Microsoft: This macOS bug could bypass controls and access private user data
Microsoft has detailed how malware on macOS can bypass the privacy settings enforced by Apple's Transparency, Consent, and Control (TCC) system, which controls application access to sensitive user data.
The 'powerdir' bug, which Apple fixed in its December 13 update for macOS up to Monterey, allows an attacker to bypass TCC and gain access to protected user data.
The bug was discovered by Microsoft security researcher Jonathan Bar Or. Microsoft is interested in macOS security because Defender for Endpoint can be used to protect non-Windows devices.
Microsoft's 365 Defender Research Team noted in a blog post that Apple has introduced a feature to protect TCC that "prevents unauthorized code execution and implements a policy that restricts access to TCC directly to apps with full disk access."
However, Bar Or found that it is "possible to programmatically modify a target user's home directory and install a fake TCC database, which stores the permission history of app requests."
"If exploited on unpatched systems, this vulnerability could allow a malicious user to launch an attack based on the user's protected personal data," Microsoft said.
An attacker could hijack an already installed app, or install their own malicious app, to gain access to the microphone to record private conversations, or to capture screenshots of sensitive information displayed on the user's screen, Microsoft explained.
TCC appeared in 2012 in OS X Mountain Lion and is behind the system alerts that users see when granting or denying 'permission' for certain applications to access private data, which includes access to the device's camera, microphone, location, and access to the user's calendar or iCloud account.
Apple does not describe TCC by name in its security guide; however, as security company SentinelOne points out, the purpose of TCC is covered in a section of the guide that explains how macOS and iOS protect app access to user data. Users can manage these privacy protections in macOS in the Security & Privacy section of System Preferences.
"Apple devices help prevent apps from accessing a user's personal information without authorization, using a variety of technologies including Data Vault. In Settings on iOS and iPadOS, or System Preferences on macOS, users can see which apps they have allowed to access certain information, and can grant or revoke any future access," Apple explained.
Microsoft's TCC bypass bug offers a new way around the protections Apple added in response to previously discovered TCC bypasses, including CVE-2022-9771, CVE-2022-9934, and CVE-2022-30713.
To protect TCC from those bypasses, Apple introduced a feature that prevents unauthorized code execution and implemented a policy that restricts direct access to TCC to apps with full disk access. These measures protected the TCC.db database files from being accessed improperly through, for example, Time Machine backups or other file paths.
Microsoft bypassed Apple's TCC protections by planting a fake TCC.db file and changing the user's home directory with a sudo ('superuser') command in the Directory Services command-line utility.
"Although we require root access, we found that this only works if the application is granted the kTCCServiceSystemPolicySysAdminFiles TCC policy, which is maintained by the local TCC.db or by a specific user," Microsoft explained.
"That's weaker than having full disk access, but we were able to overcome that barrier with the dsexport and dsimport utilities."
Microsoft's proof of concept showed that attackers could change the settings of any application, potentially allowing them to access the microphone and camera from any app, hence the name "Powerdir".
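As an added example that is not part of the article or of Microsoft's research, the following Python script shows one defensive check for the change this technique depends on, a redirected home directory: it parses the output of `dscl . -readall /Users RecordName NFSHomeDirectory` (the sample below is constructed, and the list of allowed home-directory roots is an assumed baseline) and reports interactive accounts whose home directory has been moved out of /Users, together with the TCC.db path the system would consult there.

```python
# Added example (not Microsoft's code): audit local accounts for a redirected
# home directory, the change powerdir relies on so a planted TCC.db is used.
import os
import re

# Constructed sample of `dscl . -readall /Users RecordName NFSHomeDirectory`;
# 'bob' has been pointed at a world-writable location.
SAMPLE_DSCL_OUTPUT = """\
NFSHomeDirectory: /Users/alice
RecordName: alice
-
NFSHomeDirectory: /var/empty
RecordName: _www
-
NFSHomeDirectory: /private/tmp/fakehome
RecordName: bob
-
NFSHomeDirectory: /var/root
RecordName: root
"""

# Per-user TCC database, relative to the home directory.
TCC_DB_RELATIVE = "Library/Application Support/com.apple.TCC/TCC.db"
# Assumed baseline of roots a home may live under; extend for other volumes.
ALLOWED_HOME_ROOTS = ("/Users", "/var/root", "/var/empty",
                      "/private/var/root", "/private/var/empty")


def parse_dscl_readall(text):
    """Split dscl -readall output (lines of '-' separate records) into dicts."""
    records = []
    for chunk in re.split(r"^-$", text, flags=re.M):
        rec = {k: v.strip() for k, v in re.findall(r"^([\w:.-]+):\s*(.*)$", chunk, flags=re.M)}
        if rec:
            records.append(rec)
    return records


def suspicious_home_dirs(records, allowed_roots=ALLOWED_HOME_ROOTS):
    """Return {user: TCC.db path the system would consult} for accounts whose
    home lies outside allowed_roots; '_' service accounts are skipped."""
    flagged = {}
    for rec in records:
        name, home = rec.get("RecordName", ""), rec.get("NFSHomeDirectory", "")
        if not name or name.startswith("_"):
            continue
        norm = os.path.normpath(home)
        if not any(norm == r or norm.startswith(r + "/") for r in allowed_roots):
            flagged[name] = os.path.join(norm, TCC_DB_RELATIVE)
    return flagged
```

A hit means the per-user TCC database the system reads no longer sits in a location the user's own permissions were granted against, so both the directory record and the TCC.db found there warrant inspection.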