{"id":33121,"date":"2021-07-13T14:06:31","date_gmt":"2021-07-13T18:06:31","guid":{"rendered":"https:\/\/mjtsai.com\/blog\/?p=33121"},"modified":"2021-07-13T14:06:41","modified_gmt":"2021-07-13T18:06:41","slug":"overview-of-tcc-bypasses-by-accident-and-design","status":"publish","type":"post","link":"https:\/\/mjtsai.com\/blog\/2021\/07\/13\/overview-of-tcc-bypasses-by-accident-and-design\/","title":{"rendered":"Overview of TCC Bypasses by Accident and Design"},"content":{"rendered":"<p><a href=\"https:\/\/labs.sentinelone.com\/bypassing-macos-tcc-user-privacy-protections-by-accident-and-design\/\">Phil Stokes<\/a> (via <a href=\"https:\/\/news.ycombinator.com\/item?id=27731684\">Hacker News<\/a>):<\/p>\n<blockquote cite=\"https:\/\/labs.sentinelone.com\/bypassing-macos-tcc-user-privacy-protections-by-accident-and-design\/\"><p>Full Disk Access means what it says: it can be set by one user with admin rights and it grants access to all users&rsquo; data system-wide. [&#8230;] When Alice grants FDA permission to the Terminal for herself, all users now have FDA permission via the Terminal as well. The upshot is that Alice isn&rsquo;t only granting herself the privilege to access others&rsquo; data, she&rsquo;s granting others the privilege to access <i>her data<\/i>, too.<\/p>\n<p>Surprisingly, Alice&rsquo;s (no doubt) unintended permissiveness also extends to unprivileged users. As reported in <a href=\"https:\/\/theevilbit.github.io\/posts\/cve_2020_9771\/\">CVE-2020-9771<\/a>, allowing the Terminal to have Full Disk Access renders all data readable without any further security challenges: the entire disk can be mounted and read even by non-admin users. Exactly how this works is nicely laid out in this blog post <a href=\"https:\/\/theevilbit.github.io\/posts\/cve_2020_9771\/\">here<\/a>, but in short any user can create and mount a local snapshot of the system and read all other users&rsquo; data.<\/p>\n<p>[&#8230;]<\/p>\n<p>Because of this complication, administrators must be aware that even if they never grant FDA permissions, or even if they lock down Full Disk Access (perhaps via MDM solution), simply allowing an application to control the Finder in the &lsquo;Automation&rsquo; pane will bypass those restrictions. [&#8230;] Granting FDA in the usual way requires an administrator password. However, one can grant consent for automation of the Finder (and thus backdoor FDA) without a password.<\/p>\n<p>[&#8230;]<\/p>\n<p>Administrators need to be aware that TCC doesn&rsquo;t protect against files being written to TCC protected areas by unprivileged processes, and similarly nor does it stop files so written from being read by those processes.<\/p><\/blockquote>\n\n<p>Previously:<\/p>\n<ul>\n<li><a href=\"https:\/\/mjtsai.com\/blog\/2021\/07\/13\/bypassing-tcc-by-changing-the-environment\/\">Bypassing TCC By Changing the Environment<\/a><\/li>\n<li><a href=\"https:\/\/mjtsai.com\/blog\/2020\/12\/07\/tcc-doesnt-prevent-protected-folders-from-being-listed\/\">Sandbox Doesn&rsquo;t Protect Files From stat()<\/a><\/li>\n<li><a href=\"https:\/\/mjtsai.com\/blog\/2020\/07\/03\/mount_apfs-tcc-bypass-and-privilege-escalation\/\">mount_apfs TCC Bypass and Privilege Escalation<\/a><\/li>\n<\/ul>","protected":false},"excerpt":{"rendered":"<p>Phil Stokes (via Hacker News): Full Disk Access means what it says: it can be set by one user with admin rights and it grants access to all users&rsquo; data system-wide. [&#8230;] When Alice grants FDA permission to the Terminal for herself, all users now have FDA permission via the Terminal as well. The upshot [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"apple_news_api_created_at":"2021-07-13T18:06:35Z","apple_news_api_id":"6f50746c-9b8b-4a1d-9af0-f4c48f34a566","apple_news_api_modified_at":"2021-07-13T18:06:44Z","apple_news_api_revision":"AAAAAAAAAAAAAAAAAAAAAA==","apple_news_api_share_url":"https:\/\/apple.news\/Ab1B0bJuLSh2a8PTEjzSlZg","apple_news_coverimage":0,"apple_news_coverimage_caption":"","apple_news_is_hidden":false,"apple_news_is_paid":false,"apple_news_is_preview":false,"apple_news_is_sponsored":false,"apple_news_maturity_rating":"","apple_news_metadata":"\"\"","apple_news_pullquote":"","apple_news_pullquote_position":"","apple_news_slug":"","apple_news_sections":"\"\"","apple_news_suppress_video_url":false,"apple_news_use_image_component":false,"footnotes":""},"categories":[2],"tags":[131,2095,547,30,1891,355,48,1960],"class_list":["post-33121","post","type-post","status-publish","format-standard","hentry","category-technology","tag-bug","tag-exploit","tag-permissions","tag-mac","tag-macos-11-0","tag-privacy","tag-security","tag-transparency-consent-and-control-tcc"],"apple_news_notices":[],"_links":{"self":[{"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/posts\/33121","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/comments?post=33121"}],"version-history":[{"count":2,"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/posts\/33121\/revisions"}],"predecessor-version":[{"id":33123,"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/posts\/33121\/revisions\/33123"}],"wp:attachment":[{"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/media?parent=33121"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/categories?post=33121"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/tags?post=33121"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}