We Need To Talk About MACL

If you’ve never heard of MACL on MacOS, you’re not alone. This obscure feature is a hidden part of MacOS that underpins Apple’s concept of User-Intent, a shift in focus for MacOS privacy controls in an attempt to stop endless prompts interrupting the user.

Being able to operate on an endpoint without giving the game away is of course essential, and unfortunately staying under the radar on MacOS is getting tougher with each release. Even once we’ve compromised the endpoint and elevated to root, much of the data stored in files is unavailable, and one wrong step can lead to the dreaded:

And by now we all understand just how annoying these alerts can be to us attackers.

Now if you read this blog you’ll see that I have previously looked at bypasses for Apple’s privacy controls (also known as TCC) by loading dylibs into specific Apple applications containing entitlements. That being said, I always like to have one or two esoteric techniques available for when those tougher jobs come up. So in this post we’re going to look at just how MacOS’s User-Intent system works, expose its attack surface, and disclose a vulnerability (CVE-2020-9968) found while looking at ways to abuse the User-Intent functionality to bypass TCC.