Microsoft on Monday released details about a bug in macOS that Apple fixed last month – named “powerdir” – that could let attackers hijack apps, install their own nasty apps, use the microphone to eavesdrop or grab screenshots of whatever’s displayed on your screen.
The vulnerability allows malicious apps to bypass Privacy preferences. Specifically, it could allow an attacker to bypass the operating system’s Transparency, Consent, and Control (TCC) technology, thereby gaining unauthorized access to a user’s protected data, the Microsoft 365 Defender Research Team said in its advisory.
Introduced in 2012 in macOS Mountain Lion, TCC helps users to configure their apps’ privacy settings by requiring that all apps get user consent before accessing files in Documents, Downloads, Desktop, iCloud Drive, calendar and network volumes, as well as before the apps are allowed to access the device’s camera, microphone or location.
Apple released a fix for the vulnerability – identified as CVE-2021-30970 – in macOS Big Sur and macOS Monterey, as part of its Dec. 13, 2021 security updates. At the time, as is typical, Apple didn’t give much detail, merely stating that the flaw was a logic issue that could allow a malicious to bypass Privacy preferences: a flaw that it addressed with improved state management.
The Bug Trips Up TCC
TCC stores the consent history of app requests. The feature prevents unauthorized code execution by restricting full disk access to only those apps with full disk access – at least, that’s the way it’s supposed to work.
But Microsoft researchers discovered that it’s possible to programmatically change a target user’s home directory and to plant a fake TCC database, which stores the consent history of app requests.
“If exploited on unpatched systems, this vulnerability could allow a malicious actor to potentially orchestrate an attack based on the user’s protected personal data,” they explained in Monday’s advisory. “For example, the attacker could hijack an app installed on the device – or install their own malicious app – and access the microphone to record private conversations or capture screenshots of sensitive information displayed on the user’s screen.”
Typically, users manage TCC under System Preferences in macOS (System Preferences > Security & Privacy > Privacy).
The macOS Security & Privacy pane that serves as the front end of TCC. Source: Microsoft.
As Microsoft explained, when an app requests access to protected user data, one of two things can happen:
If an attacker gets full disk access to the TCC databases, Microsoft explained that the world’s then their app oyster: “They could edit it to grant arbitrary permissions to any app they choose, including their own malicious app. The affected user would also not be prompted to allow or deny the said permissions, thus allowing the app to run with configurations they may not have known or consented to.”
Prior TCC Trespasses
This isn’t the first time that TCC databases have shown themselves to be susceptible to bypass. Microsoft listed this trio of past vulnerabilities:
Apple has responded to those vulnerabilities with two changes: It protected the system-wide TCC.db via System Integrity Protection (SIP), a macOS feature that prevents unauthorized code execution, and it enforced a TCC policy that only apps with full disk access can access the TCC.db files.
“Note, though, that this policy was also subsequently abused as some apps required such access to function properly (for example, the SSH daemon, sshd),” Microsoft researchers noted.
Apple has since patched these vulnerabilities, but Microsoft said that its research shows that “the potential bypass to TCC.db can still occur.”
Microsoft’s very predictable, inarguable advice: “We encourage macOS users to apply these security updates as soon as possible.”
Image courtesy of Pixabay.
Password Reset: On-Demand Event: Fortify 2022 with a password security strategy built for today’s threats. This Threatpost Security Roundtable, built for infosec professionals, centers on enterprise credential management, the new password basics and mitigating post-credential breaches. Join Darren James, with Specops Software and Roger Grimes, defense evangelist at KnowBe4 and Threatpost host Becky Bracken. Register & Stream this FREE session today – sponsored by Specops Software.