macOS Vulnerability "powerdir" could lead to unauthorized user data access
A Transparency, Consent, and Control (TCC) bypass in macOS. TCC is the subsystem responsible for gating access to privacy-protected resources such as privacy settings and iCloud account data. It works by tracking consent history for app requests and storing it in a database; two databases are managed, a per-user database and a system-wide database. Microsoft started from an old bypass, which abused the fact that the `tccd` daemon used the `HOME` environment variable to build the path to the per-user `TCC.db` database file. By manipulating environment variables, the `HOME` path could be switched to an attacker-controlled one to get a fake database loaded.

Apple fixed this by removing the `HOME` variable evaluation in favor of calling `getpwuid()` and using the `pw_dir` field. While this prevents the easy bypass through environment variables, the root issue remains: an attacker can change the home directory in other ways. Two ways are detailed. The first uses the directory services utility to swap the home directory. This requires root and relies on the `dsimport` and `dsexport` utilities for their TCC entitlement, though it is still a privilege escalation, as it allows hijacking the database without Full Disk Access. The second method uses the `configd` daemon, which also has the TCC entitlement and supports loading arbitrary code via `bundle` options.