A detailed technical write-up and proof-of-concept (PoC) exploit code from security researcher Mickey Jin have unveiled a critical TCC (Transparency, Consent, and Control) bypass vulnerability in macOS, tracked as CVE-2024-54527. The flaw affects the MediaLibraryService XPC service and shows how an attacker can abuse that service's private entitlements to bypass TCC protections, with significant consequences for user privacy.
The flaw lies in the XPC service /System/Library/Frameworks/MediaLibrary.framework/Versions/A/XPCServices/com.apple.MediaLibraryService.xpc. According to Jin, this service holds powerful TCC entitlements, including:
- com.apple.private.tcc.manager: Grants direct modification access to the TCC database (TCC.db) via the tccd daemon.
- com.apple.private.tcc.allow: Enables access to kTCCServicePhotos, facilitating media-related operations.
“An attacker can put a malicious plugin to the ILUserLibraryPluginLocationPath and get it loaded by the entitled XPC service. As a result, the attacker can enjoy the powerful entitlement ‘com.apple.private.tcc.manager’ to bypass the TCC protection completely,” Jin explains.
The issue is exacerbated by the fact that one of the plugin paths, ~/Library/Application Support/iLifeMediaBrowser/Plug-Ins, is protected by neither SIP (System Integrity Protection) nor TCC, so any code already running as the logged-in user can write to it without root access.
Jin describes the exploit process, which involves dropping a malicious plugin into that unprotected path. The unsigned plugin is then loaded by the vulnerable XPC service, and the attacker's code runs inside the entitled process, inheriting its TCC entitlements and bypassing macOS TCC protections entirely.
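As a practical check, here is an added shell audit script, written for this article and not part of Jin's write-up or PoC repository. It reports whether the plug-in directory named above exists and is writable by the current user (the precondition the attack needs), and lists whatever is inside it with a codesign verdict where codesign is available. The ILMB_PLUGIN_DIR override variable, the function names and the output format are assumptions made here; the default path is the one from the advisory.

```sh
#!/bin/sh
# Added audit helper; not from Jin's write-up or PoC. Inspects the user-writable
# iLifeMediaBrowser plug-in directory the advisory names and reports:
#   * whether the directory exists and is writable by the current user, and
#   * every entry inside it, with a codesign verdict when codesign is available.
# ILMB_PLUGIN_DIR is an override added here (assumption) so the helper can be
# pointed at another user's home directory or at a test directory.

PLUGIN_DIR="${ILMB_PLUGIN_DIR:-$HOME/Library/Application Support/iLifeMediaBrowser/Plug-Ins}"

# Prints "absent", "writable" or "not-writable" for the directory.
plugin_dir_state() {
  dir="$1"
  if [ ! -d "$dir" ]; then
    echo "absent"
  elif [ -w "$dir" ]; then
    echo "writable"
  else
    echo "not-writable"
  fi
}

# Prints the number of entries (files or bundles, hidden ones included).
count_plugins() {
  dir="$1"
  n=0
  if [ -d "$dir" ]; then
    for entry in "$dir"/* "$dir"/.[!.]*; do
      [ -e "$entry" ] && n=$((n + 1))
    done
  fi
  echo "$n"
}

# Prints one "<name><TAB><verdict>" line per entry. The verdict comes from
# `codesign --verify` on macOS; elsewhere it is "unchecked" so the script still runs.
list_plugins() {
  dir="$1"
  [ -d "$dir" ] || return 0
  for entry in "$dir"/* "$dir"/.[!.]*; do
    [ -e "$entry" ] || continue
    if command -v codesign >/dev/null 2>&1; then
      if codesign --verify --deep --strict "$entry" >/dev/null 2>&1; then
        verdict="signed-valid"
      else
        verdict="unsigned-or-invalid"
      fi
    else
      verdict="unchecked"
    fi
    printf '%s\t%s\n' "$(basename "$entry")" "$verdict"
  done
}

# Report for the real path. Anything listed deserves a look: the write-up shows
# this directory is loaded by a TCC-entitled service without a provenance check.
echo "plug-in directory: $PLUGIN_DIR ($(plugin_dir_state "$PLUGIN_DIR"), $(count_plugins "$PLUGIN_DIR") entries)"
list_plugins "$PLUGIN_DIR"
```

A `signed-valid` verdict only means the signature is intact; an ad-hoc signature passes that check too, so inspect the signing authority with `codesign -dvv` before trusting an entry. The path is per-user, so on a shared Mac run the script as (or with ILMB_PLUGIN_DIR pointed at) each account you want to audit.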
To execute the exploit, Jin's steps are:
- Compile the payload plugin and place it in the unprotected plugin path.
- Use a vulnerable copy of the XPC service binary taken from an older macOS system, which predates Launch Constraints (introduced in macOS Ventura) and can therefore still be launched from an attacker-chosen location.
- Compile and run the exploit program, which carries a valid ad-hoc code signature.
The exploit code is publicly available on Jin’s GitHub repository.
Apple introduced Launch Constraints in macOS Ventura precisely to stop system binaries from being copied and launched out of place. However, Jin emphasizes that binaries from older macOS releases carry no such constraints, so an attacker can bring an old copy of the service along and sidestep the newer protection.
Jin advises users to update their macOS systems to the latest version and urges Apple to enhance protection for older binaries.