Powerdir Vulnerability haunts macOS
Share this:
A newcvulnerability addressed recently in Apple’s macOS that could be exploited to gain unauthorized access to a user’s personal data, Microsoft explains.
Tracked as CVE-2021-30970, which Microsoft calls powerdir, allows an attacker to bypass the platform’s Transparency, Consent, and Control (TCC) technology and “potentially orchestrate an attack based on the user’s protected personal data.”
TCC is meant to help users configure the privacy settings in their applications, including access to features such as microphone, camera, location, calendar, and more. Users can access these settings under System Preferences > Security & Privacy > Privacy.
TCC maintains two types of databases one for permissions that apply to a specific user profile and another for permissions that apply system-wide – protected via System Integrity Protection and restricted access.
A user with full disk access could locate their TCC.db file, which is an SQLITE database, view it, and even edit it. Thus, a malicious actor with full disk access to the TCC databases could grant arbitrary permissions to their malicious apps, without the user ever being alerted on the matter.
The powerdir vulnerability, was identified while looking at the patch Apple released for a previous TCC vulnerability (CVE-2020-9934), and exists because the fix only prevents the attack, but does not address the core issue.
Microsoft discovered it was possible for an application to change the user’s home directory and plant a fake TCC database (TCC.db file). The attack only works with apps that are granted with a TCC policy maintained by the local or user-specific TCC.db.
Microsoft’s initial PoC code targeting the vulnerability relied on the Directory Services command-line utility (dscl) and was mitigated by changes Apple made in its platform with the release of macOS Monterey in October.
A second PoC exploit was then created using the Apple-signed binary “com.apple.private.tcc.allow,” which had permissions to modify the home directory silently. It also relied on configd to specify the custom bundle to load.
Apple addressed CVE-2021-30970 with the release of macOS Monterey 12.1 in December 2021.
