Share
## https://sploitus.com/exploit?id=0D68E5CA-C2A3-5C38-825A-2FC00E38145E
# CVE-2025-70341: Insecure Permissions + Arbitrary Code Execution in App-Auto-Patch

## Summary

App-Auto-Patch v3.4.2 creates its working directory with world-writable permissions (`chmod 777`), enabling a local TOCTOU (time-of-check-time-of-use) race condition. An unprivileged local attacker can exploit this to swap verified packages with malicious ones before installation, achieving arbitrary code execution as root. Additionally, a malicious Installomator label fragment can achieve arbitrary code execution via `eval` of unsanitized input during label parsing.

## Affected Versions

- **Vulnerable:** App-Auto-Patch <= 3.4.2
- **Fixed:** App-Auto-Patch 3.5.0

## CVSS 3.1

**Score: 7.8 (High)**

`CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H`

| Metric | Value |
|--------|-------|
| Attack Vector | Local |
| Attack Complexity | Low |
| Privileges Required | Low |
| User Interaction | None |
| Scope | Unchanged |
| Confidentiality | High |
| Integrity | High |
| Availability | High |

## Vulnerability Details

### Issue 1: World-Writable Directory (CWE-732)

**File:** `App-Auto-Patch-via-Dialog.zsh`, line 2525

During installation, `appAutoPatchFolder` is created with `chmod 777`. This allows any local user to write, modify, or delete files in the directory.

### Issue 2: Arbitrary Code Execution via eval (CWE-94)

**File:** `App-Auto-Patch-via-Dialog.zsh`, line 4744

Installomator label fragments are parsed using `eval` without sanitization. Combined with the world-writable directory, an attacker can inject a malicious label fragment that executes arbitrary commands as root.

### Attack Chain

```
1. App-Auto-Patch creates appAutoPatchFolder with chmod 777
2. Installomator downloads PKG to world-writable tmpDir, verifies signature
3. ~140 lines of bash execute between verification and installation (RACE WINDOW)
4. Attacker swaps verified PKG with malicious PKG
5. installer -pkg runs attacker's PKG as root
```

## Proof of Concept

### Prerequisites

- macOS system with App-Auto-Patch <= 3.4.2 (or any Installomator version using `chmod 777` tmpDir)
- Unprivileged local user account
- Xcode command line tools (for `pkgbuild`)

### Usage

**Terminal 1** (as unprivileged user):
```bash
python3 poc.py
```

**Terminal 2** (as root, simulating MDM/admin trigger):
```bash
sudo ./simulate-vulnerable-env.sh
```

The PoC monitors `/var/tmp` for Installomator directories created with `chmod 777`, then races to swap the legitimate PKG with a malicious one containing a postinstall script that executes as root.

See `poc.py` and `simulate-vulnerable-env.sh` for full details.

## Remediation

- **Upgrade** to App-Auto-Patch 3.5.0 or later
- The fix changes directory permissions from `chmod 777` to `chmod 755`, breaking the attack chain

## Timeline

| Date | Event |
|------|-------|
| 2024-12-22 | Vulnerability discovered |
| 2024-12-22 | PoC created |
| 2024-12-22 | PR [#202](https://github.com/App-Auto-Patch/App-Auto-Patch/pull/202) submitted |
| 2024-12-22 | Issue [#203](https://github.com/App-Auto-Patch/App-Auto-Patch/issues/203) filed |
| 2025-12-23 | Fixed in App-Auto-Patch 3.5.0 |
| 2026-02-20 | CVE-2025-70341 assigned |

## Credit

- **cooldadhacking** ([GitHub](https://github.com/cooldadhacking))

## References

- [App-Auto-Patch PR #202](https://github.com/App-Auto-Patch/App-Auto-Patch/pull/202)
- [App-Auto-Patch Issue #203](https://github.com/App-Auto-Patch/App-Auto-Patch/issues/203)
- [App-Auto-Patch-via-Dialog.zsh](https://github.com/App-Auto-Patch/App-Auto-Patch/blob/main/App-Auto-Patch-via-Dialog.zsh)

## Disclaimer

This proof of concept is provided for educational and authorized security testing purposes only. Use responsibly and only on systems you own or have explicit permission to test.