librarian (CVE-2023-38571) - a macOS TCC bypass in Music and TV

Posted on 2023-09-27 in blog

This post is a writeup of CVE-2023-38571, a macOS TCC bypass bug I found. It was supposed to be unveiled in my upcoming talk:

"Unexpected, Unreasonable, Unfixable: Filesystem Attacks on macOS" at OBTS v6,

but I needed to cut some bugs out. This is another one of them.

Background

While doing my various filesystem investigations on macOS, it came to my attention that quite a few binaries possess the coveted kTCCServiceSystemPolicyAllFiles in com.apple.private.tcc.allow.

This entitlement, as its name might suggest, allows us to access any file or directory on the system as if we had FDA (Full Disk Access).

Non-Apple researcher sidenote:

If you don't know what FDA is good for, it's a program's special ability to bypass the filtering implemented by TCC (Transparency, Consent, and Control). TCC is the framework that produces the annoying popup modals, and it's the system that disallows users (including root) from accessing your Pictures, Contacts, location, camera, microphone and many other things. You can think of it as basically macOS/iOS AppArmor.

Why do we care? Because TCC bypasses can fetch up to $100 000:

"$100,000: Broad app access to sensitive data normally protected by a TCC prompt or the platform sandbox. As an example, you demonstrated that an iOS app is able to programmatically gain unauthorized access to all TCC-protected data."

Apple takes this very seriously - as they should - so any TCC bypass is a lucrative and impactful bug.

Here's a full list of FDA-entitled executables for version macOS-14.0-23A339:

/usr/libexec/diskimagesiod  
/usr/libexec/taskgated-helper  
/usr/libexec/AppleQEMUGuestAgent  
/usr/libexec/taskgated  
/usr/libexec/syspolicyd  
/usr/libexec/containermanagerd  
/usr/libexec/lsd  
/usr/libexec/sandboxd  
/usr/libexec/amfid  
/usr/libexec/mdmclient  
/usr/libexec/kernelmanager_helper  
/usr/libexec/containermanagerd_system  
/usr/libexec/secinitd  
/usr/libexec/kernelmanagerd  
/usr/libexec/warmd_agent  
/usr/sbin/filecoordinationd  
/usr/sbin/securityd  
/Library/Apple/System/Library/CoreServices/XProtect.app/Contents/MacOS/XProtectRemediatorDubRobber  
/Library/Developer/PrivateFrameworks/CoreSimulator.framework/Versions/A/XPCServices/SimulatorTrampoline.xpc/Contents/MacOS/SimulatorTrampoline  
/System/Library/CoreServices/sharedfilelistd  
/System/Library/CoreServices/launchservicesd  
/System/Library/CoreServices/ScopedBookmarkAgent  
/System/Library/CoreServices/ReportCrash  
/System/Library/CoreServices/iconservicesagent  
/System/Library/CoreServices/pbs  
/System/Library/CoreServices/Dock.app/Contents/MacOS/Dock  
/System/Library/CoreServices/VoiceOver.app/Contents/MacOS/VoiceOverStarter  
/System/Library/CoreServices/VoiceOver.app/Contents/MacOS/VoiceOver  
/System/Library/CoreServices/backupd.bundle/Contents/Resources/backupd  
/System/Library/CoreServices/backupd.bundle/Contents/Resources/backupd-helper  
/System/Library/CoreServices/WindowManager.app/Contents/MacOS/WindowManager  
/System/Library/CoreServices/Finder.app/Contents/MacOS/Finder  
/System/Library/CoreServices/RemoteManagement/screensharingd.bundle/Contents/Support/SSFileCopySender.bundle/Contents/MacOS/SSFileCopySender  
/System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/MacOS/ARDAgent  
/System/Library/CoreServices/CoreServicesUIAgent.app/Contents/MacOS/CoreServicesUIAgent  
/System/Library/CoreServices/ManagedClient.app/Contents/MacOS/ManagedClient  
/System/Library/CoreServices/Applications/Archive Utility.app/Contents/XPCServices/AUHelperService.xpc/Contents/MacOS/AUHelperService  
/System/Library/CoreServices/Spotlight.app/Contents/MacOS/Spotlight  
/System/Library/CoreServices/WallpaperAgent.app/Contents/MacOS/WallpaperAgent  
/System/Library/CoreServices/KeyboardAccessAgent.app/Contents/MacOS/KeyboardAccessAgent  
/System/Library/ExtensionKit/Extensions/LockScreen.appex/Contents/MacOS/LockScreen  
/System/Library/ExtensionKit/Extensions/TimeMachineSettings.appex/Contents/MacOS/TimeMachineSettings  
/System/Library/ExtensionKit/Extensions/iLifeSlideshows.appex/Contents/MacOS/iLifeSlideshows  
/System/Library/ExtensionKit/Extensions/Storage.appex/Contents/MacOS/Storage  
/System/Library/ExtensionKit/Extensions/SecurityPrivacyExtension.appex/Contents/MacOS/SecurityPrivacyExtension  
/System/Library/ExtensionKit/Extensions/Wallpaper.appex/Contents/MacOS/Wallpaper  
/System/Library/ExtensionKit/Extensions/Sharing.appex/Contents/MacOS/Sharing  
/System/Library/ExtensionKit/Extensions/UsersGroups.appex/Contents/MacOS/UsersGroups  
/System/Library/Templates/Data/Library/Apple/System/Library/CoreServices/XProtect.app/Contents/MacOS/XProtectRemediatorDubRobber  
/System/Library/PrivateFrameworks/MediaAnalysisAccess.framework/Versions/A/XPCServices/mediaanalysisd-access.xpc/Contents/MacOS/mediaanalysisd-access  
/System/Library/PrivateFrameworks/ConfigurationProfiles.framework/XPCServices/EraseService.xpc/Contents/MacOS/EraseService  
/System/Library/PrivateFrameworks/TCC.framework/Support/tccd  
/System/Library/PrivateFrameworks/BackgroundTaskManagement.framework/Versions/A/Resources/backgroundtaskmanagementd  
/System/Library/PrivateFrameworks/BackgroundTaskManagement.framework/Support/BackgroundTaskManagementAgent.app/Contents/MacOS/BackgroundTaskManagementAgent  
/System/Library/PrivateFrameworks/SystemMigration.framework/Versions/A/Resources/systemmigrationd  
/System/Library/PrivateFrameworks/DesktopServicesPriv.framework/Versions/A/Resources/DesktopServicesHelper  
/System/Library/PrivateFrameworks/AMPLibrary.framework/Versions/A/Support/AMPLibraryAgent  
/System/Library/PrivateFrameworks/Hydra.framework/Versions/C/XPCServices/HydraRenderingService.xpc/Contents/MacOS/HydraRenderingService  
/System/Library/PrivateFrameworks/StorageManagement.framework/PlugIns/StorageManagementService  
/System/Library/PrivateFrameworks/StorageManagement.framework/PlugIns/DeveloperStorageExtension.appex/Contents/MacOS/DeveloperStorageExtension  
/System/Library/PrivateFrameworks/StorageManagement.framework/PlugIns/GarageBandStorageExtension.appex/Contents/MacOS/GarageBandStorageExtension  
/System/Library/PrivateFrameworks/StorageManagement.framework/PlugIns/TrashStorageExtension.appex/Contents/MacOS/TrashStorageExtension  
/System/Library/PrivateFrameworks/StorageManagement.framework/PlugIns/OtherUsersStorageExtension.appex/Contents/MacOS/OtherUsersStorageExtension  
/System/Library/PrivateFrameworks/StorageManagement.framework/PlugIns/AppleInternalStorageExtension.appex/Contents/MacOS/AppleInternalStorageExtension  
/System/Library/PrivateFrameworks/StorageManagement.framework/PlugIns/iOSFilesStorageExtension.appex/Contents/MacOS/iOSFilesStorageExtension  
/System/Library/PrivateFrameworks/StorageManagement.framework/PlugIns/ApplicationsStorageExtension.appex/Contents/MacOS/ApplicationsStorageExtension  
/System/Library/PrivateFrameworks/StorageManagement.framework/Versions/A/Resources/diskspaced  
/System/Library/PrivateFrameworks/SystemMigrationNetwork.framework/Versions/A/Resources/migrationhelper  
/System/Library/PrivateFrameworks/SharePointManagement.framework/XPCServices/SharePointManagementService.xpc/Contents/MacOS/SharePointManagementService  
/System/Library/PrivateFrameworks/SiriTTSTraining.framework/SiriTTSTrainingAgent  
/System/Library/PrivateFrameworks/RemoteViewServices.framework/XPCServices/com.apple.security.pboxd.xpc/Contents/MacOS/com.apple.security.pboxd  
/System/Library/PrivateFrameworks/UserActivity.framework/Agents/useractivityd  
/System/Library/PrivateFrameworks/XprotectFramework.framework/Versions/A/XPCServices/XprotectService.xpc/Contents/MacOS/XprotectService  
/System/Library/PrivateFrameworks/AssistantServices.framework/Versions/A/Support/assistant_service  
/System/Library/PrivateFrameworks/CloudPhotoLibrary.framework/Versions/A/Support/cloudphotod  
/System/Library/PrivateFrameworks/CommerceKit.framework/Versions/A/Resources/storeassetd  
/System/Library/PrivateFrameworks/PodcastServices.framework/XPCServices/PodcastContentService.xpc/Contents/MacOS/PodcastContentService  
/System/Library/PrivateFrameworks/WorkflowKit.framework/XPCServices/ShortcutsFileAccessHelper.xpc/Contents/MacOS/ShortcutsFileAccessHelper  
/System/Library/PrivateFrameworks/LibraryRepair.framework/Versions/A/XPCServices/com.apple.library-repair.agent.xpc/Contents/MacOS/com.apple.library-repair.agent  
/System/Library/Frameworks/ApplicationServices.framework/Versions/A/Frameworks/ATS.framework/Versions/A/Support/fontd  
/System/Library/Frameworks/ApplicationServices.framework/Versions/A/Frameworks/ATS.framework/Versions/A/Support/fontmover  
/System/Library/Frameworks/Security.framework/Versions/A/XPCServices/com.apple.CodeSigningHelper.xpc/Contents/MacOS/com.apple.CodeSigningHelper  
/System/Library/Frameworks/CoreServices.framework/Versions/A/Frameworks/Metadata.framework/Versions/A/Support/mdwrite  
/System/Library/Frameworks/CoreServices.framework/Versions/A/Frameworks/Metadata.framework/Versions/A/Support/mdsync  
/System/Library/Frameworks/CoreServices.framework/Versions/A/Frameworks/Metadata.framework/Versions/A/Support/mds  
/System/Library/Frameworks/CoreServices.framework/Versions/A/Frameworks/Metadata.framework/Versions/A/Support/mdworker_shared  
/System/Library/Frameworks/AppKit.framework/Versions/C/XPCServices/DocumentPopoverViewService.xpc/Contents/MacOS/DocumentPopoverViewService  
/System/Library/Frameworks/AppKit.framework/Versions/C/XPCServices/com.apple.appkit.xpc.openAndSavePanelService.xpc/Contents/MacOS/com.apple.appkit.xpc.openAndSavePanelService  
/System/Library/Frameworks/QuickLook.framework/Versions/A/Resources/quicklookd.app/Contents/MacOS/quicklookd  
/System/Library/InternetAccounts/internetAccountsMigrator  
/System/Applications/Music.app/Contents/MacOS/Music  
/System/Applications/Image Capture.app/Contents/MacOS/Image Capture  
/System/Applications/TV.app/Contents/MacOS/TV  
/System/Applications/Utilities/System Information.app/Contents/MacOS/System Information  
/System/Applications/Utilities/Boot Camp Assistant.app/Contents/XPCServices/bootcampassistantinstalld.xpc/Contents/MacOS/bootcampassistantinstalld  
/System/Volumes/Preboot/Cryptexes/App/System/Library/CoreServices/Web App.app/Contents/XPCServices/com.apple.Safari.SandboxBroker.xpc/Contents/MacOS/com.apple.Safari.SandboxBroker  
/System/Volumes/Preboot/Cryptexes/App/System/Applications/Safari.app/Contents/XPCServices/com.apple.Safari.SandboxBroker.xpc/Contents/MacOS/com.apple.Safari.SandboxBroker

To get this list I wrote my own tooling, as Jonathan Levin's amazing entitlement database does not support complex queries. You can do the same with an ugly but effective combination of find + codesign.

As you can see, there are many executables with this entitlement and while we can't execute a lot of them, we can definitely run the ones in /System/Applications/.

So why not dig into that? The obviously juicy ones from the list are Music and TV, two apps that pretty much have zero reason to have FDA, and they're huge.

Let's start with Music. It has an absolutely shocking number of 447 unique library dependencies, which is quite a lot lower than the ~1200 I tweeted out earlier (my mistake), but this is still plenty of attack surface for us to sink our teeth into.

As to the reason why Music and TV have the FDA entitlement, I haven't got the faintest clue.

Out of curiosity I started messing around with these apps, and one thing was immediately obvious at the start: these apps do not behave like high-privileged apps should. They're quite happy to read and write files in unprotected directories in my home directory.

The bug

From here on out I'll talk exclusively about Music, but TV is similarly vulnerable.

Music has an interesting feature: When it's running, it will import the files dropped to ~/Music/Music/Media.localized/Automatically Add to Music.localized into the user's "media library".

The fact that this FDA app will parse complex user-supplied data is alarming enough, but there's something else here that takes the cake:

If it does not recognize the file as valid audio it will move the file to the folder:

~/Music/Music/Media.localized/Automatically Add to Music.localized/Not Added.localized

Now, why is this bad? Well, because Music ends up calling something like this:

rename(a, b); where a and b are:

a = "~/Music/Music/Media.localized/Automatically Add to Music.localized/myfile.mp3"

b = "~/Music/Music/Media.localized/Automatically Add to Music.localized/Not Added.localized/2023-09-25 11.06.28/myfile.mp3"

NOTE: The "~" is not present in the actual path, I used that to shorten it somewhat.

So, essentially a rename() will take place, and I control the:

  • file contents
  • source filename
  • destination filename
  • a segment in both paths

The only twist is that a directory will be created with the current date and time, and our file is moved into it. I will call this new directory datedir.

As far as trivial bugs go, this one is pretty much as good as it gets.

The exploit

To exploit this we can simply redirect the destination part of the rename() call. The fact that datedir gets created right before the rename() is super helpful:

  • wait for datedir to be created
  • remove datedir
  • replace datedir with a symbolic link to ~/Library/Application Support/com.apple.TCC/

With this cheap trick we just copied myfile.mp3 to the TCC directory.

To actually do something useful, we generate our own TCC database in a file called TCC.db, drop that into the folder instead, and repeat the exploit.

Music does the rename() and we end up fully controlling the user's TCC.db to gain FDA.

Non-Apple researcher sidenote:

There are actually two TCC.dbs on the system: the user's is in our home and the system's is at /Library/Application Support/com.apple.TCC/.

The significance of this is that we can't grant ourselves actual FDA by controlling only the user's TCC.db; that permission lives in the system database.

What we can do is give ourselves Automation rights to Finder, and since Finder has FDA, so do we.

Demo and code

Demo video

The full exploit code is on my github: https://github.com/gergelykalman/CVE-2023-38571-a-macOS-TCC-bypass-in-Music-and-TV

The fix

Apple replaced the rename() call with renameatx_np() called with the RENAME_NOFOLLOW_ANY flag set, which closes the symlink vector for good.

Root causes

  1. Huge apps like Music and TV should never have been granted the FDA permission as they are impossible to secure retroactively
  2. rename() is insecure as it offers no way to stop symlinks from being followed, and the alternative is non-portable (not in POSIX)
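As an added example (not the post's or Apple's code), here is a rename wrapper with the semantics of the fix described above and of root cause 2: on macOS it calls renameatx_np() with RENAME_NOFOLLOW_ANY, and elsewhere it approximates the flag by refusing any path with a symlink component before calling rename(). The demo rebuilds the datedir scenario in a constructed temp directory; the directory names and helper functions are assumptions for illustration.

```c
#define _DEFAULT_SOURCE 1   /* glibc: declare mkdtemp(), realpath(), lstat() */
#include <errno.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>
#ifdef __APPLE__
#include <fcntl.h>          /* AT_FDCWD */
#include <sys/stdio.h>      /* renameatx_np(), RENAME_NOFOLLOW_ANY (macOS only) */
#endif
/* Portable approximation of RENAME_NOFOLLOW_ANY: 1 if any prefix of path (final component included) is a symlink. Not atomic. */
static int has_symlink_component(const char *path) {
    char buf[PATH_MAX]; struct stat st;
    if (snprintf(buf, sizeof buf, "%s", path) >= (int)sizeof buf) return 1; /* too long: treat as unsafe */
    for (size_t i = 1; buf[i - 1] != '\0'; i++) {
        if (buf[i] != '/' && buf[i] != '\0') continue;
        char saved = buf[i]; buf[i] = '\0';         /* lstat() this prefix of the path */
        if (lstat(buf, &st) == 0 && S_ISLNK(st.st_mode)) return 1;
        buf[i] = saved;
    }
    return 0;
}
/* rename() that refuses to follow a symlink anywhere in either path (what Apple's fix does). */
int rename_nofollow_any(const char *from, const char *to) {
#ifdef __APPLE__
    return renameatx_np(AT_FDCWD, from, AT_FDCWD, to, RENAME_NOFOLLOW_ANY);
#else
    if (has_symlink_component(from) || has_symlink_component(to)) { errno = ELOOP; return -1; }
    return rename(from, to);
#endif
}

/* Constructed demo of the post's layout: "datedir" is either a real directory or a symlink to
 * "protected" (standing in for the TCC dir). Returns 1 when the hardened rename behaves correctly. */
int demo_rename_into_datedir(int datedir_is_symlink) {
    char tmpl[] = "/tmp/librarian-demoXXXXXX", root[PATH_MAX], prot[PATH_MAX];
    char datedir[PATH_MAX], src[PATH_MAX], dst[PATH_MAX]; FILE *f; int ok;
    if (mkdtemp(tmpl) == NULL || realpath(tmpl, root) == NULL) return 0; /* /tmp may itself be a symlink */
    snprintf(prot, sizeof prot, "%s/protected", root);
    snprintf(datedir, sizeof datedir, "%s/datedir", root);
    snprintf(src, sizeof src, "%s/myfile.mp3", root);
    snprintf(dst, sizeof dst, "%s/myfile.mp3", datedir);
    mkdir(prot, 0700); if (datedir_is_symlink) symlink(prot, datedir); else mkdir(datedir, 0700);
    if ((f = fopen(src, "w")) != NULL) { fputs("not audio", f); fclose(f); }  /* the unrecognised "media" file */
    ok = datedir_is_symlink ? (rename_nofollow_any(src, dst) == -1 && access(src, F_OK) == 0)  /* refused, file stayed */
                            : (rename_nofollow_any(src, dst) == 0 && access(dst, F_OK) == 0);  /* normal move still works */
    unlink(src); unlink(dst); unlink(datedir); rmdir(datedir); rmdir(prot); rmdir(root);
    return ok;
}
```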

Conclusion

The fix for the bug seems solid, but it fails to address the core underlying issue: as long as Music has FDA, bugs like this will keep happening. In fact I have reported several similar vulnerabilities to Apple already.

I will talk about all of them and more in my talk at OBTS:

"Unexpected, Unreasonable, Unfixable: Filesystem Attacks on macOS" at OBTS v6

If you miss that, there will be a recording, slides and eventually blog posts.

Stay tuned and update your devices!

Timeline

  • 2023.04.28: Report sent to Apple
  • 2023.07.07: Request for update
  • 2023.07.08: Apple: Still working on it
  • 2023.07.08: Upon testing I realized that the fix was in the beta already, re-tested and let Apple know
  • 2023.07.24: Bounty awarded

Apple fixed the bug pretty quickly; I can't complain.

Thanks Apple!

Special Thanks

I don't know who came up with the Finder Automation technique, but I read about it in Csaba Fitzl's blog: https://theevilbit.github.io/posts/cve-2021-30808/

Thanks Csaba :)