Powerdir macOS TCC Vulnerability

Juli Clover (in January):

Microsoft’s 365 Defender Research Team this morning published details on a new “Powerdir” macOS vulnerability that let an attacker bypass the Transparency, Consent, and Control technology to gain unauthorized access to protected data.

Apple already addressed the CVE-2021-30970 vulnerability in the macOS Monterey 12.1 update[…]

Jonathan Bar Or:

We discovered that it is possible to programmatically change a target user’s home directory and plant a fake TCC database, which stores the consent history of app requests. If exploited on unpatched systems, this vulnerability could allow a malicious actor to potentially orchestrate an attack based on the user’s protected personal data.

[…]

First, Apple protected the system-wide TCC.db via System Integrity Protection (SIP), a macOS feature that prevents unauthorized code execution. Secondly, Apple enforced a TCC policy that only apps with full disk access can access the TCC.db files.

[…]

While the solution indeed prevents an attack by environment variable poisoning, it does not protect against the core issue. Thus, we set out to investigate: can an app programmatically change the user’s home directory and plant a fake TCC.db file?

Previously:

• macOS 12.1
• Sandbox Doesn’t Protect Files From stat()

Bug Mac macOS 11.0 Big Sur Privacy Security Transparency Consent and Control (TCC)

Comments RSS · Twitter

Leave a Comment

Name

E-mail (will not be published)

Web site

Δ