Microsoft security researchers discovered macOS exploit that could alter TCC permissions

Why is this important: Microsoft publicly disclosed a vulnerability in macOS on Monday that could be used to access or exfiltrate sensitive user data. The exploit is facilitated by a loophole in the transparency, consent and control (TCC) framework. The TCC platform is part of macOS that allows users to control which applications can access users’ data, files, and components.

Microsoft 365 Defender Research Team double the vulnerability (CVE-2021-300970) “powerdir” named after the software exploit created by Microsoft researcher Jonathan Bar Or. Microsoft informed Cupertino of the security breach in July 2021. Apple fixed the vulnerability in December with macOS 11.6 and 12.1.

“We have discovered that it is possible to programmatically change a target user’s home directory and create a fake TCC database, which stores the consent history of application requests,” Or explained. If exploited on unpatched systems, this vulnerability could allow a malicious actor to potentially orchestrate an attack based on the user’s protected personal data. “

The screenshots show the program granting or access to the microphone and camera. However, TCC also maintains authorization for other components including screen recording, Bluetooth, location services, contacts, photos, and more.

While Microsoft created the software specifically for this task, any application could use the same technique to exploit the hole. The attacker needs full disk access to the TCC database, which could be granted through other methods. Once acquired, hackers can assign or reassign access permissions as they see fit.

Powerdir is the third TCC bypass found in the past two years. The two others (CVE-2020-9934 and CVE-2020-27937) were disclosed and corrected in 2020. Other flaw (CVE-2021-30713) found last year in all of Apple’s operating systems allowed attackers to arbitrarily control permissions, which hackers actively exploited before being patched in May.