Microsoft security researchers found a macOS exploit that can alter TCC permissions

On Monday, Microsoft publicly disclosed a vulnerability in macOS that could be used to access or exfiltrate sensitive user data. The exploit is facilitated by a flaw in the Transparency, Consent, and Control (TCC) framework. The TCC platform is part of macOS that allows users to control what apps can access users’ data, files, and components.

Microsoft 365 Defender Research Team dubbed the vulnerability (CVE-2021-30970) “powerdir” named after the software exploit created by Microsoft researcher Jonathan Bar Or. Microsoft notified Cupertino of the security flaw in July 2021. Apple patched the flaw in December with macOS 11.6 and 12.1.

“We discovered that it is possible to programmatically change a target user’s home directory and plant a fake TCC database, which stores the consent history of app requests,” explained Or. “If exploited on unpatched systems, this vulnerability could allow a malicious actor to potentially orchestrate an attack based on the user’s protected personal data.”

Screenshots show the program granting Or access to both the microphone and camera. However, the TCC also maintains permission for other components, including screen recording, Bluetooth, location services, contacts, photos, and more.

While Microsoft created the software specifically for this task, any app could use the same technique to exploit the hole. The attacker needs full disk access to the TCC database, which could be granted via other methods. Once gained, hackers can assign or reassign access permissions as they please.

Powerdir is the third TCC bypass found in the last couple of years. The other two (CVE-2020-9934 and CVE-2020-27937) were disclosed and patched in 2020. Another flaw (CVE-2021-30713) found last year in all Apple operating systems allowed attackers arbitrary control over permissions, which hackers actively exploited before being fixed in May.