Microsoft on Monday released details about a bug in macOS that Apple fixed last month – named “powerdir” – that could let attackers hijack apps, install their own nasty apps, use the microphone to eavesdrop or grab screenshots of whatever’s displayed on your screen.
The vulnerability allows malicious apps to bypass privacy preferences. Specifically, it could allow an attacker to bypass the operating system’s Transparency, Consent and Control (TCC) technology, thereby gaining unauthorized access to a user’s protected data, the Microsoft 365 Defender Research Team said in its advisory.
Introduced in 2012 in macOS Mountain Lion, TCC helps users to configure their apps’ privacy settings by requiring that all apps get user consent before accessing files in Documents, Downloads, Desktop, iCloud Drive, calendar and network volumes, as well as before the apps are allowed to access the device’s camera, microphone or location.
Apple released a fix for the vulnerability – identified as CVE-2021-30970 – in macOS Big Sur and macOS Monterey, as part of its Dec. 13, 2021 security updates. At the time, as is typical, Apple didn’t give much detail, merely stating that the flaw was a logic issue that could allow a malicious to bypass privacy preferences: A flaw that it addressed with improved state management.
The Bug Trips Up TCC
TCC stores the consent history of app requests. The feature prevents unauthorized code execution by restricting full disk access to only those apps with appropriate privileges – at least, that’s the way it’s supposed to work.
But Microsoft researchers discovered that it’s possible to programmatically change a target user’s home directory and to plant a fake TCC database.
“If exploited on unpatched systems, this vulnerability could allow a malicious actor to potentially orchestrate an attack based on the user’s protected personal data,” they explained in Monday’s advisory. “For example, the attacker could hijack an app installed on the device – or install their own malicious app – and access the microphone to record private conversations or capture screenshots of sensitive information displayed on the user’s screen.”
Typically, users manage TCC under System Preferences in macOS (System Preferences > Security & Privacy > Privacy).
The macOS Security & Privacy pane that serves as the front end of TCC. Source: Microsoft.
As Microsoft explained, when an app requests access to protected user data, one of two things can happen:
- If the app and the type of request have a record in the TCC databases, then a flag in the database entry dictates whether to allow or deny the request — automatically and without any user interaction.
- If the app and the type of request do not have a record in the TCC databases, then a prompt is presented to the user, who decides whether to grant or deny access. The said decision is backed into the databases so that succeeding similar requests will now fall under the first scenario.
If an attacker gets full disk access to the TCC databases, Microsoft explained that the world’s then their app oyster: “They could edit it to grant arbitrary permissions to any app they choose, including their own malicious app. The affected user would also not be prompted to allow or deny the said permissions, thus allowing the app to run with configurations they may not have known or consented to.”
Prior TCC Trespasses
This isn’t the first time that TCC databases have shown themselves to be susceptible to bypass. Microsoft listed this trio of past vulnerabilities:
- Time Machine mounts (CVE-2020-9771): macOS offers a built-in backup and restore solution called Time Machine. It was discovered that Time Machine backups could be mounted (using the apfs_mount utility) with the “noowners” flag. Since these backups contain the TCC.db files, an attacker could mount those backups and determine the device’s TCC policy without having full disk access.
- Environment variable poisoning (CVE-2020-9934): It was discovered that the user’s tccd could build the path to the TCC.db file by expanding $HOME/Library/Application Support/com.apple.TCC/TCC.db. Since the user could manipulate the $HOME environment variable (as introduced to tccd by launchd), an attacker could plant a chosen TCC.db file in an arbitrary path, poison the $HOME environment variable, and make TCC.db consume that file instead.
- Bundle-conclusion issue (CVE-2021-30713): First disclosed by Jamf in a blog post about the XCSSET malware family, this bug abused how macOS was deducing app bundle information. For example, suppose an attacker knows of a specific app that commonly has microphone access. In that case, they could plant their application code in the target app’s bundle and “inherit” its TCC capabilities.
Apple has responded to those vulnerabilities with two changes: It protected the system-wide TCC.db via System Integrity Protection (SIP), a macOS feature that prevents unauthorized code execution, and it enforced a TCC policy that only apps with full disk access can access the TCC.db files.
“Note, though, that this policy was also subsequently abused as some apps required such access to function properly (for example, the SSH daemon, sshd),” Microsoft researchers noted.
Apple has since patched these vulnerabilities, but Microsoft said that its research shows that “the potential bypass to TCC.db can still occur.”
Microsoft’s very predictable, inarguable advice: “We encourage macOS users to apply these security updates as soon as possible.”
Image courtesy of Pixabay.
Password Reset: On-Demand Event: Fortify 2022 with a password security strategy built for today’s threats. This Threatpost Security Roundtable, built for infosec professionals, centers on enterprise credential management, the new password basics and mitigating post-credential breaches. Join Darren James, with Specops Software and Roger Grimes, defense evangelist at KnowBe4 and Threatpost host Becky Bracken. Register & Stream this FREE session today – sponsored by Specops Software.
