threatpost | Lisa Vaas | THREATPOST:2B3917ECB87C4A3C315132D8E32C1073
History: Jan 11, 2022 - 8:35 p.m.

MacOS Bug Could Let Creeps Snoop On You

2022-01-11 20:35:47
Lisa Vaas
threatpost.com
156
macos
bug
powerdir
unauthorized access
tcc
privacy settings
vulnerability
security updates
microsoft research
microphone access
screenshot capture

CVSS2: 4.6
Attack Vector: LOCAL
Attack Complexity: LOW
Authentication: NONE
Confidentiality Impact: PARTIAL
Integrity Impact: PARTIAL
Availability Impact: PARTIAL
AV:L/AC:L/Au:N/C:P/I:P/A:P

CVSS3: 7.8
Attack Vector: LOCAL
Attack Complexity: LOW
Privileges Required: LOW
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

AI Score: 7.2
Confidence: High

EPSS: 0.006
Percentile: 78.3%

Microsoft on Monday released details about a bug in macOS that Apple fixed last month – named “powerdir” – that could let attackers hijack apps, install their own nasty apps, use the microphone to eavesdrop or grab screenshots of whatever’s displayed on your screen.

The vulnerability allows malicious apps to bypass privacy preferences. Specifically, it could allow an attacker to bypass the operating system’s Transparency, Consent and Control (TCC) technology, thereby gaining unauthorized access to a user’s protected data, the Microsoft 365 Defender Research Team said in its advisory.

Introduced in 2012 in macOS Mountain Lion, TCC helps users to configure their apps’ privacy settings by requiring that all apps get user consent before accessing files in Documents, Downloads, Desktop, iCloud Drive, calendar and network volumes, as well as before the apps are allowed to access the device’s camera, microphone or location.

Apple released a fix for the vulnerability – identified as CVE-2021-30970 – in macOS Big Sur and macOS Monterey, as part of its Dec. 13, 2021 security updates. At the time, as is typical, Apple didn’t give much detail, merely stating that the flaw was a logic issue that could allow a malicious app to bypass privacy preferences, a flaw that it addressed with improved state management.

The Bug Trips Up TCC

TCC stores the consent history of app requests. The feature prevents unauthorized code execution by restricting full disk access to only those apps with appropriate privileges – at least, that’s the way it’s supposed to work.

But Microsoft researchers discovered that it’s possible to programmatically change a target user’s home directory and to plant a fake TCC database.

“If exploited on unpatched systems, this vulnerability could allow a malicious actor to potentially orchestrate an attack based on the user’s protected personal data,” they explained in Monday’s advisory. “For example, the attacker could hijack an app installed on the device – or install their own malicious app – and access the microphone to record private conversations or capture screenshots of sensitive information displayed on the user’s screen.”

Typically, users manage TCC under System Preferences in macOS (System Preferences > Security & Privacy > Privacy).

The macOS Security & Privacy pane that serves as the front end of TCC. Source: Microsoft.

As Microsoft explained, when an app requests access to protected user data, one of two things can happen:

  1. If the app and the type of request have a record in the TCC databases, then a flag in the database entry dictates whether to allow or deny the request — automatically and without any user interaction.
  2. If the app and the type of request do not have a record in the TCC databases, then a prompt is presented to the user, who decides whether to grant or deny access. The said decision is backed into the databases so that succeeding similar requests will now fall under the first scenario.

If an attacker gets full disk access to the TCC databases, Microsoft explained that the world’s then their app oyster: “They could edit it to grant arbitrary permissions to any app they choose, including their own malicious app. The affected user would also not be prompted to allow or deny the said permissions, thus allowing the app to run with configurations they may not have known or consented to.”
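Because a stored record decides silently, a defender's useful check is to compare the allow records in a TCC database against what the user is known to have approved. The following is an added example, not code from Microsoft, Apple or the article: the table layout, column names, service identifiers and the value 2 for "allow" are assumptions modelled on the TCC database, and the sample rows and baseline are constructed.

```python
import sqlite3

# Services tied to the abuses the article names; identifiers are assumed here.
SENSITIVE = {"kTCCServiceMicrophone", "kTCCServiceScreenCapture",
             "kTCCServiceSystemPolicyAllFiles"}
ALLOWED = 2  # assumed encoding of "allow" in the auth_value column

def build_sample_db():
    """Constructed in-memory stand-in for a user TCC.db (simplified schema)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE access (service TEXT, client TEXT, "
                 "auth_value INTEGER, last_modified INTEGER)")
    conn.executemany("INSERT INTO access VALUES (?, ?, ?, ?)", [
        ("kTCCServiceMicrophone", "com.example.meetings", 2, 1639000000),
        ("kTCCServiceMicrophone", "com.example.unknown-helper", 2, 1641800000),
        ("kTCCServiceScreenCapture", "com.example.recorder", 0, 1639000500),
        ("kTCCServiceCalendar", "com.example.planner", 2, 1639001000),
    ])
    return conn

def decide(conn, service, client):
    """The two scenarios: a stored record decides silently, otherwise prompt."""
    row = conn.execute(
        "SELECT auth_value FROM access WHERE service = ? AND client = ?",
        (service, client)).fetchone()
    if row is None:
        return "prompt"
    return "allow" if row[0] == ALLOWED else "deny"

def audit_grants(conn, baseline):
    """Return allow records for sensitive services that are not in the baseline.

    baseline: set of (service, client) pairs the user is known to have approved.
    """
    rows = conn.execute(
        "SELECT service, client, last_modified FROM access "
        "WHERE auth_value = ? ORDER BY last_modified", (ALLOWED,)).fetchall()
    return [(svc, client, ts) for svc, client, ts in rows
            if svc in SENSITIVE and (svc, client) not in baseline]

if __name__ == "__main__":
    db = build_sample_db()
    approved = {("kTCCServiceMicrophone", "com.example.meetings")}
    for finding in audit_grants(db, approved):
        print("unexpected grant:", finding)
```

An unexpected allow record is a lead for investigation rather than proof of tampering, since the baseline itself can be stale.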

Prior TCC Trespasses

This isn’t the first time that TCC databases have shown themselves to be susceptible to bypass. Microsoft listed this trio of past vulnerabilities:

  • Time Machine mounts (CVE-2020-9771): macOS offers a built-in backup and restore solution called Time Machine. It was discovered that Time Machine backups could be mounted (using the apfs_mount utility) with the “noowners” flag. Since these backups contain the TCC.db files, an attacker could mount those backups and determine the device’s TCC policy without having full disk access.
  • Environment variable poisoning (CVE-2020-9934): It was discovered that the user’s tccd could build the path to the TCC.db file by expanding $HOME/Library/Application Support/com.apple.TCC/TCC.db. Since the user could manipulate the $HOME environment variable (as introduced to tccd by launchd), an attacker could plant a chosen TCC.db file in an arbitrary path, poison the $HOME environment variable, and make TCC.db consume that file instead.
  • Bundle-conclusion issue (CVE-2021-30713): First disclosed by Jamf in a blog post about the XCSSET malware family, this bug abused how macOS was deducing app bundle information. For example, suppose an attacker knows of a specific app that commonly has microphone access. In that case, they could plant their application code in the target app’s bundle and “inherit” its TCC capabilities.

Apple has responded to those vulnerabilities with two changes: It protected the system-wide TCC.db via System Integrity Protection (SIP), a macOS feature that prevents unauthorized code execution, and it enforced a TCC policy that only apps with full disk access can access the TCC.db files.

“Note, though, that this policy was also subsequently abused as some apps required such access to function properly (for example, the SSH daemon, sshd),” Microsoft researchers noted.

Apple has since patched these vulnerabilities, but Microsoft said that its research shows that “the potential bypass to TCC.db can still occur.”

Microsoft’s very predictable, inarguable advice: “We encourage macOS users to apply these security updates as soon as possible.”
