Researchers Uncover Symlink Exploit Allowing TCC Bypass in iOS and macOS


Dec 12, 2024Ravie LakshmananVulnerability / Device Security

Researchers Uncover Symlink Exploit Allowing TCC Bypass in iOS and macOS

Details have emerged about a now-patched security vulnerability in Apple’s iOS and macOS that, if successfully exploited, could sidestep the Transparency, Consent, and Control (TCC) framework and result in unauthorized access to sensitive information.

The flaw, tracked as CVE-2024-44131 (CVSS score: 5.3), resides in the FileProvider component, per Apple, and has been addressed with improved validation of symbolic links (symlinks) in iOS 18, iPadOS 18, and macOS Sequoia 15.

Jamf Threat Labs, which discovered and reported the flaw, said the TCC bypass could be exploited by a rogue installed on the system to grab sensitive data without users’ knowledge.

TCC serves as a critical security protection in Apple devices, giving end users a way to allow or deny a request from apps to access sensitive data, such as GPS location, contacts, and photos, among others.

Cybersecurity

“This TCC bypass allows unauthorized access to files and folders, Health data, the microphone or camera, and more without alerting users,” the company said. “This undermines user trust in the security of iOS devices and exposes personal data to risk.”

At its core, the vulnerability enables a malicious app running in the background to intercept actions made by the user to copy or move files within the Files app and redirect them to a location under their control.

This hijack works by taking advantage of the elevated privileges of fileproviderd, a daemon that handles file operations associated with iCloud and other third-party cloud file managers, to move the files, after which they can be uploaded to a remote server.

“Specifically, when a user moves or copies files or directories using Files.app within a directory accessible by a malicious app running in the background, the attacker can manipulate symlinks to deceive the Files app,” Jamf said.

“The new symlink attack method first copies an innocent file, providing a detectable signal to a malicious process that the copying has started. Then, a symlink is inserted after the copying process is already underway, effectively bypassing the symlink check.”

An attacker could therefore employ the method to copy, move, or even delete various files and directories under the path “/var/mobile/Library/Mobile Documents/” to access iCloud backup data associated with both first- and third-party apps and exfiltrate them.

What’s significant about this loophole is that it entirely undermines the TCC framework and doesn’t trigger any prompts to the user. That having said, the type of data that can be accessed depends on which system process is executing the file operation.

“The severity of these vulnerabilities depends on the privileges of the targeted process,” Jamf said. “This reveals a gap in access control enforcement for certain data types, as not all data can be extracted without alert due to this race condition.”

Cybersecurity

“For example, data within folders protected by randomly assigned UUIDs and data retrieved through specific APIs remain unaffected by this type of attack.”

The development comes as Apple released updates for all its software to remediate several issues, including four flaws in WebKit that could result in memory corruption or process crash, and a logic vulnerability in Audio (CVE-2024-54529) that could permit an app to execute arbitrary code with kernel privileges.

Also patched by the iPhone maker is a bug in Safari (CVE-2024-44246) that could allow a website to glean the originating IP address when adding it to the Reading List on a device with Private Relay enabled. Apple said it fixed the problem with “improved routing of Safari-originated requests.”

Found this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.





Source link