The functionality of these helpers is similar. Let’s take a closer look at timemachinehelper. The interface is extremely simple:

➜ ~ r2 /System/Library/PrivateFrameworks/DiagnosticExtensions.framework/PlugIns/osx-timemachine.appex/Contents/XPCServices/timemachinehelper
— You crackme up!
[0x100001830]> aaa
[x] Analyze all flags starting with sym. and entry0 (aa)
[x] Analyze function calls (aac)
[x] Analyze len bytes of instructions for references (aar)
[x] Constructing a function name for fcn.* and sym.func.* functions (aan)
[x] Type matching analysis for all functions (afta)
[x] Use -AA or aaaa to perform additional experimental analysis.
[0x100001830]> icc
@interface HelperDelegate :
{
}
- (char) listener:shouldAcceptNewConnection:
- (void) runDiagnosticWithDestinationDir:replyURL:
@end

It simply takes an NSURL as the destination directory, runs the command /usr/bin/tmdiagnose -r -w -f as root, then copies the output file that matches a regular expression into the destination directory.

Since it performs no check on the destination, you can write random garbage (the diagnostic logs) into any existing directory that is not covered by rootless protection. The other helpers have the same problem. Apple patched this flaw as CVE-2019-8530.

It used to be exploitable in combination with a sudo design flaw.

Sudo supports a feature where the user does not need to enter the password again for a few minutes after typing the password (and being successfully authenticated). The check was based on the modified time of the /var/db/sudo/{USER_NAME} directory. By setting the SubmitToLocalFolder value to be /var/db/sudo/{USER_NAME} and triggering the vulnerability, it is possible to execute sudo to gain root privileges.

This bug can modify the timestamp of that directory simply by writing into it. Since sudo fixed that check long ago, this chain is no longer useful.
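As an added illustration of the check such a helper is missing (this is not Apple's code and not the CVE-2019-8530 fix), the hypothetical `destination_allowed` below resolves the caller-supplied path, requires it to stay under an assumed `allowed_root` and to be owned by the connecting client's uid, so a symlink pointing at /var/db/sudo/{USER_NAME} or any other root-owned directory is refused before the root-privileged copy happens. The temporary directories in `self_check` are constructed for the example.

```c
#define _DEFAULT_SOURCE                 /* mkdtemp/realpath/symlink on glibc */
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Hypothetical policy: the client-supplied destination must resolve (symlinks
 * followed) under allowed_root, be a real directory, and be owned by the
 * connecting client's uid. Returns 1 if the helper may write there, else 0. */
int destination_allowed(const char *dest, uid_t client_uid, const char *allowed_root)
{
    char real[PATH_MAX], root[PATH_MAX];
    struct stat st;

    /* Resolve both sides so "allowed/escape -> /var/db/sudo/<user>" cannot
     * pass a plain string-prefix comparison. */
    if (realpath(dest, real) == NULL || realpath(allowed_root, root) == NULL)
        return 0;
    size_t rlen = strlen(root);
    /* "/x/ok" must not accept "/x/ok-evil": the next char has to end the path. */
    if (strncmp(real, root, rlen) != 0 || (rlen > 1 && real[rlen] != '/' && real[rlen] != '\0'))
        return 0;
    if (lstat(real, &st) != 0 || !S_ISDIR(st.st_mode))
        return 0;
    /* Only write where the caller could already write as themselves. */
    return st.st_uid == client_uid;
}

/* Self-check on constructed directories; returns 1 when every expectation holds. */
int self_check(void)
{
    char tmpl[] = "/tmp/tmhelperXXXXXX", good[PATH_MAX], lnk[PATH_MAX], outside[PATH_MAX];
    char *base = mkdtemp(tmpl);
    uid_t me = getuid();
    if (base == NULL) return 0;
    snprintf(good, sizeof good, "%s/logs", base);          /* honest destination */
    snprintf(lnk, sizeof lnk, "%s/escape", base);          /* symlink leaving the root */
    snprintf(outside, sizeof outside, "%s-outside", base); /* shares only the prefix */
    if (mkdir(good, 0700) || mkdir(outside, 0700) || symlink(outside, lnk)) return 0;
    int ok = destination_allowed(good, me, base) == 1
          && destination_allowed(lnk, me, base) == 0
          && destination_allowed(outside, me, base) == 0
          && destination_allowed(good, me + 1, base) == 0   /* wrong owner */
          && destination_allowed("/var/db/sudo", me, base) == 0;
    unlink(lnk); rmdir(good); rmdir(outside); rmdir(base);
    return ok;
}
```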