Microsoft says threat actors could use a macOS vulnerability to bypass the Transparency, Consent, and Control (TCC) technology and access protected user data.
The Microsoft 365 Defender research team reported the vulnerability, dubbed powerdir (tracked as CVE-2021-300970), to Apple on July 15, 2021, via Microsoft Security Vulnerability Research (MSVR).
TCC is a security technology designed to prevent applications from accessing sensitive user data: it lets macOS users configure privacy settings for the applications installed on their systems and for the devices connected to their Macs, including cameras and microphones.
While Apple restricts TCC access to applications with full disk access and has configured features to automatically block unauthorized code execution, Microsoft security researchers discovered that attackers could plant a second, specially crafted TCC database that would allow them to access protected user information.
“We have discovered that it is possible to programmatically modify the home directory of a target user and create a fake TCC database, which stores the consent history of application requests,” noted Jonathan Bar Or, Senior Security Researcher at Microsoft.
“If exploited on unpatched systems, this vulnerability could allow a malicious actor to potentially orchestrate an attack based on the user’s protected personal data.
“For example, the attacker could hijack an application installed on the device—
Apple also fixed other TCC bypasses reported since 2020, including:
- Time Machine mounts (CVE-2020-9771): macOS offers a built-in backup and restore solution called Time Machine. It was discovered that Time Machine backups could be mounted (using the apfs_mount utility) with the “noowners” flag. Since these backups contain the TCC.db files, an attacker could mount a backup and read the device’s TCC policy without having full disk access.
- Environment variable poisoning (CVE-2020-9934): It was discovered that the user’s tccd built the path to the TCC.db file by expanding $HOME/Library/Application Support/com.apple.TCC/TCC.db. Since the user could manipulate the $HOME environment variable (as passed to tccd by launchd), an attacker could place a chosen TCC.db file at an arbitrary path, poison the $HOME environment variable, and have tccd consume that file instead.
- Bundle conclusion issue (CVE-2021-30713): First disclosed by Jamf in a blog post on the XCSSET malware family, this bug abused the way macOS infers information about application bundles. For example, suppose an attacker knows of a specific application that typically has access to the microphone. In that case, they could plant their own code inside the target application’s bundle and “inherit” its TCC capabilities.
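As an added illustration (not code from Microsoft, Apple or the researchers quoted here) of what a defender can audit in light of the bypasses above: a Python sketch that parses a TCC.db-style SQLite `access` table, lists allowed grants, and flags grants for sensitive services or grants with no code-signing requirement, plus a check that the database was read from the account’s real home directory rather than a redirected one. The `access` column set is an assumption approximating macOS 11 and later (the real schema varies by release), and the sample rows are constructed.

```python
import sqlite3

# Assumed approximation of the `access` table in macOS 11+ TCC.db; the real column set varies by release.
ACCESS_SCHEMA = """
CREATE TABLE access (
  service TEXT, client TEXT, client_type INTEGER, auth_value INTEGER,
  auth_reason INTEGER, auth_version INTEGER, csreq BLOB, last_modified INTEGER)
"""

# Services whose grants expose the data classes TCC protects (service names as stored in TCC.db).
SENSITIVE_SERVICES = {
    "kTCCServiceMicrophone", "kTCCServiceCamera", "kTCCServiceSystemPolicyAllFiles",
    "kTCCServiceScreenCapture", "kTCCServiceAccessibility",
}
AUTH_ALLOWED = 2  # auth_value on macOS 11+: 0 = denied, 2 = allowed, 3 = limited (assumption)

# Constructed sample rows standing in for a TCC.db; not data from any real system.
SAMPLE_ROWS = [
    ("kTCCServiceMicrophone", "com.apple.Terminal", 0, 2, 4, 1, b"\xfa\xde\x0c\x00", 1639000000),
    ("kTCCServiceSystemPolicyAllFiles", "/usr/local/bin/unsigned-helper", 1, 2, 4, 1, None, 1639000100),
    ("kTCCServiceCamera", "com.example.video", 0, 0, 4, 1, b"\xfa\xde\x0c\x00", 1639000200),
    ("kTCCServiceCalendar", "com.example.cal", 0, 2, 4, 1, b"\xfa\xde\x0c\x00", 1639000300),
]


def build_sample_db():
    """Create an in-memory TCC.db look-alike populated with SAMPLE_ROWS."""
    conn = sqlite3.connect(":memory:")
    conn.execute(ACCESS_SCHEMA)
    conn.executemany("INSERT INTO access VALUES (?,?,?,?,?,?,?,?)", SAMPLE_ROWS)
    return conn


def audit_tcc(conn):
    """Return every allowed grant, flagging sensitive services and grants lacking a csreq."""
    rows = conn.execute(
        "SELECT service, client, client_type, csreq FROM access WHERE auth_value = ?",
        (AUTH_ALLOWED,))
    findings = []
    for service, client, client_type, csreq in rows:
        findings.append({
            "service": service, "client": client,
            "client_is_path": client_type == 1,  # 1 = absolute path, 0 = bundle identifier
            "sensitive": service in SENSITIVE_SERVICES,
            "no_csreq": csreq is None,  # no designated requirement ties the grant to signed code
        })
    return findings


def tcc_db_in_real_home(username, db_path):
    """powerdir check: the per-user TCC.db should sit under /Users/<name> (assumes local accounts)."""
    return db_path == f"/Users/{username}/Library/Application Support/com.apple.TCC/TCC.db"
```

Reading the live database requires full disk access; an audit would normally run against a copy exported by an endpoint agent.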
Apple addressed the vulnerability in the security updates released last month, on December 13, 2021. “A malicious application may be able to bypass privacy preferences,” the company said in its security advisory.
Apple fixed the logic issue behind the powerdir vulnerability with improved state management.
“During this research, we had to update our proof of concept (POC) exploit because the initial version no longer worked on the latest version of macOS, Monterey,” added Jonathan Bar Or.
“This shows that while macOS or other operating systems and applications become increasingly hardened with each release, software vendors like Apple, security researchers and the security community at large need to work together continuously to identify and remediate vulnerabilities before attackers can take advantage of them.”
Microsoft previously reported that it found a security vulnerability called Shrootless that would allow an attacker to bypass System Integrity Protection (SIP) and perform arbitrary operations, elevate privileges to root, and install rootkits on vulnerable devices.
Company researchers also discovered new variants of the macOS WizardUpdate malware (aka UpdateAgent or Vigram), updated with new evasion and persistence tactics.
Last year in June, Redmond revealed critical firmware bugs in certain models of NETGEAR routers that hackers could use to penetrate corporate networks and move laterally within them.