Microsoft Details ‘powerdir’ macOS Vulnerability Leading to Data Leaks
A vulnerability addressed recently in Apple’s macOS platform could be exploited to gain unauthorized access to a user’s personal data, Microsoft explains.
Tracked as CVE-2021-30970, the new security error, which Microsoft calls powerdir, allows an attacker to bypass the platform’s Transparency, Consent, and Control (TCC) technology and “potentially orchestrate an attack based on the user’s protected personal data.”
Introduced in 2012, TCC is meant to help users configure the privacy settings in their applications, including access to features such as microphone, camera, location, calendar, and more. Users can access these settings under System Preferences > Security & Privacy > Privacy.
TCC maintains two types of databases – one for permissions that apply to a specific user profile and another for permissions that apply system-wide – protected via System Integrity Protection (SIP – prevents unauthorized code execution) and restricted access (to apps with full disk access only).
“We discovered that it is possible to programmatically change a target user’s home directory and plant a fake TCC database, which stores the consent history of app requests,” Microsoft says.
A user with full disk access could locate their TCC.db file, which is an SQLITE database, view it, and even edit it. Thus, a malicious actor with full disk access to the TCC databases could grant arbitrary permissions to their malicious apps, without the user ever being alerted on the matter.
The powerdir vulnerability, Microsoft explains, was identified while looking at the patch Apple released for a previous TCC vulnerability (CVE-2020-9934), and exists because the fix only prevents the attack, but does not address the core issue.
Thus, Microsoft discovered it was possible for an application to change the user’s home directory and plant a fake TCC database (TCC.db file). The attack only works with apps that are granted with a TCC policy maintained by the local or user-specific TCC.db.
Microsoft’s initial proof-of-concept (PoC) code targeting the vulnerability relied on the Directory Services command-line utility (dscl) and was mitigated by changes Apple made in its platform with the release of macOS Monterey in October.
A second PoC exploit was then created using the Apple-signed binary “com.apple.private.tcc.allow,” which had permissions to modify the home directory silently. It also relied on configd to specify the custom bundle to load.
Apple addressed CVE-2021-30970 with the release of macOS Monterey 12.1 in December 2021.