Microsoft today disclosed a vulnerability in Apple's macOS that could enable an attacker to gain unauthorized access to protected user data through bypassing the Transparency, Consent, and Control (TCC) technology in the operating system.
The Microsoft Security Vulnerability Research (MSVR) team reported its discovery to Apple's product security team on July 15, 2021. Apple addressed CVE-2021-30970, dubbed "Powerdir", in a rollout of security updates released on Dec. 13.
TCC is an Apple subsystem introduced in 2012 in macOS Mountain Lion. The technology was designed to help users configure the privacy settings of their device's applications; for example, access to the camera or microphone, or their calendar or iCloud account. To secure TCC, Apple created a feature that prevents unauthorized code execution, and enforced a policy that limited TCC access only to applications with full disk access.
The vulnerability Microsoft found would allow adversaries to work around this feature and launch an attack on a macOS device. Microsoft confirms this has not been exploited in the wild, and it only affects macOS. iOS devices are not affected.
When an app requests access to protected user data, one of two actions can occur: if the app and request type have a record in the TCC databases, then a flag in the database entry says whether the request should be allowed or denied without user interaction. If they do not have a record, the user is prompted to grant or deny access.
Researchers learned it's possible to programmatically change a target's home directory and plant a fake TCC database, which stores the consent history of app requests, wrote Jonathan Bar Or, with the Microsoft 365 Defender Research Team, in a blog post on the findings. If exploited on an unpatched system, this flaw could let an attacker to potentially conduct an attack based on the victim's protected personal data, Or wrote.
"For example, the attacker could hijack an app installed on the device—or install their own malicious app—and access the microphone to record private conversations or capture screenshots of sensitive information displayed on the user's screen," he explained.
This is the latest in a string of TCC vulnerabilities Apple has patched in recent years. Last year, Apple patched CVE-2021-30713, a flaw that allowed attackers to bypass TCC protections to deliver XCSSET malware. Once on a machine, XCSSET used the bypass to take screenshot of the user's desktop without needing permissions, report Jamf researchers who discovered the bug.
The year prior, other reported vulnerabilities related to TCC bypass included CVE-2020-9771 and CVE-2020-9934. Apple's fix for the latter caught Microsoft's attention, and in the team's analysis, they discovered an exploit an attacker could use to change settings on any application. After it disclosed its findings to Apple, a similar bypass was presented in a Black Hat USA talk. However, Microsoft's exploit continued to work after Apple fixed the similar vulnerability.
Researchers did have to make changes to their proof-of-concept after the October release of macOS Monterey, which made changes in how the dsimport tool works and rendered its initial PoC exploit ineffective.
"This shows that even as macOS or other operating systems and applications become more hardened with each release, software vendors like Apple, security researchers, and the larger security community, need to continuously work together to identify and fix vulnerabilities before attackers can take advantage of them," Or wrote.