Way back in macOS Mojave 10.14, several of us noticed strange behaviour in its Remote Login service (
ssh) which appeared to bypass privacy controls. I reported on this in detail here on 12 November 2018, fully expecting it to change in the future.
Most of us then forgot about it, until Mikey @0xmachos was studying the recent report by Trend Micro on XCSSET malware. There, in the analysis of a “Data Vault vulnerability used in Safari cookie theft”, described as “a zero-day vulnerability exploitation that is at large”, this long-known vulnerability is now being exploited by malware.
It’s easy to reproduce this on your own Mac, without needing a second system to connect to it.
First, open the Sharing pane, and ensure that Remote Login is enabled.
Then open the Privacy tab of the Security & Privacy pane, and select the Full Disk Access list at the left. Scroll through that list and ensure that neither
sshd-keygen-wrapper are included in that list. If they are, click on the padlock and authenticate, select each and remove them using the – tool. Leave that list open so you can watch what happens there.
Now open Terminal. Type in the command
where username is the short user name of your admin account. If this is the first time that you’ve used
ssh you’ll be invited to confirm the fingerprint generated before adding localhost to the list of known hosts. Type yes as instructed, to allow the
ssh connection to be established. Shortly after that, you’ll notice that a new item has been added to your Full Disk Access list for
sshd, the service which supports your
ssh connection. This doesn’t actually give you full disk access yet – that comes shortly.
To confirm that your
ssh connection is working correctly (to the same host, in this instance), type a simple command such as
and you should see the directory listing.
Now try listing one of the protected directories, for example using
Not only will you get a full listing without having been prompted to add anything to the Full Disk Access list, but another item will automatically be added to that list, named
It’s the last of those,
sshd-keygen-wrapper, which is critical. If you now untick that item in the Privacy tab, trying to list that protected directory will return an error, reporting that the operation is not permitted. But if you instead remove the
sshd-keygen-wrapper item altogether, it will be added back, enabled, and the protected folder will be listed in full. This is explained in detail with relevant log excerpts in my previous article.
To gain full access to any privacy-protected directory, all an attacker has to do is establish an
ssh connection. Provided Remote Login is enabled, and
sshd-keygen-wrapper isn’t both present and disabled (unticked) in the Full Disk Access list, macOS will automatically bypass its own privacy protection without any further control.
There are two measures you can apply to make this harder for an attacker: disable Remote Login and ensure that
sshd-keygen-wrapper has been added to your Mac’s Full Disk Access list but is unticked there.
Until, that is, Apple does something to fix this vulnerability which is now coming up to two years old. And apparently being actively exploited in the wild.
When macOS Mojave 10.14 was first released, there were (at least) three vulnerabilities noted in TCC, its new privacy system. Two were not initially disclosed in public, the third was reported by Phil Stokes in the SentinelOne blog on 25 September 2018. To the best of my knowledge, that is the first report of this problem with
ssh and Full Disk Access, so its discovery should be attributed to Phil Stokes, not me.
Several looked at the
ssh issue, and I added it to my first list of bugs in 10.14. At that time, TCC was new and its log transactions little understood. In any case, many of us thought that Apple would address this in 10.14.1, but it didn’t, to my surprise, and the
ssh issue was carried over to my next list of known bugs for 10.14.1. I then turned my attentions to the log records and reached the deeper understanding which I wrote up in this article.
By that stage, Phil Stokes had already reported the issue to Apple, who eventually replied that they were still looking at it. However, nothing changed and we all moved on, until Trend Micro’s detailed analysis of XCSSET malware, which exploits this vulnerability. At this time, it was assumed that this was newly discovered but it turns out to be the same as first reported by Phil Stokes nearly two years ago, and detailed in my article about six weeks later.