The Microsoft 365 Defender Research Team dubbed the vulnerability “powerdir” and reported it to Apple on July 15, 2021. Apple addressed the issue as part of the macOS 11.6 and 12.1 updates, which were released in December 2021 and included improved state management.
The flaw, identified as CVE-2021-30970, is related to a logic issue in the Transparency, Consent, and Control (TCC) security framework, which allows users to configure the privacy settings of their apps and grant access to protected files and app data. TCC is accessed through the Security & Privacy pane in the macOS System Preferences app.
The researchers’ proof-of-concept exploits conduct many suspicious activities, including:
- Dropping a new TCC.db file with an appropriate directory structure
- Killing an existing tccd instance
- Suspicious Directory Services invocations such as dsimport and dsexport.
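The three activities above are the ones a defender would key on. What follows is an added detection example, not code from Microsoft or Apple; it assumes a constructed, simplified event-log format (real endpoint telemetry uses its own schema) and raises a high-severity alert when a single user shows two or more of the indicators within a short window:

```python
import re
from datetime import datetime, timedelta

# Constructed sample events, "<ts> <kind> key=value ...", with command arguments elided.
# Legitimate writes to TCC.db come from tccd itself; here a script drops one instead.
SAMPLE_EVENTS = """\
2021-12-13T10:01:02Z exec user=alice exe=/usr/bin/open
2021-12-13T10:02:11Z exec user=alice exe=/usr/bin/dsexport
2021-12-13T10:02:12Z exec user=alice exe=/usr/bin/dsimport
2021-12-13T10:02:15Z file user=alice exe=/usr/bin/python3 op=create path=/tmp/h/Library/Application Support/com.apple.TCC/TCC.db
2021-12-13T10:02:16Z signal user=alice exe=/bin/kill target=tccd sig=9
2021-12-13T10:03:00Z file user=alice exe=/usr/bin/vim op=create path=/Users/alice/notes.txt
2021-12-13T11:30:00Z exec user=bob exe=/usr/bin/dsexport
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (.*)$")
TCC_DB_SUFFIX = "/Library/Application Support/com.apple.TCC/TCC.db"
DS_TOOLS = {"dsimport", "dsexport"}

def parse(line):
    """Parse one event line; values such as paths may contain spaces."""
    ts, kind, rest = LINE_RE.match(line).groups()
    fields = dict(kv.split("=", 1) for kv in re.split(r" (?=\w+=)", rest))
    fields["ts"] = datetime.fromisoformat(ts.replace("Z", "+00:00"))
    fields["kind"] = kind
    return fields

def indicator(ev):
    """Map an event to one of the three powerdir-style indicators, or None."""
    exe = ev.get("exe", "").rsplit("/", 1)[-1]
    if ev["kind"] == "exec" and exe in DS_TOOLS:
        return "directory_services_tool"
    if (ev["kind"] == "file" and ev.get("op") == "create"
            and ev.get("path", "").endswith(TCC_DB_SUFFIX) and exe != "tccd"):
        return "tcc_db_dropped"          # a TCC.db written by something other than tccd
    if ev["kind"] == "signal" and ev.get("target") == "tccd":
        return "tccd_killed"
    return None

def detect(log_text, window=timedelta(minutes=5)):
    """Return {user: (severity, sorted indicators)}; >=2 distinct indicators in `window` is high."""
    hits = {}
    for line in log_text.splitlines():
        ev = parse(line)
        name = indicator(ev)
        if name:
            hits.setdefault(ev["user"], []).append((ev["ts"], name))
    alerts = {}
    for user, events in hits.items():
        events.sort()
        best = set()
        for i, (t0, _) in enumerate(events):          # sliding window starting at each hit
            names = {n for t, n in events[i:] if t - t0 <= window}
            if len(names) > len(best):
                best = names
        alerts[user] = ("high" if len(best) >= 2 else "low", sorted(best))
    return alerts
```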
TCC keeps databases with consent history for app requests. When an app requests access to protected user data, one of two things may occur:
- If the app and the type of request have a record in the TCC databases, a flag in the database entry determines whether the request is allowed or denied automatically and without user interaction.
- If the app and the type of request do not have a record in the TCC databases, the user is prompted and must decide whether to grant or deny access. The decision is saved in the databases, so that any subsequent similar requests will fall under the first scenario.
While Apple enforces a policy that restricts TCC access to apps with Full Disk Access, it is possible to orchestrate an attack in which a malicious application could work around its privacy preferences to retrieve sensitive information from the machine, potentially allowing an adversary to access the microphone to record private conversations or capture screenshots of sensitive information displayed on the user’s screen.
“We discovered that it is possible to programmatically change a target user’s home directory and plant a fake TCC database, which stores the consent history of app requests,” explained Jonathan Bar Or, a member of the Microsoft 365 Defender Research Team. “If exploited on unpatched systems, this vulnerability could potentially enable a malicious actor to orchestrate an attack based on the user’s protected personal data.”
CVE-2021-30970 is the third TCC-related bypass vulnerability discovered, following CVE-2020-9934 and CVE-2020-27937, both of which have since been fixed by Apple. Apple also patched a zero-day flaw in the same component (CVE-2021-30713) in May 2021, which could allow an attacker to gain Full Disk Access, screen recording, or other permissions without users’ explicit consent.
Finally, the researchers concluded: “This shows that even as macOS or other operating systems and applications become more hardened with each release, software vendors like Apple, security researchers, and the larger security community need to continuously work together to identify and fix vulnerabilities before attackers can take advantage of them.”