needs to turn on the "Hardened Runtime" capability, making sure that the "Allow DYLD Environment Variables" option is turned off. Another way to disallow the DYLD environment variables is adding a _RESTRICTED segment to the application binary.
Impact
Code execution in the application's context. Any sensitive resource that may be accessed via the application may be stolen. The attacker is also able to perform any action that the user may perform from Firefox.
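The second mitigation in the recommendations is something a defender can verify directly in the binary: dyld ignores DYLD_* variables for an image that carries a __RESTRICT segment containing a __restrict section. The following Python script is an added example, not part of the report or of Firefox's own code; it walks the Mach-O load commands of a 64-bit little-endian image and reports whether that marker is present. The images it is run against here are constructed in the script itself (build_macho is a hypothetical helper), so it runs offline; the hardened-runtime setting is a code-signing flag rather than a load command and is not checked by it.

```python
import struct

MH_MAGIC_64 = 0xFEEDFACF    # 64-bit little-endian Mach-O header magic
LC_SEGMENT_64 = 0x19        # load command type for segment_command_64
HEADER_SIZE = 32            # sizeof(mach_header_64)
SEGMENT_CMD_SIZE = 72       # sizeof(segment_command_64) with no sections
SECTION_SIZE = 80           # sizeof(section_64)


def has_restrict_segment(data: bytes) -> bool:
    """True if the image declares a __RESTRICT segment holding a __restrict
    section, the marker dyld honours by ignoring DYLD_* environment variables."""
    magic, _, _, _, ncmds, _, _, _ = struct.unpack_from("<8I", data, 0)
    if magic != MH_MAGIC_64:
        raise ValueError("not a 64-bit little-endian Mach-O image")
    off = HEADER_SIZE
    for _ in range(ncmds):
        cmd, cmdsize = struct.unpack_from("<2I", data, off)
        if cmdsize < 8 or off + cmdsize > len(data):
            raise ValueError("malformed load command")
        if cmd == LC_SEGMENT_64:
            segname = data[off + 8:off + 24].rstrip(b"\0")
            nsects = struct.unpack_from("<I", data, off + 64)[0]
            if segname == b"__RESTRICT":
                # section_64 records follow the segment command back to back
                for i in range(nsects):
                    sect = off + SEGMENT_CMD_SIZE + i * SECTION_SIZE
                    if data[sect:sect + 16].rstrip(b"\0") == b"__restrict":
                        return True
        off += cmdsize
    return False


def build_macho(segments):
    """Constructed sample image (not a real binary): a mach_header_64 for x86_64
    followed by one LC_SEGMENT_64 per (segname, [sectnames]) pair."""
    cmds = b""
    for segname, sectnames in segments:
        cmdsize = SEGMENT_CMD_SIZE + SECTION_SIZE * len(sectnames)
        cmds += struct.pack("<2I16s4Q4I", LC_SEGMENT_64, cmdsize, segname,
                            0, 0, 0, 0, 0, 0, len(sectnames), 0)
        for sectname in sectnames:
            cmds += struct.pack("<16s16s2Q8I", sectname, segname,
                                0, 0, 0, 0, 0, 0, 0, 0, 0, 0)
    header = struct.pack("<8I", MH_MAGIC_64, 0x01000007, 3, 2,
                         len(segments), len(cmds), 0, 0)
    return header + cmds
```

On a real macOS binary the same check is `otool -l` looking for segname __RESTRICT, while the hardened-runtime flag shows up in the flags line of `codesign -d -vvv`.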