Researchers have released details for a recently patched vulnerability in macOS that, if successfully exploited, could allow attackers to gather sensitive data from victims by recording private conversations or taking screenshots on their phones.
The flaw (CVE-2021-30970) exists in Apple’s Transparency, Consent, and Control (TCC) framework, which was introduced in 2012 and allows users to configure their mobile app privacy settings, explicitly giving permissions for apps to access controls like their camera, microphone or location data. Researchers with the Microsoft 365 Defender Research Team developed proof-of-concept (PoC) exploits that allowed them to bypass safeguards for the TCC technology. The vulnerability makes it possible to programmatically change a target’s home directory and plant a fake TCC database, which stores the consent history of app requests, said Microsoft researchers.
“Given these, should a malicious actor gain full disk access to the TCC databases, they could edit it to grant arbitrary permissions to any app they choose, including their own malicious app,” according to Jonathan Bar Or, with Microsoft, in an analysis. “The affected user would also not be prompted to allow or deny the said permissions, thus allowing the app to run with configurations they may not have known or consented to.”
Apple issued a fix for the vulnerability in its Dec. 13 security updates for macOS Monterey 12.1. Of note, the vulnerability is only medium-severity, partly because a full attack would require attackers to either hijack an app that’s installed on a victim’s device or convince victims to install their own malicious app.
After such an attacker-controlled app is installed, the flaw would allow attackers to bypass the TCC controls in order to gain sensitive permissions for their app, such as accessing the microphone to record private conversations.
Researchers actually developed and reported two PoC exploits, after discovering that apps have the capability to silently change the home directory if they are granted a TCC policy called kTCCServiceSystemPolicySysAdminFiles. In the first PoC exploit, reported in July, researchers bypassed that TCC policy restriction with the dsexport and dsimport utilities; specifically by exporting the Directory Services entry of a user, manipulating the output file, and importing the file again.
However, researchers realized their first PoC exploit no longer worked after the release of macOS Monterey in October, which made changes in how dsimport works. They then created a second PoC exploit that leveraged an Apple System Configuration daemon called configd, which is responsible for configuration aspects of the local system. Configd was not built with the hardened runtime flag, so when it loaded custom configuration agents, researchers were able to inject and load completely unsigned code into it. And, because configd is an Apple-signed binary (carrying the kTCCServiceSystemPolicySysAdminFiles value), it could change the home directory silently.
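Both PoC exploits described above end in the same two observable conditions on the machine: a user record whose home directory has been redirected somewhere unusual, and a TCC.db under that directory containing grants the user never approved. The following Python script is an added example, not code from the article or from Microsoft, showing how a defender can audit for exactly those two conditions. It assumes a reduced version of the `access` table found in TCC.db (the real table has more columns), assumes `auth_value` 2 means "allowed" as in TCC.db conventions, and runs against a constructed sample database so it can be executed offline; on a real Mac you would point `granted_sensitive_entries` at `~/Library/Application Support/com.apple.TCC/TCC.db` and feed `home_dir_is_suspicious` the `NFSHomeDirectory` value read from Directory Services.

```python
import os
import sqlite3
import tempfile

# Assumption: a reduced version of the "access" table in TCC.db. The real table
# carries more columns; the ones below are enough to audit what was granted.
TCC_ACCESS_SCHEMA = """
CREATE TABLE access (
    service       TEXT    NOT NULL,
    client        TEXT    NOT NULL,
    client_type   INTEGER NOT NULL,
    auth_value    INTEGER NOT NULL,
    auth_reason   INTEGER NOT NULL,
    last_modified INTEGER NOT NULL
);
"""

# auth_value meaning (assumption based on TCC.db conventions): 0 = denied,
# 2 = allowed. Anything else is treated as "not allowed" by this audit.
AUTH_ALLOWED = 2

# Services whose silent grant gives the capabilities the article describes.
SENSITIVE_SERVICES = {
    "kTCCServiceMicrophone",
    "kTCCServiceCamera",
    "kTCCServiceScreenCapture",
    "kTCCServiceSystemPolicySysAdminFiles",
}


def home_dir_is_suspicious(home_path, expected_root="/Users"):
    """True when a user's home directory resolves outside the expected root."""
    normalized = os.path.normpath(home_path)
    return not (normalized == expected_root or normalized.startswith(expected_root + "/"))


def granted_sensitive_entries(db_path):
    """Return sorted (client, service) pairs that are allowed for a sensitive service."""
    conn = sqlite3.connect(db_path)
    try:
        rows = conn.execute(
            "SELECT client, service FROM access WHERE auth_value = ?", (AUTH_ALLOWED,)
        ).fetchall()
    finally:
        conn.close()
    return sorted((client, service) for client, service in rows if service in SENSITIVE_SERVICES)


def build_constructed_tcc_db(db_path):
    """Write a constructed TCC.db-style database (sample data, not a real system file)."""
    conn = sqlite3.connect(db_path)
    try:
        conn.executescript(TCC_ACCESS_SCHEMA)
        conn.executemany(
            "INSERT INTO access VALUES (?, ?, ?, ?, ?, ?)",
            [
                # Grants the user never clicked through: what a planted DB would carry.
                ("kTCCServiceMicrophone", "com.example.planted", 0, 2, 0, 1639000000),
                ("kTCCServiceCamera", "com.example.planted", 0, 2, 0, 1639000000),
                # A denied entry and a non-sensitive grant; both should be ignored.
                ("kTCCServiceScreenCapture", "com.example.planted", 0, 0, 0, 1639000000),
                ("kTCCServiceCalendar", "com.example.calendar", 0, 2, 0, 1639000000),
            ],
        )
        conn.commit()
    finally:
        conn.close()


def audit(home_path, db_path):
    """Combine the home-directory check and the grant listing into one report."""
    return {
        "home_dir_suspicious": home_dir_is_suspicious(home_path),
        "sensitive_grants": granted_sensitive_entries(db_path),
    }


def demo():
    """Run the audit against a constructed database in a temporary directory."""
    with tempfile.TemporaryDirectory() as tmp:
        db_path = os.path.join(tmp, "TCC.db")
        build_constructed_tcc_db(db_path)
        # Constructed scenario: the home directory now points outside /Users.
        return audit("/Library/Caches/.fakehome", db_path)


if __name__ == "__main__":
    report = demo()
    print(report)
```

The two checks are deliberately independent: a redirected home directory is a strong signal on its own, while an unexpected microphone or camera grant for an unfamiliar bundle identifier is worth investigating even when the home directory looks normal, since it is the end state both PoCs were built to reach.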
“This results in the same outcome as our first PoC exploit, which allows the modification of settings to grant, for example, any app like Teams, to access the camera, among other services,” said researchers. “This shows that even as macOS or other operating systems and applications become more hardened with each release, software vendors like Apple, security researchers, and the larger security community, need to continuously work together to identify and fix vulnerabilities before attackers can take advantage of them.”
Security researchers have previously found security holes in TCC. In 2020, Apple fixed a similar type of vulnerability (CVE-2020-9934) that stemmed from the handling of environment variables, allowing attackers to plant TCC.db files in an arbitrary path and make TCC.db consume that file instead. In May, researchers with Jamf found a flaw (CVE-2021-30713) in the TCC framework being abused by attackers behind the XCSSET malware.