{"id":37820,"date":"2022-12-05T16:01:30","date_gmt":"2022-12-05T21:01:30","guid":{"rendered":"https:\/\/mjtsai.com\/blog\/?p=37820"},"modified":"2022-12-26T15:31:03","modified_gmt":"2022-12-26T20:31:03","slug":"powerdir-macos-tcc-vulnerability","status":"publish","type":"post","link":"https:\/\/mjtsai.com\/blog\/2022\/12\/05\/powerdir-macos-tcc-vulnerability\/","title":{"rendered":"Powerdir macOS TCC Vulnerability"},"content":{"rendered":"

Juli Clover<\/a> (in January):<\/p>\n

Microsoft’s 365 Defender Research Team this morning published details on a new “Powerdir” macOS vulnerability that let an attacker bypass the Transparency, Consent, and Control technology to gain unauthorized access to protected data.<\/p>

Apple already addressed the CVE-2021-30970 vulnerability in the macOS Monterey 12.1 update[…]<\/p><\/blockquote>\n\n

Jonathan Bar Or<\/a>:<\/p>\n

\n

We discovered that it is possible to programmatically change a target user’s home directory and plant a fake TCC database, which stores the consent history of app requests. If exploited on unpatched systems, this vulnerability could allow a malicious actor to potentially orchestrate an attack based on the user’s protected personal data.<\/p>\n

[…]<\/p>\n

First, Apple protected the system-wide TCC.db via System Integrity Protection (SIP), a macOS feature that prevents unauthorized code execution. Secondly, Apple enforced a TCC policy that only apps with full disk access can access the TCC.db files.<\/p>\n

[…]<\/p>\n

While the solution indeed prevents an attack by environment variable poisoning, it does not protect against the core issue. Thus, we set out to investigate: can an app programmatically change the user’s home directory and plant a fake TCC.db file?<\/p>\n<\/blockquote>\n\n

Previously:<\/p>\n