library validation error in Safari in 10.12.4( Safari 10.1)

Questions and Answers about all things *OS (macOS, iOS, tvOS, watchOS)

library validation error in Safari in 10.12.4( Safari 10.1)

Postby mmurali » Thu Jun 01, 2017 8:03 am

Hi,

when trying to load a library in Safari, we are getting the following error. This was working in previous versions( 10.12.3 and before) and observing the issue in 10.12.4 only.
I did try to sign the library using an apple developer ID, but still I observe the same issue.

default 04:53:53.109042 -0700 apsd : Stream processing: complete no, invalid no, length parsed 0, parameters (null) error 04:53:52.801701 -0700 kernel Library Validation failed: Rejecting '*************.dylib' (Team ID: none, platform: no) for process 'Safari(694)' (Team ID: none, platform: yes),* reason: mapped file has no cdhash (unsigned or signature broken?)*

Could you please let me know if there is any specific code signing requirement for Safari.

Any help is appreciated.
Thanks,
Murali
Last edited by mmurali on Tue Jun 20, 2017 6:31 am, edited 1 time in total.
mmurali
 
Posts: 2
Joined: Thu Jun 01, 2017 7:53 am

Re: library validation error in Safari in 10.12.4( Safari 10

Postby morpheus » Thu Jun 01, 2017 1:57 pm

It's no so much Safari, but the general restriction that AAPL is now enforcing. It's called "library validation" and is enforced by AMFI (used to be configurable by sysctl vm.cs_library_validation).

Because Safari is a platform application (as you can verify with jtool --sig) AMFI rejects unsigned binaries into it. Note the error message - it clearly states you're trying to insert an unsigned dylib in the error message. Even if you use a signed one, it would have to also be marked as a platform binary (unless SIP is disabled, in which case it should work).
morpheus
Site Admin
 
Posts: 532
Joined: Thu Apr 11, 2013 6:24 pm

Re: library validation error in Safari in 10.12.4( Safari 10

Postby septium » Fri Jun 02, 2017 10:13 am

J, would your shellcode injection technique from inject/corerupt work for Safari in 10.12.4+ with SIP and vm.cs_library_validation enabled?
septium
 
Posts: 25
Joined: Thu May 04, 2017 10:04 am

Re: library validation error in Safari in 10.12.4( Safari 10

Postby mmurali » Tue Jun 20, 2017 6:30 am

I made some progress after some investigation. For me the error given in the first post is coming because of older SDK version I am using. Even though I signed the library, some code signing version change in 10.9 and above causing the issue. So I upgraded my mac OS SDK to 10.9 and tried but this time got a different error.

Library Validation failed: Rejecting '************.dylib' (Team ID: xxxxxxx, platform: no) for process 'Safari(1093)' (Team ID: none, platform: yes), reason: mapping process is a platform binary, but mapped file is not.

As the above error suggests, my library is not a platform binary(not a platform binary means my assumption is that it is not an apple signed binary). And this I am trying to load into Safari which is a platform binary( Signed by Apple).

Currently struck there.
mmurali
 
Posts: 2
Joined: Thu Jun 01, 2017 7:53 am

Re: library validation error in Safari in 10.12.4( Safari 10

Postby morpheus » Wed Jun 21, 2017 1:00 am

Per earlier answer, this is where you "ought to be" stuck, because the whole point of Library validation is to prevent these types of injection. Even with a code signature, you need one that matches Safari's requirements. What you COULD do is strip Safari's code signature altogether (though that would also take unrestricting from SIP).

This also defeats the inject.c example I posted, but that can thankfully be worked around.
morpheus
Site Admin
 
Posts: 532
Joined: Thu Apr 11, 2013 6:24 pm


Return to Questions and Answers

Who is online

Users browsing this forum: No registered users and 2 guests