{"id":33118,"date":"2021-07-13T14:05:56","date_gmt":"2021-07-13T18:05:56","guid":{"rendered":"https:\/\/mjtsai.com\/blog\/?p=33118"},"modified":"2021-07-13T14:06:10","modified_gmt":"2021-07-13T18:06:10","slug":"bypassing-tcc-by-changing-the-environment","status":"publish","type":"post","link":"https:\/\/mjtsai.com\/blog\/2021\/07\/13\/bypassing-tcc-by-changing-the-environment\/","title":{"rendered":"Bypassing TCC By Changing the Environment"},"content":{"rendered":"

Matt Shockley<\/a> (tweet<\/a>, Medium<\/a>):<\/p>\n

\n

TCC stores these user-level entitlements in a SQLite3 database on disk at $HOME\/Library\/Application Support\/com.apple.TCC\/TCC.db<\/tt>. Apple uses a dedicated daemon, tccd<\/code>, for each logged-in user (and one system level daemon) to handle TCC requests. These daemons sit idle until they receive an access request from the OS for an application attempting to access protected data<\/p>\n

[…]<\/p>\n

Obviously being able to write directly to the database completely defeats the purpose of TCC, so Apple protects this database itself with TCC and System Integrity Protection (SIP). Even a program running as root cannot modify this database unless it has the com.apple.private.tcc.manager<\/code> and com.apple.rootless.storage.TCC<\/code> entitlements. However, the database is still technically owned and readable\/writeable by the currently running user, so as long as we can find a program with those entitlements, we can control the database.<\/p>\n

[…]<\/p>\n

Essentially, when the TCC daemon attempts to open the database, the program tries to directly open (or create if not already existing) the SQLite3 database at $HOME\/Library\/Application Support\/com.apple.TCC\/TCC.db<\/tt>. While this seems inconspicuous at first, it becomes more interesting when you realize that you can control the location that the TCC daemon reads and writes to if you can control what the $HOME<\/code> environment variable contains. […] Thus, I could set the $HOME<\/code> environment variable in launchctl<\/code> to point to a directory I control, restart the TCC daemon, and then directly modify the TCC database to give myself every TCC entitlement available without ever prompting the end user.<\/p><\/blockquote>\n\n

So SIP is still protecting the normal path, but the system relies on tccd<\/code>, which has been redirected to a different path. Apple fixed this 4.5 months later, in July 2020.<\/p>\n\n

Patrick Wardle<\/a>:<\/p>\n

\n

TCC continues to be a massive pain in the butt for legitimate software\/app developers.<\/p>\n

...but for hackers? Yah, not so much at all 😭😭😭😭😭<\/p>\n

For example (as a legitimate soft dev), how can my updater tell if my app was already granted certain TCC privileges (so I don’t have to re-prompt the user)?<\/p>\n

And why do I have to manually restart TCCd to avoid a myriad of (broken) caching issues?<\/p>\n<\/blockquote>\n\n

Previously:<\/p>\n