
powerdir bug gives access to protected macOS user data


Microsoft says threat actors could use a macOS vulnerability to bypass Transparency, Consent, and Control (TCC) technology and access users' protected data.

The Microsoft 365 Defender Research Team reported the vulnerability, dubbed powerdir (tracked as CVE-2021-30970), to Apple on July 15, 2021, through Microsoft Security Vulnerability Research (MSVR).

TCC is security technology designed to block apps from accessing sensitive user data by allowing macOS users to configure privacy settings for the apps installed on their systems and for devices connected to their Macs, including cameras and microphones.

While Apple has restricted TCC access only to apps with full disk access and set up features to automatically block unauthorized code execution, Microsoft security researchers found that attackers could plant a second, specially crafted TCC database that would allow them to access protected user information.

“We discovered that it is possible to programmatically change a target user’s home directory and plant a fake TCC database, which stores the consent history of app requests,” said Jonathan Bar Or, a principal security researcher at Microsoft.

“If exploited on unpatched systems, this vulnerability could allow a malicious actor to potentially orchestrate an attack based on the user’s protected personal data.

“For example, the attacker could hijack an app installed on the device—or install their own malicious app—and access the microphone to record private conversations or capture screenshots of sensitive information displayed on the user’s screen.”

Apple has also patched other TCC bypasses reported since 2020, including:

  • Time Machine mounts (CVE-2020-9771): macOS offers a built-in backup and restore solution called Time Machine. It was discovered that Time Machine backups could be mounted (using the apfs_mount utility) with the “noowners” flag. Since these backups contain the TCC.db files, an attacker could mount these backups and determine the device’s TCC policy without having full disk access.
  • Environment variable poisoning (CVE-2020-9934): It was discovered that the user’s tccd could build the path to the TCC.db file by expanding $HOME/Library/Application Support/com.apple.TCC/TCC.db. Since the user could manipulate the $HOME environment variable (as passed to tccd by launchd), an attacker could plant a chosen TCC.db file in an arbitrary path, poison the $HOME environment variable, and make tccd consume that file instead.
  • Bundle conclusion issue (CVE-2021-30713): First disclosed by Jamf in a blog post about the XCSSET malware family, this bug abused how macOS was deducing app bundle information. For example, suppose an attacker knows of a specific app that commonly has microphone access. In that case, they could plant their application code in the target app’s bundle and “inherit” its TCC capabilities.
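The environment-variable bypass above, and the consent history that a planted TCC.db carries, are easiest to understand with a small working model. The following Python script is an added example, not code from Microsoft, Apple or the article: it resolves the TCC.db path the weak way (trusting $HOME, the CVE-2020-9934 pattern) and the hardened way (asking the account database for the real home directory), then builds a constructed, simplified TCC.db with an `access` table and audits which clients hold grants for microphone, camera and screen capture. The column set and the meaning of `auth_value` 2 as "allowed" are assumptions modelled on the real database, not a verified schema; note also that powerdir itself changed the user's recorded home directory, so the passwd lookup shown here defends against the $HOME-poisoning class only, not against that later bug.

```python
import os
import pwd
import sqlite3
import tempfile

# Per-user TCC database path relative to the home directory, as named in the article.
TCC_REL_PATH = os.path.join("Library", "Application Support", "com.apple.TCC", "TCC.db")

# TCC service identifiers a defender most wants to review (real identifier names).
SENSITIVE_SERVICES = {"kTCCServiceMicrophone", "kTCCServiceCamera", "kTCCServiceScreenCapture"}

# Assumption: in the real access table auth_value 2 means the request was allowed.
AUTH_ALLOWED = 2


def home_from_environment():
    """Weak pattern: trust $HOME, a value the launching user controls (CVE-2020-9934 class)."""
    return os.environ.get("HOME", "")


def home_from_passwd():
    """Hardened pattern: take the home directory from the account database, not the environment."""
    try:
        return pwd.getpwuid(os.getuid()).pw_dir
    except KeyError:
        return None  # no passwd entry for this uid (can happen in minimal containers)


def resolve_tcc_db_path(trust_environment):
    """Build the TCC.db path either from $HOME (weak) or from the passwd record (hardened)."""
    home = home_from_environment() if trust_environment else home_from_passwd()
    if not home:
        return None
    return os.path.join(home, TCC_REL_PATH)


def build_sample_tcc_db(path):
    """Constructed sample database: a reduced 'access' table approximating TCC.db (assumption)."""
    os.makedirs(os.path.dirname(path), exist_ok=True)
    conn = sqlite3.connect(path)
    conn.execute(
        "CREATE TABLE access (service TEXT, client TEXT, client_type INTEGER, "
        "auth_value INTEGER, csreq BLOB)"
    )
    # csreq holds the code-signing requirement a grant is bound to; a NULL csreq means
    # the grant is not tied to a verified signature, which is worth flagging in review.
    conn.executemany("INSERT INTO access VALUES (?, ?, ?, ?, ?)", [
        ("kTCCServiceMicrophone", "com.example.chat", 0, AUTH_ALLOWED, b"constructed-req"),
        ("kTCCServiceScreenCapture", "com.example.unknown", 0, AUTH_ALLOWED, None),
        ("kTCCServiceCamera", "com.example.video", 0, 0, b"constructed-req"),
    ])
    conn.commit()
    conn.close()


def audit_tcc_db(path):
    """Return every allowed grant for a sensitive service, flagging grants without a csreq."""
    conn = sqlite3.connect(path)
    rows = conn.execute("SELECT service, client, auth_value, csreq FROM access").fetchall()
    conn.close()
    findings = []
    for service, client, auth_value, csreq in rows:
        if service in SENSITIVE_SERVICES and auth_value == AUTH_ALLOWED:
            findings.append({"service": service, "client": client, "unbound": csreq is None})
    return findings


def demo():
    """Poison $HOME with a scratch directory and compare the two path resolutions."""
    with tempfile.TemporaryDirectory() as fake_home:
        os.environ["HOME"] = fake_home
        poisoned = resolve_tcc_db_path(trust_environment=True)   # lands in attacker-chosen dir
        trusted = resolve_tcc_db_path(trust_environment=False)   # ignores the poisoned value
        build_sample_tcc_db(poisoned)
        return {"poisoned": poisoned, "trusted": trusted, "findings": audit_tcc_db(poisoned)}


if __name__ == "__main__":
    result = demo()
    print("path via $HOME      :", result["poisoned"])
    print("path via passwd     :", result["trusted"])
    for finding in result["findings"]:
        print("allowed grant:", finding)
```

Running the script shows the $HOME-derived path pointing into the scratch directory while the passwd-derived path does not, and the audit lists the two allowed grants, marking the screen-capture entry as unbound because it carries no code requirement. On a real Mac the same audit function can be pointed at the user's actual TCC.db (it needs full disk access to read it) to review which clients currently hold sensitive grants.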
Figure: powerdir PoC exploit (Microsoft)

Apple fixed the vulnerability in security updates released last month, on December 13, 2021. “A malicious application may be able to bypass Privacy preferences,” the company explained in the security advisory.

Apple addressed the logic issue behind the powerdir security flaw with improved state management.

“During this research, we had to update our proof-of-concept (POC) exploit because the initial version no longer worked on the latest macOS version, Monterey,” Jonathan Bar Or added.

“This shows that even as macOS or other operating systems and applications become more hardened with each release, software vendors like Apple, security researchers, and the larger security community need to continuously work together to identify and fix vulnerabilities before attackers can take advantage of them.”

Microsoft has previously reported finding a security flaw dubbed Shrootless that could allow an attacker to bypass System Integrity Protection (SIP) and perform arbitrary operations, elevate privileges to root, and install rootkits on vulnerable devices.

The company’s researchers also discovered new variants of the macOS WizardUpdate malware (aka UpdateAgent or Vigram), updated with new evasion and persistence tactics.

Last year, in June, Redmond disclosed critical firmware bugs in some NETGEAR router models that hackers could use to breach and move laterally within enterprise networks.
