Proof-of-concept (PoC) exploit code for a critical vulnerability in macOS, identified as CVE-2024-54527, has been disclosed.
This vulnerability allows attackers to bypass the Transparency, Consent, and Control (TCC) protection mechanism, potentially granting unauthorized access to sensitive user data.
The vulnerability, which affects versions of macOS prior to Sonoma 14.0, exists in the XPC service located at /System/Library/Frameworks/MediaLibrary.framework/Versions/A/XPCServices/com.apple.MediaLibraryService.xpc. This service possesses powerful TCC entitlements, including “com.apple.private.tcc.manager” and “com.apple.private.tcc.allow”.
Exploitation Details
According to the researcher, the exploit takes advantage of the fact that the vulnerable XPC service is signed with neither Hardened Runtime nor Library Validation. An attacker can exploit this by:
- Placing a malicious plugin in the user’s Library folder
- Triggering the XPC service to load the plugin
- Gaining the service’s TCC entitlements to bypass protection
The researcher who discovered the vulnerability has uploaded the exploit code, demonstrating the severity of the issue.
This TCC bypass could allow malicious actors to:
- Access user photos, contacts, and other sensitive data
- Modify TCC settings directly
- Potentially escalate privileges on the system
Apple has addressed this vulnerability in macOS Sonoma 14.0 and later versions. The fix involves a new security mitigation in the AppleMobileFileIntegrity.kext, called “enforceTCCEntitlementHardening”.
This mitigation enforces stricter controls on processes with specific TCC-related entitlements:
- Processes with “com.apple.private.tcc.allow” or “com.apple.private.tcc.manager” entitlements are now forcibly hardened with library validation at runtime
- The vulnerable XPC service is now signed with Hardened Runtime
- An additional entitlement, “com.apple.private.amfi.version-restriction”, has been implemented to prevent downgrade attacks
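The rule this mitigation enforces can also be applied as a fleet audit. The following is an added example, not code from Apple or the researcher: it reads the text printed by `codesign -dv` and the XML from `codesign -d --entitlements - --xml`, and reports binaries that hold one of the two TCC entitlements without Hardened Runtime or library validation. The function name `audit` and the sample outputs are assumptions constructed for illustration.

```python
import plistlib
import re

# Code-signing flag bits as defined in Apple's cs_blobs.h.
CS_REQUIRE_LV = 0x2000   # library validation
CS_RUNTIME = 0x10000     # Hardened Runtime

# The two entitlements the article says are now forcibly hardened.
TCC_ENTITLEMENTS = ("com.apple.private.tcc.allow", "com.apple.private.tcc.manager")
DISABLE_LV = "com.apple.security.cs.disable-library-validation"


def audit(codesign_dv: str, entitlements_xml: bytes) -> list[str]:
    """Return findings for one binary (hypothetical helper); [] means nothing to report."""
    ents = plistlib.loads(entitlements_xml) if entitlements_xml.strip() else {}
    held = [e for e in TCC_ENTITLEMENTS if ents.get(e)]
    if not held:
        return []  # no private TCC entitlement: out of scope for this check
    m = re.search(r"flags=0x([0-9a-fA-F]+)", codesign_dv)
    if m is None:
        return ["no CodeDirectory flags found (unsigned or unparsable output)"]
    flags = int(m.group(1), 16)
    findings = []
    if not flags & CS_RUNTIME:
        findings.append("missing Hardened Runtime")
    # Hardened Runtime implies library validation unless the binary opts out.
    runtime_lv = bool(flags & CS_RUNTIME) and not ents.get(DISABLE_LV)
    if not (flags & CS_REQUIRE_LV or runtime_lv):
        findings.append("library validation not enforced")
    return [f"{f}; holds {', '.join(held)}" for f in findings]


# Constructed samples, not captured from a real system.
ENTS = plistlib.dumps({"com.apple.private.tcc.manager": True,
                       "com.apple.private.tcc.allow": ["kTCCServicePhotos"]})
ENTS_OPT_OUT = plistlib.dumps({"com.apple.private.tcc.manager": True, DISABLE_LV: True})
DV_UNHARDENED = ("Identifier=com.example.service\n"
                 "CodeDirectory v=20400 size=512 flags=0x0(none) hashes=8+5 location=embedded\n")
DV_HARDENED = DV_UNHARDENED.replace("flags=0x0(none)", "flags=0x10000(runtime)")

if __name__ == "__main__":
    for label, dv, ents in (("unhardened", DV_UNHARDENED, ENTS),
                            ("hardened", DV_HARDENED, ENTS),
                            ("hardened, LV opt-out", DV_HARDENED, ENTS_OPT_OUT)):
        print(label, "->", audit(dv, ents) or "ok")
```
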
Recommendations
Users and administrators are strongly advised to:
- Update to the latest version of macOS immediately
- Be cautious when running unsigned or untrusted applications
- Monitor system activity for any suspicious behavior
While Apple has patched this specific issue, it highlights the importance of continuous security updates and the potential risks associated with powerful system services.
As the details of this vulnerability are now public, it’s crucial for users to stay vigilant and keep their systems up-to-date to protect against potential exploits based on this and similar vulnerabilities.