Where in the World is Carmen Sandiego: Abusing Location Services on macOS

Introduction

Transparency, Consent, and Control (TCC)

Security & Privacy UI

TCC Prompts

Zoom Application Requesting Camera Access

tccutil

### Reset all permissions for a single TCC-protected service.
### All applications previously granted Microphone access will be
### revoked
$ sudo tccutil reset Microphone

### Reset all permissions for a single application identified by
### bundle ID. All permissions previously granted to Safari will be
### revoked
$ sudo tccutil reset All com.apple.Safari

### Reset all permissions for all TCC-protected services. All
### applications granted access to any TCC-protected service will be
### revoked
$ sudo tccutil reset All

What’s Happening Under the Hood?

  • /Library/Application Support/com.apple.TCC/TCC.db
  • ~/Library/Application Support/com.apple.TCC/TCC.db

Introducing SwiftParseTCC

SwiftParseTCC Help Output
SwiftParseTCC Text Table Output
  • service — The internal name used for various TCC-protected services
  • client — The application that requested access to a particular service
  • client_type — Whether the application is identified by bundle ID or absolute path
  • auth_value — Whether the application is allowed to access the TCC-protected service

Is Location Services TCC-Protected?

kTCCServiceLiverpool within SwiftParseTCC Output
kTCCServiceLiverpool Description From Keith’s Blogpost

Introducing SwiftLiverpool

SwiftLiverpool Output
Location Services Not Reset
SwiftLiverpool Does Not Appear Within TCC.db

Location Services (locationd)

Gist Comment
slyd0g@Justins-MBP~$ plutil -p /var/db/locationd/clients.plist
/var/db/locationd/clients.plist: file does not exist or is not readable or is not a regular file (Error Domain=NSCocoaErrorDomain Code=257 "The file “clients.plist” couldn’t be opened because you don’t have permission to view it." UserInfo={NSFilePath=/var/db/locationd/clients.plist, NSUnderlyingError=0x7f8fb4506e90 {Error Domain=NSPOSIXErrorDomain Code=13 "Permission denied"}})
slyd0g@Justins-MBP~$ sudo plutil -p /var/db/locationd/clients.plist
{
  "com.apple.locationd.executable-/Users/slyd0g/Projects/SwiftLiverpool/build/Debug/SwiftLiverpool" => {
    "Authorized" => 1
    "BundleId" => "com.apple.locationd.executable-/Users/slyd0g/Projects/SwiftLiverpool/build/Debug/SwiftLiverpool"
    "Executable" => "/Users/slyd0g/Projects/SwiftLiverpool/build/Debug/SwiftLiverpool"
    "LocationTimeStopped" => 660004429.982445
    "ReceivingLocationInformationTimeStopped" => 660004431.985412
    "Registered" => "/Users/slyd0g/Projects/SwiftLiverpool/build/Debug/SwiftLiverpool"
    "Requirement" => "cdhash H"c670128640c6e2a8f7c33cda58d91d14c7062f2b""
    "Whitelisted" => 0
  }
  "com.google.Chrome" => {
    "Authorized" => 0
    "BundleId" => "com.google.Chrome"
    "BundlePath" => "/Applications/Google Chrome.app"
    "Registered" => ""
    "Requirement" => "(identifier "com.google.Chrome" or identifier "com.google.Chrome.beta" or identifier "com.google.Chrome.dev" or identifier "com.google.Chrome.canary") and certificate leaf = H"c9a99324ca3fcb23dbcc36bd5fd4f9753305130a""
    "Whitelisted" => 0
  }
  "com.microsoft.VSCode" => {
    "Authorized" => 1
    "BundleId" => "com.microsoft.VSCode"
    "BundlePath" => "/Applications/Visual Studio Code.app"
    "Registered" => ""
    "Requirement" => "identifier "com.microsoft.VSCode" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = UBF8T346G9"
    "Whitelisted" => 0
  }
}
sh-3.2# rm /var/db/locationd/clients.plist
override rw-r--r-- _locationd/_locationd for /var/db/locationd/clients.plist? y
rm: /var/db/locationd/clients.plist: Operation not permitted
slyd0g@Justins-MBP~$ rm /var/db/locationd/clients.plist
rm: /var/db/locationd/clients.plist: Permission denied
slyd0g@Justins-MBP~$ sudo rm /var/db/locationd/clients.plist
Password:
slyd0g@Justins-MBP~$ sudo ls /var/db/locationd/
Library
Copying a Malicious Plist File
Resetting Location Services within Security & Privacy UI
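
An added audit example (not code from the original post or from SwiftLiverpool): it parses a clients.plist with the layout shown in the plutil output above and flags authorized clients that resemble the SwiftLiverpool entry. The function name, the review heuristics and the list of user-writable path prefixes are assumptions; the sample input is constructed from the entries on this page, with the Chrome and VSCode requirements abbreviated.

```python
import plistlib

EXEC_PREFIX = "com.apple.locationd.executable-"
# Assumed list of locations an unprivileged user can write to.
USER_WRITABLE = ("/Users/", "/tmp/", "/private/tmp/", "/var/folders/")

def audit_clients(plist_bytes):
    """Return [(client key, [reasons])] for authorized clients worth review."""
    findings = []
    for key, entry in sorted(plistlib.loads(plist_bytes).items()):
        if not isinstance(entry, dict) or not entry.get("Authorized"):
            continue  # skip denied clients and non-dictionary values
        reasons = []
        if key.startswith(EXEC_PREFIX):
            reasons.append("identified by executable path, not bundle ID")
        req = str(entry.get("Requirement", ""))
        if not req:
            reasons.append("no code requirement recorded")
        elif req.startswith("cdhash "):
            reasons.append("requirement is a bare cdhash (no signing identity)")
        path = entry.get("Executable") or entry.get("BundlePath") or ""
        if path.startswith(USER_WRITABLE):
            reasons.append("runs from a user-writable path: " + path)
        if reasons:
            findings.append((key, reasons))
    return findings

# Constructed sample: the three entries from the plutil output above.
_LIVERPOOL = "/Users/slyd0g/Projects/SwiftLiverpool/build/Debug/SwiftLiverpool"
SAMPLE = plistlib.dumps({
    EXEC_PREFIX + _LIVERPOOL: {
        "Authorized": 1, "Executable": _LIVERPOOL, "Registered": _LIVERPOOL,
        "Requirement": 'cdhash H"c670128640c6e2a8f7c33cda58d91d14c7062f2b"',
    },
    "com.google.Chrome": {
        "Authorized": 0, "BundlePath": "/Applications/Google Chrome.app",
        "Requirement": 'identifier "com.google.Chrome"',  # abbreviated
    },
    "com.microsoft.VSCode": {
        "Authorized": 1, "BundlePath": "/Applications/Visual Studio Code.app",
        "Requirement": 'identifier "com.microsoft.VSCode" and anchor apple generic',
    },
})

if __name__ == "__main__":
    # On a real host, pass the bytes of /var/db/locationd/clients.plist
    # (readable only as root, as the session above shows) instead of SAMPLE.
    for key, reasons in audit_clients(SAMPLE):
        print(key, *reasons, sep="\n  - ")
```
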

Conclusion

References
