{"id":104385,"date":"2022-01-10T09:00:00","date_gmt":"2022-01-10T17:00:00","guid":{"rendered":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/?p=104385"},"modified":"2023-09-11T14:56:45","modified_gmt":"2023-09-11T21:56:45","slug":"new-macos-vulnerability-powerdir-could-lead-to-unauthorized-user-data-access","status":"publish","type":"post","link":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2022\/01\/10\/new-macos-vulnerability-powerdir-could-lead-to-unauthorized-user-data-access\/","title":{"rendered":"New macOS vulnerability, \u201cpowerdir,\u201d could lead to unauthorized user data access"},"content":{"rendered":"\n

Following our discovery of the \u201cShrootless\u201d vulnerability<\/a>, Microsoft uncovered a new macOS vulnerability, \u201cpowerdir,\u201d that could allow an attacker to bypass the operating system\u2019s Transparency, Consent, and Control (TCC) technology, thereby gaining unauthorized access to a user\u2019s protected data. We shared our findings with Apple through Coordinated Vulnerability Disclosure<\/a> (CVD) via Microsoft Security Vulnerability Research<\/a> (MSVR). Apple released a fix for this vulnerability, now identified as CVE-2021-30970<\/a>, as part of security updates<\/a> released on December 13, 2021. We encourage macOS users to apply these security updates as soon as possible.<\/p>\n\n\n\n

Introduced by Apple in 2012 on macOS Mountain Lion, TCC is essentially designed to help users configure the privacy settings of their apps, such as access to the device\u2019s camera, microphone, or location, as well as access to the user\u2019s calendar or iCloud account, among others. To protect TCC, Apple introduced a feature that prevents unauthorized code execution and enforces a policy that restricts access to TCC to only apps with full disk access. We discovered that it is possible to programmatically change a target user\u2019s home directory and plant a fake TCC database, which stores the consent history of app requests. If exploited on unpatched systems, this vulnerability could allow a malicious actor to potentially orchestrate an attack based on the user\u2019s protected personal data. For example, the attacker could hijack an app installed on the device\u2014or install their own malicious app\u2014and access the microphone to record private conversations or capture screenshots of sensitive information displayed on the user\u2019s screen.<\/p>\n\n\n\n

It should be noted that other TCC vulnerabilities were previously reported and subsequently patched before our discovery. It was also through our examination of one of the latest fixes that we came across this bug. In fact, during this research, we had to update our proof-of-concept (POC) exploit because the initial version no longer worked on the latest macOS version, Monterey. This shows that even as macOS or other operating systems and applications become more hardened with each release, software vendors like Apple, security researchers, and the larger security community need to continuously work together to identify and fix vulnerabilities before attackers can take advantage of them.<\/p>\n\n\n\n

Microsoft security researchers continue to monitor the threat landscape to discover new vulnerabilities and attacker techniques that could affect macOS and other non-Windows devices. The discoveries and insights from our research enrich our protection technologies and solutions, such as Microsoft Defender for Endpoint<\/a>, which gives organizations visibility into their increasingly heterogeneous networks. For example, this research informed the generic detection of behavior associated with this vulnerability, enabling Defender for Endpoint to immediately provide visibility and protection against exploits even before the patch is applied. Such visibility also enables organizations to detect, manage, respond to, and remediate vulnerabilities and cross-platform threats faster.<\/p>\n\n\n\n

In this blog post, we will share some information about TCC, discuss previously reported vulnerabilities, and present our own unique findings.<\/p>\n\n\n\n

TCC overview<\/h2>\n\n\n\n

As mentioned earlier, TCC is a technology that prevents apps from accessing users\u2019 personal information without their prior consent and knowledge. The user commonly manages it under System Preferences in macOS (System Preferences > Security & Privacy > Privacy):<\/p>\n\n\n\n

\"Screenshot
Figure 1. The macOS Security & Privacy pane that serves as the front end of TCC. <\/figcaption><\/figure>\n\n\n\n

TCC maintains databases that contain consent history for app requests. Generally, when an app requests access to protected user data, one of two things can happen:<\/p>\n\n\n\n

  1. If the app and the type of request have a record in the TCC databases, then a flag in the database entry dictates whether to allow or deny the request automatically and without any user interaction.<\/li>
  2. If the app and the type of request do not have a record in the TCC databases, then a prompt is presented to the user, who decides whether to grant or deny access. That decision is baked into the databases so that subsequent similar requests fall under the first scenario.<\/li><\/ol>\n\n\n\n

    Under the hood, there are two kinds of TCC databases. Each kind maintains only a subset of the request types:<\/p>\n\n\n\n