## https://sploitus.com/exploit?id=0D68E5CA-C2A3-5C38-825A-2FC00E38145E
# CVE-2025-70341: Insecure Permissions + Arbitrary Code Execution in App-Auto-Patch
## Summary
App-Auto-Patch v3.4.2 creates its working directory with world-writable permissions (`chmod 777`), enabling a local TOCTOU (time-of-check-time-of-use) race condition. An unprivileged local attacker can exploit this to swap verified packages with malicious ones before installation, achieving arbitrary code execution as root. Additionally, a malicious Installomator label fragment can achieve arbitrary code execution via `eval` of unsanitized input during label parsing.
## Affected Versions
- **Vulnerable:** App-Auto-Patch <= 3.4.2
- **Fixed:** App-Auto-Patch 3.5.0
## CVSS 3.1
**Score: 7.8 (High)**
`CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H`
| Metric | Value |
|--------|-------|
| Attack Vector | Local |
| Attack Complexity | Low |
| Privileges Required | Low |
| User Interaction | None |
| Scope | Unchanged |
| Confidentiality | High |
| Integrity | High |
| Availability | High |
## Vulnerability Details
### Issue 1: World-Writable Directory (CWE-732)
**File:** `App-Auto-Patch-via-Dialog.zsh`, line 2525
During installation, `appAutoPatchFolder` is created with `chmod 777`. This allows any local user to write, modify, or delete files in the directory.
### Issue 2: Arbitrary Code Execution via eval (CWE-94)
**File:** `App-Auto-Patch-via-Dialog.zsh`, line 4744
Installomator label fragments are parsed using `eval` without sanitization. Combined with the world-writable directory, an attacker can inject a malicious label fragment that executes arbitrary commands as root.
### Attack Chain
```
1. App-Auto-Patch creates appAutoPatchFolder with chmod 777
2. Installomator downloads PKG to world-writable tmpDir, verifies signature
3. ~140 lines of bash execute between verification and installation (RACE WINDOW)
4. Attacker swaps verified PKG with malicious PKG
5. installer -pkg runs attacker's PKG as root
```
## Proof of Concept
### Prerequisites
- macOS system with App-Auto-Patch <= 3.4.2 (or any Installomator version using `chmod 777` tmpDir)
- Unprivileged local user account
- Xcode command line tools (for `pkgbuild`)
### Usage
**Terminal 1** (as unprivileged user):
```bash
python3 poc.py
```
**Terminal 2** (as root, simulating MDM/admin trigger):
```bash
sudo ./simulate-vulnerable-env.sh
```
The PoC monitors `/var/tmp` for Installomator directories created with `chmod 777`, then races to swap the legitimate PKG with a malicious one containing a postinstall script that executes as root.
See `poc.py` and `simulate-vulnerable-env.sh` for full details.
## Remediation
- **Upgrade** to App-Auto-Patch 3.5.0 or later
- The fix changes directory permissions from `chmod 777` to `chmod 755`, breaking the attack chain
## Timeline
| Date | Event |
|------|-------|
| 2024-12-22 | Vulnerability discovered |
| 2024-12-22 | PoC created |
| 2024-12-22 | PR [#202](https://github.com/App-Auto-Patch/App-Auto-Patch/pull/202) submitted |
| 2024-12-22 | Issue [#203](https://github.com/App-Auto-Patch/App-Auto-Patch/issues/203) filed |
| 2025-12-23 | Fixed in App-Auto-Patch 3.5.0 |
| 2026-02-20 | CVE-2025-70341 assigned |
## Credit
- **cooldadhacking** ([GitHub](https://github.com/cooldadhacking))
## References
- [App-Auto-Patch PR #202](https://github.com/App-Auto-Patch/App-Auto-Patch/pull/202)
- [App-Auto-Patch Issue #203](https://github.com/App-Auto-Patch/App-Auto-Patch/issues/203)
- [App-Auto-Patch-via-Dialog.zsh](https://github.com/App-Auto-Patch/App-Auto-Patch/blob/main/App-Auto-Patch-via-Dialog.zsh)
## Disclaimer
This proof of concept is provided for educational and authorized security testing purposes only. Use responsibly and only on systems you own or have explicit permission to test.