tclsh #

Created by Brendan Chamberlain (@infosecB)

Description ##

tclsh is a shell-like utility that runs Tcl from standard input or a file. tclsh holds the “com.apple.security.cs.disable-library-validation” entitlement and is capable of loading arbitary plug-ins, framework, and libraries without requiring signed code.

Paths ##

• /usr/bin/tclsh

Use Cases ##

Execute malicious dynamic library (.dylib) from standard input ##

An attacker can execute a malicious .dylib from stdin by echoing a load command and piping to tclsh. This will bypass code signing requirements.

echo "load bad.dylib" | tclsh

Detections ##

• Recommendations included in resource below. No formal detection content at this time.

Resources ##

• Dylib Loads that Tickle your Fancy

Acknowledgements ##

• Leo Pitt (@_D00mfist)