The Powerdir  MacOS Bug Could Allow Attackers to Snoop On You

The Flaw Could Allow Attackers to Bypass Privacy Preferences, Giving Apps With No Right to Access Files, Microphones, or Cameras the Ability to Record You or Grab Screenshots

Microsoft last week released an advisory about a bug in macOS that Apple fixed the previous month — dubbed "powerdir" — that could let attackers hijack apps, install their malicious apps, use the microphone to eavesdrop or grab screenshots of your screen.

According to the Microsoft 365 Defender Research Team, the vulnerability allows malicious apps to bypass privacy preferences. Precisely, it could allow an attacker to bypass the operating system's Transparency, Consent, and Control (TCC) technology, thereby gaining unauthorized access to protected data in the machine.

Tracked as CVE-2021–30970, the flaw affects a logic issue in the Transparency, Consent, and Control (TCC) security framework, enabling users to configure their apps' privacy settings and provide access to protected files and app data. The Security & Privacy pane in the macOS System Preferences app serves as the front end of TCC.

While Apple implements control that limits access to TCC to only apps with full disk access, it's possible to stage an attack wherein a malicious application could workaround its privacy preferences to retrieve sensitive information from the machine.

Transparency, Consent, and Control (TCC)

TCC was introduced in 2012 in macOS Mountain Lion. It helps users to configure their apps' privacy settings by requiring that all apps get user consent before accessing files in:

• Documents,
• Downloads,
• Desktop,
• iCloud Drive,
• Calendar, and
• Network volumes,
• as well as before the apps can access the device's camera, microphone, or location data.

According to Microsoft's advisory, it is possible to programmatically change a target user's home directory and implant a fake TCC database, which stores the consent history of app requests.

As a result, if a bad actor gains full disk access to the TCC databases, the intruder could edit it to grant arbitrary permissions to any app of their choice. Including their own "app," this flaw effectively allows the app to run with previously not consented to configurations.

CVE-2021–30970 is also the third TCC-related bypass vulnerability to be discovered. All of them were remediated by Apple.

• Time Machine mounts (CVE-2020–9771): macOS offers a built-in backup and restores solution called Time Machine. It was discovered that Time Machine backups could be mounted (using the apfs_mount utility) with the "noowners" flag. Since these backups contain the TCC.db files, an attacker could mount those backups and determine the device's TCC policy without having full disk access.
• Environment variable poisoning (CVE-2020–9934): It was discovered that the user's tccd could build the path to the TCC.db file by expanding $HOME/Library/Application Support/com.apple.TCC/TCC.db. Since the user could manipulate the $HOME environment variable (as introduced to tccd by launchd), an attacker could plant a chosen TCC.db file in an arbitrary path, poison the $HOME environment variable, and make TCC.db consume that file instead.
• Bundle-conclusion issue (CVE-2021–30713): First disclosed by Jamf in a blog post about the XCSSET malware family, this bug abused how macOS was deducing app bundle information. For example, suppose an attacker knows of a specific app that commonly has microphone access. In that case, they could plant their application code in the target app's bundle and "inherit" its TCC capabilities.

How to Update to macOS

Apple released a patch for this vulnerability — identified as CVE-2021–30970 — in macOS Big Sur and macOS Monterey as part of its December 13th, 2021 security updates.

The update is free, and you need to be connected to the internet. The installation will take several minutes (up to about 30 minutes). Also, your Mac needs to restart during the update. Therefore, make sure you backup your working windows and files before the update.

Here are the steps to do the installation:

1. Go to System Preferences in the Apple menu
2. Click on Software Update.
3. Your Mac will check to see if the update is available.
4. When it is, an Install button will appear.
5. Click Install and your Mac will start downloading the update. After that, it will start the installation.

Final Words

Apple remarked that the flaw was a logic issue allowing a malicious to bypass privacy preferences. Apple has since patched these vulnerabilities, but Microsoft said that its research shows that "the potential bypass to TCC.db can still occur."

This shows that macOS or other operating systems and applications become more hardened with each release. As a result, software vendors like Apple, security researchers, and the larger security community need to continuously work together to identify and fix vulnerabilities before attackers can take advantage of them.

Thank you for reading. May InfoSec be with you🖖.

Also Published Here