Resources

People often ask me "How did you learn how to hack?" The answer: by reading. This page is a collection of the blog posts and other articles that I have accumulated over the years of my journey. Enjoy!

Bypassing the OS X Transparency, Consent, and Control (TCC) Framework For User Data - 227

Matt Shockley, Posted 5 Years Ago
  • When an application needs access to sensitive data on macOS, a large prompt appears asking the user for permission. Once permission has been asked for and granted, the prompt is not shown again.
  • The permissions are stored in a database on the local file system. In order to access this database, you must have the tcc.manager permissions.
  • The bug is actually pretty trivial! When attempting to access the DB, it checks for the database in the $HOME directory! See where I'm going here? $HOME is an environment variable, which is editable by the user.
  • So, by launching a terminal with a custom home directory in the $HOME env variable, it is possible to have trivial write access to the database. Hence, this can be used to bypass all TCC restrictions and access all sensitive data!
  • This acts primarily as a privilege escalation on macOS to access sensitive data.
  • Overall, this was a classic bug! A relative file path, or a partially controlled file path, should not be used! It's important to either have an absolute path or make sure the file path cannot be altered in this type of context.
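
The path-resolution flaw summarized above, next to a hardened form, as an added example (not code from the original post or from Apple). The database suffix and the home directory value are constructed for illustration; the hardened variant assumes the account database is the trusted source for a user's home directory.

```c
#define _POSIX_C_SOURCE 200809L
#include <pwd.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/* Hypothetical per-user database location, constructed for this example. */
#define DB_SUFFIX "Library/ExampleConsent/consent.db"

/* Join base and suffix; on overflow leave an empty string and fail. */
static int join(char *out, size_t len, const char *base) {
    int n = snprintf(out, len, "%s/%s", base, DB_SUFFIX);
    if (n < 0 || (size_t)n >= len) { out[0] = '\0'; return -1; }
    return 0;
}

/* Flawed pattern: the base directory comes from $HOME, which the calling
 * user controls, so the caller decides which database file is trusted. */
int db_path_from_env(char *out, size_t len) {
    const char *home = getenv("HOME");
    out[0] = '\0';
    return home ? join(out, len, home) : -1;
}

/* Hardened pattern: take the home directory from the account database for
 * the real UID and refuse anything that is not an absolute path. */
int db_path_from_passwd(char *out, size_t len) {
    struct passwd *pw = getpwuid(getuid());
    out[0] = '\0';
    if (pw == NULL || pw->pw_dir == NULL || pw->pw_dir[0] != '/') return -1;
    return join(out, len, pw->pw_dir);
}

int main(void) {
    char env_path[4096], pw_path[4096];
    /* Constructed value standing in for a caller-chosen home directory. */
    setenv("HOME", "/tmp/constructed-home", 1);
    db_path_from_env(env_path, sizeof env_path);
    db_path_from_passwd(pw_path, sizeof pw_path);
    printf("from $HOME : %s\n", env_path);
    printf("from passwd: %s\n", pw_path);
    return 0;
}
```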