{"id":29428,"date":"2020-07-03T16:43:09","date_gmt":"2020-07-03T20:43:09","guid":{"rendered":"https:\/\/mjtsai.com\/blog\/?p=29428"},"modified":"2021-07-06T17:00:26","modified_gmt":"2021-07-06T21:00:26","slug":"mount_apfs-tcc-bypass-and-privilege-escalation","status":"publish","type":"post","link":"https:\/\/mjtsai.com\/blog\/2020\/07\/03\/mount_apfs-tcc-bypass-and-privilege-escalation\/","title":{"rendered":"mount_apfs TCC Bypass and Privilege Escalation"},"content":{"rendered":"<p><a href=\"https:\/\/theevilbit.github.io\/posts\/cve_2020_9771\/\">Csaba Fitzl<\/a> (<a href=\"https:\/\/twitter.com\/theevilbit\/status\/1278931804876087297\">tweet<\/a>):<\/p>\n<blockquote cite=\"https:\/\/theevilbit.github.io\/posts\/cve_2020_9771\/\"><p>We could mount the entire file system through APFS snapshots as read-only, with the <code>noowners<\/code> flag, which enables us to access (almost) every file in the file system, including data (documents, files, etc&#8230;) of every user on the system, including those protected by Apple&rsquo;s privacy framework (TCC). Even with the Guest account we could read files of admin accounts as Guest! &#x1F631;<\/p>\n<p>[&#8230;]<\/p>\n<p>At the beginning of March 2020, Apple said that the fix is shipped in Catalina 10.15.4 beta, but they didn&rsquo;t say a word about how they fixed it. I quickly jumped on it, and I found that the trick still works. I was puzzled. After some testing it turned out that they tied this to the Full Disk Access (FDA) right in TCC (<code>kTCCServiceSystemPolicyAllFiles<\/code>), which I found wrong.<\/p>\n<\/blockquote>\n<p>As he explains:<\/p>\n<blockquote cite=\"https:\/\/theevilbit.github.io\/posts\/cve_2020_9771\/\">\n<p>This still violates the basic BSD security model, as you can read other users&rsquo; files without elevating to root. 
[&#8230;] Even if SIP is ON and Terminal has Full Disk Access, you can&rsquo;t see other users&rsquo; files with it - with this vulnerability you can.<\/p>\n<\/blockquote>\n<p>But Apple still considers it to be fixed.<\/p>\n\n<p><a href=\"https:\/\/twitter.com\/thomasareed\/status\/1279053979746435072\">Thomas Reed<\/a>:<\/p>\n<blockquote cite=\"https:\/\/twitter.com\/thomasareed\/status\/1279053979746435072\"><p>Absolutely ridiculous fix, I agree. Gating the fix behind a gate that most people will have open is bad. Of course, FDA for Terminal is just bad in general, yet there&rsquo;s no good way for technical users to NOT give FDA to Terminal. &#x1F61E;<\/p>\n<p>It&rsquo;s like Apple has designed TCC in such a way that you have to make an insecure config change to get real work done, but they can say, &ldquo;Well, you would have been safe if you hadn&rsquo;t made an insecure config change.&rdquo; &#x1F612;<\/p>\n<\/blockquote>\n\n<p>And there are lots of other apps that need Full Disk Access, for <a href=\"https:\/\/mjtsai.com\/blog\/2020\/06\/22\/customshortcuts-1-0\/\">one reason<\/a> or another, but they shouldn&rsquo;t be given access to other users&rsquo; files.<\/p>\n\n<p>Previously:<\/p>\n<ul>\n<li><a href=\"https:\/\/mjtsai.com\/blog\/2020\/07\/02\/safari-privacy-protections-bypass\/\">Safari Privacy Protections Bypass<\/a><\/li>\n<\/ul>","protected":false},"excerpt":{"rendered":"<p>Csaba Fitzl (tweet): We could mount the entire file system through APFS snapshots as read-only, with the noowners flag, which enables us to access (almost) every file in the file system, including data (documents, files, etc&#8230;) of every user on the system, including those protected by Apple&rsquo;s privacy framework (TCC). 
Even with the Guest account we [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"apple_news_api_created_at":"2020-07-03T20:43:15Z","apple_news_api_id":"edf14b1e-52df-483b-83d6-08fd68188aa5","apple_news_api_modified_at":"2021-07-06T21:00:30Z","apple_news_api_revision":"AAAAAAAAAAAAAAAAAAAAAA==","apple_news_api_share_url":"https:\/\/apple.news\/A7fFLHlLfSDuD1gj9aBiKpQ","apple_news_coverimage":0,"apple_news_coverimage_caption":"","apple_news_is_hidden":false,"apple_news_is_paid":false,"apple_news_is_preview":false,"apple_news_is_sponsored":false,"apple_news_maturity_rating":"","apple_news_metadata":"\"\"","apple_news_pullquote":"","apple_news_pullquote_position":"","apple_news_slug":"","apple_news_sections":"\"\"","apple_news_suppress_video_url":false,"apple_news_use_image_component":false,"footnotes":""},"categories":[2],"tags":[1395,131,2095,30,1609,1666,355,48,318,1960],"class_list":["post-29428","post","type-post","status-publish","format-standard","hentry","category-technology","tag-apple-file-system-apfs","tag-bug","tag-exploit","tag-mac","tag-macos-10-14","tag-macos-10-15","tag-privacy","tag-security","tag-terminal","tag-transparency-consent-and-control-tcc"],"apple_news_notices":[],"_links":{"self":[{"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/posts\/29428","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/comments?post=29428"}],"version-history":[{"count":1,"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/posts\/29428\/revisions"}],"predecessor-version":[{"id":29429,"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/
posts\/29428\/revisions\/29429"}],"wp:attachment":[{"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/media?parent=29428"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/categories?post=29428"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/tags?post=29428"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}