Friday, July 3, 2020

mount_apfs TCC Bypass and Privilege Escalation

Csaba Fitzl (tweet):

We could mount the entire file system through APFS snapshots as read-only, with the noowners flag, which enables us accessing (almost) every file in the file system, including data (documents, files, etc…) of every user on the system, including those protected by Apple’s privacy framework (TCC). Even with the Guest account we could read files of admin accounts as Guest! 😱


At the beginning of March 2020, Apple said that the fix is shipped in Catalina 10.15.4 beta, they didn’t tell a word how they fixed it. I quickly jumped on it, and I found that the trick still works. I was puzzled. After some testing it turned out that they tied this to the Full Disk Access (FDA) right in TCC (kTCCServiceSystemPolicyAllFiles), which I found wrong.

As he explains:

This still violates the basic BSD security model, as you can read other user’s file, without elevating to root. […] Even if SIP is ON and Terminal has Full Disk Access, you can’t see other user’s files with it - with this vulnerability you can.

But Apple still considers it to be fixed.

Thomas Reed:

Absolutely ridiculous fix, I agree. Gating the fix behind a gate that most people will have open is bad. Of course, FDA for Terminal is just bad in general, yet there’s no good way for technical users to NOT give FDA to Terminal. 😞

It’s like Apple has designed TCC in such a way that you have to make an insecure config change to get real work done, but they can say, “Well, you would have been safe if you hadn’t made an insecure config change.” 😒

And there are lots of other apps that needs Full Disk Access, for one reason or another, but they shouldn’t be given access to other users’ files.


Comments RSS · Twitter

Leave a Comment