librarian (CVE-2023-38571) - a macOS TCC bypass in Music and TV
Posted on 2023-09-27 in blog
This post is a writeup of CVE-2023-38571, a macOS TCC bypass bug I found. It was supposed to be unveiled in my upcoming talk, "Unexpected, Unreasonable, Unfixable: Filesystem Attacks on macOS" at OBTS v6, but I needed to cut some bugs out. This is another one of them.
Background
While doing my various filesystem investigations on macOS it came to my attention that quite a few binaries possess the coveted kTCCServiceSystemPolicyAllFiles value in com.apple.private.tcc.allow. This entitlement, as its name might suggest, allows us to access any file/directory on the system as if we had FDA (Full Disk Access).
Non-Apple researcher sidenote:
If you don't know what FDA is good for, it's a program's special ability to bypass the filtering implemented by TCC (Transparency Consent and Control). TCC is the framework that produces the annoying popup modals and it's the system that disallows users (including root) from accessing your Pictures, Contacts, location, camera, microphone and many other things. You can think of it as basically macOS/iOS AppArmor.
Why do we care? Because TCC bypasses can fetch up to $100 000:
"$100,000: Broad app access to sensitive data normally protected by a TCC prompt or the platform sandbox. As an example, you demonstrated that an iOS app is able to programmatically gain unauthorized access to all TCC-protected data."
Apple takes this very seriously - as they should - so any TCC bypass is a lucrative and impactful bug.
Here's a full list of FDA-entitled executables for version macOS-14.0-23A339:
/usr/libexec/diskimagesiod
/usr/libexec/taskgated-helper
/usr/libexec/AppleQEMUGuestAgent
/usr/libexec/taskgated
/usr/libexec/syspolicyd
/usr/libexec/containermanagerd
/usr/libexec/lsd
/usr/libexec/sandboxd
/usr/libexec/amfid
/usr/libexec/mdmclient
/usr/libexec/kernelmanager_helper
/usr/libexec/containermanagerd_system
/usr/libexec/secinitd
/usr/libexec/kernelmanagerd
/usr/libexec/warmd_agent
/usr/sbin/filecoordinationd
/usr/sbin/securityd
/Library/Apple/System/Library/CoreServices/XProtect.app/Contents/MacOS/XProtectRemediatorDubRobber
/Library/Developer/PrivateFrameworks/CoreSimulator.framework/Versions/A/XPCServices/SimulatorTrampoline.xpc/Contents/MacOS/SimulatorTrampoline
/System/Library/CoreServices/sharedfilelistd
/System/Library/CoreServices/launchservicesd
/System/Library/CoreServices/ScopedBookmarkAgent
/System/Library/CoreServices/ReportCrash
/System/Library/CoreServices/iconservicesagent
/System/Library/CoreServices/pbs
/System/Library/CoreServices/Dock.app/Contents/MacOS/Dock
/System/Library/CoreServices/VoiceOver.app/Contents/MacOS/VoiceOverStarter
/System/Library/CoreServices/VoiceOver.app/Contents/MacOS/VoiceOver
/System/Library/CoreServices/backupd.bundle/Contents/Resources/backupd
/System/Library/CoreServices/backupd.bundle/Contents/Resources/backupd-helper
/System/Library/CoreServices/WindowManager.app/Contents/MacOS/WindowManager
/System/Library/CoreServices/Finder.app/Contents/MacOS/Finder
/System/Library/CoreServices/RemoteManagement/screensharingd.bundle/Contents/Support/SSFileCopySender.bundle/Contents/MacOS/SSFileCopySender
/System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/MacOS/ARDAgent
/System/Library/CoreServices/CoreServicesUIAgent.app/Contents/MacOS/CoreServicesUIAgent
/System/Library/CoreServices/ManagedClient.app/Contents/MacOS/ManagedClient
/System/Library/CoreServices/Applications/Archive Utility.app/Contents/XPCServices/AUHelperService.xpc/Contents/MacOS/AUHelperService
/System/Library/CoreServices/Spotlight.app/Contents/MacOS/Spotlight
/System/Library/CoreServices/WallpaperAgent.app/Contents/MacOS/WallpaperAgent
/System/Library/CoreServices/KeyboardAccessAgent.app/Contents/MacOS/KeyboardAccessAgent
/System/Library/ExtensionKit/Extensions/LockScreen.appex/Contents/MacOS/LockScreen
/System/Library/ExtensionKit/Extensions/TimeMachineSettings.appex/Contents/MacOS/TimeMachineSettings
/System/Library/ExtensionKit/Extensions/iLifeSlideshows.appex/Contents/MacOS/iLifeSlideshows
/System/Library/ExtensionKit/Extensions/Storage.appex/Contents/MacOS/Storage
/System/Library/ExtensionKit/Extensions/SecurityPrivacyExtension.appex/Contents/MacOS/SecurityPrivacyExtension
/System/Library/ExtensionKit/Extensions/Wallpaper.appex/Contents/MacOS/Wallpaper
/System/Library/ExtensionKit/Extensions/Sharing.appex/Contents/MacOS/Sharing
/System/Library/ExtensionKit/Extensions/UsersGroups.appex/Contents/MacOS/UsersGroups
/System/Library/Templates/Data/Library/Apple/System/Library/CoreServices/XProtect.app/Contents/MacOS/XProtectRemediatorDubRobber
/System/Library/PrivateFrameworks/MediaAnalysisAccess.framework/Versions/A/XPCServices/mediaanalysisd-access.xpc/Contents/MacOS/mediaanalysisd-access
/System/Library/PrivateFrameworks/ConfigurationProfiles.framework/XPCServices/EraseService.xpc/Contents/MacOS/EraseService
/System/Library/PrivateFrameworks/TCC.framework/Support/tccd
/System/Library/PrivateFrameworks/BackgroundTaskManagement.framework/Versions/A/Resources/backgroundtaskmanagementd
/System/Library/PrivateFrameworks/BackgroundTaskManagement.framework/Support/BackgroundTaskManagementAgent.app/Contents/MacOS/BackgroundTaskManagementAgent
/System/Library/PrivateFrameworks/SystemMigration.framework/Versions/A/Resources/systemmigrationd
/System/Library/PrivateFrameworks/DesktopServicesPriv.framework/Versions/A/Resources/DesktopServicesHelper
/System/Library/PrivateFrameworks/AMPLibrary.framework/Versions/A/Support/AMPLibraryAgent
/System/Library/PrivateFrameworks/Hydra.framework/Versions/C/XPCServices/HydraRenderingService.xpc/Contents/MacOS/HydraRenderingService
/System/Library/PrivateFrameworks/StorageManagement.framework/PlugIns/StorageManagementService
/System/Library/PrivateFrameworks/StorageManagement.framework/PlugIns/DeveloperStorageExtension.appex/Contents/MacOS/DeveloperStorageExtension
/System/Library/PrivateFrameworks/StorageManagement.framework/PlugIns/GarageBandStorageExtension.appex/Contents/MacOS/GarageBandStorageExtension
/System/Library/PrivateFrameworks/StorageManagement.framework/PlugIns/TrashStorageExtension.appex/Contents/MacOS/TrashStorageExtension
/System/Library/PrivateFrameworks/StorageManagement.framework/PlugIns/OtherUsersStorageExtension.appex/Contents/MacOS/OtherUsersStorageExtension
/System/Library/PrivateFrameworks/StorageManagement.framework/PlugIns/AppleInternalStorageExtension.appex/Contents/MacOS/AppleInternalStorageExtension
/System/Library/PrivateFrameworks/StorageManagement.framework/PlugIns/iOSFilesStorageExtension.appex/Contents/MacOS/iOSFilesStorageExtension
/System/Library/PrivateFrameworks/StorageManagement.framework/PlugIns/ApplicationsStorageExtension.appex/Contents/MacOS/ApplicationsStorageExtension
/System/Library/PrivateFrameworks/StorageManagement.framework/Versions/A/Resources/diskspaced
/System/Library/PrivateFrameworks/SystemMigrationNetwork.framework/Versions/A/Resources/migrationhelper
/System/Library/PrivateFrameworks/SharePointManagement.framework/XPCServices/SharePointManagementService.xpc/Contents/MacOS/SharePointManagementService
/System/Library/PrivateFrameworks/SiriTTSTraining.framework/SiriTTSTrainingAgent
/System/Library/PrivateFrameworks/RemoteViewServices.framework/XPCServices/com.apple.security.pboxd.xpc/Contents/MacOS/com.apple.security.pboxd
/System/Library/PrivateFrameworks/UserActivity.framework/Agents/useractivityd
/System/Library/PrivateFrameworks/XprotectFramework.framework/Versions/A/XPCServices/XprotectService.xpc/Contents/MacOS/XprotectService
/System/Library/PrivateFrameworks/AssistantServices.framework/Versions/A/Support/assistant_service
/System/Library/PrivateFrameworks/CloudPhotoLibrary.framework/Versions/A/Support/cloudphotod
/System/Library/PrivateFrameworks/CommerceKit.framework/Versions/A/Resources/storeassetd
/System/Library/PrivateFrameworks/PodcastServices.framework/XPCServices/PodcastContentService.xpc/Contents/MacOS/PodcastContentService
/System/Library/PrivateFrameworks/WorkflowKit.framework/XPCServices/ShortcutsFileAccessHelper.xpc/Contents/MacOS/ShortcutsFileAccessHelper
/System/Library/PrivateFrameworks/LibraryRepair.framework/Versions/A/XPCServices/com.apple.library-repair.agent.xpc/Contents/MacOS/com.apple.library-repair.agent
/System/Library/Frameworks/ApplicationServices.framework/Versions/A/Frameworks/ATS.framework/Versions/A/Support/fontd
/System/Library/Frameworks/ApplicationServices.framework/Versions/A/Frameworks/ATS.framework/Versions/A/Support/fontmover
/System/Library/Frameworks/Security.framework/Versions/A/XPCServices/com.apple.CodeSigningHelper.xpc/Contents/MacOS/com.apple.CodeSigningHelper
/System/Library/Frameworks/CoreServices.framework/Versions/A/Frameworks/Metadata.framework/Versions/A/Support/mdwrite
/System/Library/Frameworks/CoreServices.framework/Versions/A/Frameworks/Metadata.framework/Versions/A/Support/mdsync
/System/Library/Frameworks/CoreServices.framework/Versions/A/Frameworks/Metadata.framework/Versions/A/Support/mds
/System/Library/Frameworks/CoreServices.framework/Versions/A/Frameworks/Metadata.framework/Versions/A/Support/mdworker_shared
/System/Library/Frameworks/AppKit.framework/Versions/C/XPCServices/DocumentPopoverViewService.xpc/Contents/MacOS/DocumentPopoverViewService
/System/Library/Frameworks/AppKit.framework/Versions/C/XPCServices/com.apple.appkit.xpc.openAndSavePanelService.xpc/Contents/MacOS/com.apple.appkit.xpc.openAndSavePanelService
/System/Library/Frameworks/QuickLook.framework/Versions/A/Resources/quicklookd.app/Contents/MacOS/quicklookd
/System/Library/InternetAccounts/internetAccountsMigrator
/System/Applications/Music.app/Contents/MacOS/Music
/System/Applications/Image Capture.app/Contents/MacOS/Image Capture
/System/Applications/TV.app/Contents/MacOS/TV
/System/Applications/Utilities/System Information.app/Contents/MacOS/System Information
/System/Applications/Utilities/Boot Camp Assistant.app/Contents/XPCServices/bootcampassistantinstalld.xpc/Contents/MacOS/bootcampassistantinstalld
/System/Volumes/Preboot/Cryptexes/App/System/Library/CoreServices/Web App.app/Contents/XPCServices/com.apple.Safari.SandboxBroker.xpc/Contents/MacOS/com.apple.Safari.SandboxBroker
/System/Volumes/Preboot/Cryptexes/App/System/Applications/Safari.app/Contents/XPCServices/com.apple.Safari.SandboxBroker.xpc/Contents/MacOS/com.apple.Safari.SandboxBroker
To get this I wrote my own tooling, as Jonathan Levin's amazing entitlement database does not have the ability to do complex queries. You can do the same with some - ugly but effective - find + codesign.
As you can see, there are many executables with this entitlement, and while we can't execute a lot of them, we can definitely run the ones in /System/Applications/.
So why not dig into that? The obviously juicy ones from the list are Music and TV, two apps that have pretty much zero reason to have FDA, and they're huge.
Let's start with Music. It has an absolutely shocking number of 447 unique library dependencies, which is quite a lot lower than the ~1200 I tweeted out earlier (my mistake), but this is still plenty of attack surface for us to sink our teeth into.
As to the reason why Music and TV have the FDA entitlement, I haven't got the faintest clue.
Curious, I started messing around with these apps, and one thing was immediately obvious: these apps do not behave the way high-privileged apps should. They're quite happy to read/write files in unprotected directories in my home directory.
The bug
From here on out I'll talk exclusively about Music, but TV is similarly vulnerable.
Music has an interesting feature: when it's running, it will import files dropped into
~/Music/Music/Media.localized/Automatically Add to Music.localized
into the user's "media library".
The fact that this FDA app will parse complex user-supplied data is alarming enough, but there's something else here that takes the cake: if it does not recognize the file as valid audio, it will move the file to the folder
~/Music/Music/Media.localized/Automatically Add to Music.localized/Not Added.localized
Now, why is this bad? Well, because Music ends up calling something like this:
rename(a, b);
where a and b are:
a = "~/Music/Music/Media.localized/Automatically Add to Music.localized/myfile.mp3"
b = "~/Music/Music/Media.localized/Automatically Add to Music.localized/Not Added.localized/2023-09-25 11.06.28/myfile.mp3"
NOTE: The "~" is not present in the actual path, I used that to shorten it somewhat.
So, essentially a rename() will take place, and I control the:
- file contents
- source filename
- destination filename
- a segment in both paths
The only twist is that a directory will be created with the current date and time, and our file is moved into it. I will call this new directory datedir.
As far as trivial bugs go, this one is pretty much as good as it gets.
The exploit
To exploit this we can simply redirect the destination part of the rename() call. The fact that datedir gets created right before the rename() is super helpful:
- wait for datedir to be created
- remove datedir
- replace datedir with a symbolic link to ~/Library/Application Support/com.apple.TCC/
With this cheap trick we just copied myfile.mp3 to the TCC directory.
To actually do something useful, we'll generate our own TCC db in a file called TCC.db, drop that in and repeat the exploit. Music does the rename() and we end up fully controlling the user's TCC.db to gain FDA.
Non-Apple researcher sidenote:
There are actually two TCC.dbs on the system: the user's is in our home and the system's is at /Library/Application Support/com.apple.TCC/. The significance of this is only that we can't grant ourselves actual FDA by controlling the user's TCC.db alone, because that grant lives in the system database. What we can do is give ourselves Automation rights to Finder, and since Finder has FDA, so do we.
Demo and code
The full exploit code is on my github: https://github.com/gergelykalman/CVE-2023-38571-a-macOS-TCC-bypass-in-Music-and-TV
The fix
Apple replaced the rename() call with renameatx_np() with the RENAME_NOFOLLOW_ANY flag set, which closed the symlink vector for good.
Root causes
- Huge apps like Music and TV should never have been granted the FDA permission, as they are impossible to secure retroactively
- rename() is insecure as it has no ability to prevent symlinks, and the alternative is non-portable (not in POSIX)
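To make the fix and the second root cause concrete, here is an added example (my own demo code, not Apple's code and not the exploit from the repository above) that puts the vulnerable rename() pattern beside a hardened one and runs both against the race in a throwaway directory tree under /tmp. The tree, the file name myfile.mp3 and the directory names datedir and tcc-dir are constructed stand-ins for Music's real paths. On macOS the hardened variant uses renameatx_np() with RENAME_NOFOLLOW_ANY as the post describes; on other systems (and so that the demo runs on Linux) it falls back to my portable approximation: open the freshly created directory with O_DIRECTORY|O_NOFOLLOW, which fails with ELOOP once the directory has been swapped for a symlink, and rename relative to that descriptor with renameat().

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Vulnerable pattern (what the post says Music did): build the destination as a
 * plain path string and rename() through it. Every component of both paths is
 * resolved at call time, so a symlink swapped in at datedir is silently followed. */
int move_vulnerable(const char *src, const char *datedir, const char *name)
{
    char dst[PATH_MAX];
    snprintf(dst, sizeof dst, "%s/%s", datedir, name);
    return rename(src, dst);
}

/* Hardened pattern. On macOS this is the fix the post describes: renameatx_np()
 * with RENAME_NOFOLLOW_ANY refuses to follow a symlink in any component of either
 * path. Elsewhere the portable approximation (assumption: my own, not Apple's)
 * pins only the freshly created datedir: O_NOFOLLOW makes open() fail with ELOOP
 * if datedir has become a symlink, and renameat() then works relative to the
 * descriptor, so the path string is never re-resolved. Parent components and the
 * source path are not protected by this fallback. */
int move_hardened(const char *src, const char *datedir, const char *name)
{
#ifdef __APPLE__
    char dst[PATH_MAX];
    snprintf(dst, sizeof dst, "%s/%s", datedir, name);
    return renameatx_np(AT_FDCWD, src, AT_FDCWD, dst, RENAME_NOFOLLOW_ANY);
#else
    int dfd = open(datedir, O_RDONLY | O_DIRECTORY | O_NOFOLLOW | O_CLOEXEC);
    if (dfd < 0)
        return -1;                   /* errno == ELOOP: datedir is now a symlink */
    int rc = renameat(AT_FDCWD, src, dfd, name);
    int saved = errno;
    close(dfd);
    errno = saved;
    return rc;
#endif
}

/* Regression test for the race. Builds a constructed tree under /tmp in which
 * "datedir" has already been replaced by a symlink to "tcc-dir" (standing in for
 * the TCC directory) before the move happens. Returns 1 if myfile.mp3 ended up
 * inside tcc-dir (the bug), 0 if the move was refused, -1 on setup failure. */
int simulate_race(int hardened)
{
    char base[] = "/tmp/librarian-demo-XXXXXX";
    if (!mkdtemp(base))
        return -1;

    char src[PATH_MAX], datedir[PATH_MAX], target[PATH_MAX], leaked[PATH_MAX];
    snprintf(src, sizeof src, "%s/myfile.mp3", base);
    snprintf(datedir, sizeof datedir, "%s/datedir", base);
    snprintf(target, sizeof target, "%s/tcc-dir", base);
    snprintf(leaked, sizeof leaked, "%s/myfile.mp3", target);

    FILE *f = fopen(src, "w");
    if (!f)
        return -1;
    fputs("not really audio\n", f);  /* constructed "unrecognized" input file */
    fclose(f);

    /* The directory the app creates, and the directory the attacker points at. */
    if (mkdir(datedir, 0700) != 0 || mkdir(target, 0700) != 0)
        return -1;

    /* The race is lost: datedir is removed and replaced by a symlink to tcc-dir. */
    if (rmdir(datedir) != 0 || symlink(target, datedir) != 0)
        return -1;

    if (hardened)
        move_hardened(src, datedir, "myfile.mp3");
    else
        move_vulnerable(src, datedir, "myfile.mp3");
    int hijacked = (access(leaked, F_OK) == 0);

    /* Remove the throwaway tree again. */
    unlink(leaked);
    unlink(src);
    unlink(datedir);
    rmdir(target);
    rmdir(base);
    return hijacked;
}

int main(void)
{
    printf("rename():         file hijacked = %d\n", simulate_race(0));
    printf("hardened variant: file hijacked = %d\n", simulate_race(1));
    return 0;
}
```

Running it, the plain rename() lands the file in tcc-dir, while the hardened variant refuses the move and the file stays where it was. The point of the fallback branch is the general lesson behind the fix: a path string that a less privileged user can influence must not be re-resolved between the check (the mkdir) and the use (the rename); either pin the directory with a descriptor, or use an API such as renameatx_np() with RENAME_NOFOLLOW_ANY that refuses symlinks outright.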
Conclusion
The fix for the bug seems solid, but it fails to address the core underlying issue: as long as Music has FDA, bugs like this will keep happening. In fact I have reported several similar vulnerabilities to Apple already.
I will talk about all of them and more in my talk at OBTS: "Unexpected, Unreasonable, Unfixable: Filesystem Attacks on macOS" at OBTS v6
If you miss that, there will be a recording, slides and eventually blogposts.
Stay tuned and update your devices!
Timeline
- 2023.04.28: Report sent to Apple
- 2023.07.07: Request for update
- 2023.07.08: Apple: Still working on it
- 2023.07.08: Upon testing I realized that the fix was in the beta already, re-tested and let Apple know
- 2023.07.24: Bounty awarded
Apple fixed the bug pretty quickly, I can't complain.
Thanks Apple!
Special Thanks
I don't know who came up with the Finder Automation technique, but I read about it in Csaba Fitzl's blog:
https://theevilbit.github.io/posts/cve-2021-30808/
Thanks Csaba :)