{"id":34529,"date":"2021-12-23T16:33:55","date_gmt":"2021-12-23T21:33:55","guid":{"rendered":"https:\/\/mjtsai.com\/blog\/?p=34529"},"modified":"2023-12-06T14:23:04","modified_gmt":"2023-12-06T19:23:04","slug":"bypass-tcc-via-privileged-helpers","status":"publish","type":"post","link":"https:\/\/mjtsai.com\/blog\/2021\/12\/23\/bypass-tcc-via-privileged-helpers\/","title":{"rendered":"Bypass TCC via Privileged Helpers"},"content":{"rendered":"

Wojciech Reguła<\/a>:<\/p>\n

\n

This vulnerability has been disclosed on @Hack<\/a> in Saudi Arabia in 20+ Ways To Bypass Your Macos Privacy Mechanisms<\/a> presentation. In the end, it allowed impersonating TCC entitlements of any application installed on the device.<\/p>\n

[…]<\/p>\n

Applications may install privileged helpers in the \/Library\/PrivilegedHelpers<\/code> directory. When such a helper tries to access the protected resource (e.g. Address Book), TCC tries to determine which app is responsible for the helper. If the main app is determined, TCC checks whether the app has proper permissions and grants the helper access to the protected resources. The problem is that a malicious helper may trick TCC to select the wrong application as the main app and thus use its entitlements.<\/p>\n

[…]<\/p>\n

It’s important to understand that the SMJobBless<\/em> API is not required to register a privileged helper. A malicious application can just create a plist in the \/Library\/LaunchDaemons<\/code> directory, place the helper in the \/Library\/PrivilegedHelpers<\/code>, load&start the helper via launchctl. So, there is no guarantee that the SMAuthorizedClients<\/em> key will be pointing to the right owner.<\/p>\n<\/blockquote>\n\n

Previously:<\/p>\n