macOS Vulnerability "powerdir" could lead to unauthorized user data access

We discussed this vulnerability during Episode 147 on 23 May 2022

A Transparency, Consent, and Control (TCC) bypass in macOS. TCC is the subsystem that gates apps' access to privacy-sensitive resources (camera, microphone, protected folders, iCloud account data and so on): it records the user's consent decisions per app and stores them in a database. Two databases are maintained, a per-user one at ~/Library/Application Support/com.apple.TCC/TCC.db and a system-wide one at /Library/Application Support/com.apple.TCC/TCC.db. Microsoft's research started from an older bypass, which abused the fact that the user-level tccd daemon built the path to the user TCC.db from the HOME environment variable. By manipulating the environment tccd was launched with, HOME could be pointed at an attacker-controlled directory, so a forged database containing whatever consent entries the attacker wanted was loaded in place of the real one.

Apple fixed this by removing the HOME variable lookup in favor of getpwuid() and its pw_dir field. While this prevents the easy bypass through environment variables, the root issue remains: the home directory is still attacker-influenced, just through other channels, because getpwuid() ultimately answers from the user record held by Directory Services. Two ways are detailed. The first uses the Directory Services utilities dsexport and dsimport to swap the user's home directory for one holding a forged TCC.db. This required root, and relied on dsexport and dsimport carrying the TCC entitlement needed to change the home directory, but it is still a privilege escalation because it hijacks the database without Full Disk Access. The second method targeted the configd daemon, which also holds that TCC entitlement and accepts a command-line option that loads an arbitrary bundle; injecting code that way gives the attacker a process that can change the home directory itself.
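As an added example, not part of the episode notes or of Microsoft's write-up, here is a small audit script for the powerdir class of bypass. It compares the three places a user's home directory can come from (the HOME environment variable, the pw_dir field returned by getpwuid(), and the NFSHomeDirectory attribute held by Directory Services) and reports which per-user TCC.db each would lead tccd to. The dscl invocation and the assumption that a regular account lives under /Users/<name> are mine; service accounts or custom home layouts will need a local allowlist. The sample dscl output in the main block is constructed.

```python
"""Audit the sources of a user's home directory for TCC.db hijacking.

Added example, not from the podcast or from Microsoft's write-up. The
dscl command line and the /Users/<name> expectation are assumptions.
"""
import os
import pwd
import shutil
import subprocess

TCC_DB_REL = "Library/Application Support/com.apple.TCC/TCC.db"
SYSTEM_TCC_DB = "/Library/Application Support/com.apple.TCC/TCC.db"


def tcc_user_db_path(home: str) -> str:
    """Per-user TCC database path tccd derives from a given home directory."""
    return os.path.join(home, TCC_DB_REL)


def parse_dscl_home(dscl_output: str):
    """Extract NFSHomeDirectory from the output of
    `dscl . -read /Users/<name> NFSHomeDirectory` (one 'key: value' line)."""
    for line in dscl_output.splitlines():
        key, sep, value = line.partition(":")
        if sep and key.strip() == "NFSHomeDirectory":
            return value.strip()
    return None


def audit_home_sources(env_home, pw_home, ds_home, username):
    """Compare the three home-directory sources and return a list of findings.

    An empty list means all available sources agree and point at the
    expected /Users/<username> location (assumed layout for regular users).
    """
    findings = []
    sources = {
        "HOME env": env_home,
        "getpwuid pw_dir": pw_home,
        "DirectoryService NFSHomeDirectory": ds_home,
    }
    present = {k: v for k, v in sources.items() if v}
    distinct = {os.path.normpath(v) for v in present.values()}
    if len(distinct) > 1:
        findings.append(
            "home directory sources disagree: "
            + ", ".join(f"{k}={v}" for k, v in present.items())
        )
    expected = f"/Users/{username}"  # assumption: regular-user layout
    for name, value in present.items():
        if os.path.normpath(value) != expected:
            findings.append(f"{name} is {value}, expected {expected}")
    for home in sorted(distinct):
        db = tcc_user_db_path(home)
        # A database that exists at an unexpected home is the planted one.
        if os.path.normpath(home) != expected and os.path.exists(db):
            findings.append(f"unexpected per-user TCC database present at {db}")
    return findings


def live_audit():
    """Run the audit against the current account (dscl only on macOS)."""
    ent = pwd.getpwuid(os.getuid())
    ds_home = None
    if shutil.which("dscl"):
        out = subprocess.run(
            ["dscl", ".", "-read", f"/Users/{ent.pw_name}", "NFSHomeDirectory"],
            capture_output=True, text=True,
        ).stdout
        ds_home = parse_dscl_home(out)
    return audit_home_sources(os.environ.get("HOME"), ent.pw_dir, ds_home, ent.pw_name)


if __name__ == "__main__":
    # Constructed sample: Directory Services record rewritten to a staging dir.
    sample_dscl = "NFSHomeDirectory: /private/tmp/powerdir-home\n"
    tampered = audit_home_sources(
        "/Users/alice", "/private/tmp/powerdir-home",
        parse_dscl_home(sample_dscl), "alice",
    )
    for f in tampered:
        print("FINDING:", f)
    print("live audit findings:", live_audit())
```

Run it as the user in question; the interesting signal is not any one path but disagreement between sources, since the post-fix tccd follows pw_dir and therefore Directory Services, while the shell's HOME usually still reflects the original account.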