Executive Summary

CVE-2025-70342 is a vulnerability in the erase-install script used on Apple Silicon Macs (versions up to 40.4) that allows local unprivileged attackers to intercept administrator credentials during reinstall or erase operations.

The issue arises because the script writes swiftDialog credential output (username and password) to a hardcoded, predictable, and world-writable file path: /var/tmp/dialog.json. The script does not verify if this path has been tampered with before writing.

An attacker can exploit this by creating a named pipe (FIFO) or a symlink at /var/tmp/dialog.json pointing to a FIFO they control. When the admin enters credentials during the erase-install process, these credentials are written through the symlink or FIFO, allowing the attacker to capture them in real time.

This attack requires only low privileges, no special timing or race conditions, and only the admin entering credentials.

The vulnerability was fixed by replacing the hardcoded path with a randomly generated temporary filename using mktemp, preventing path prediction and symlink attacks.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability can lead to the disclosure of administrator credentials during reinstall or erase operations on Apple Silicon Macs.

An attacker with local unprivileged access can intercept these credentials by exploiting the predictable file path used by the erase-install script.

Compromise of administrator credentials can lead to unauthorized system access, privilege escalation, and potential full system compromise.

Because the attack requires only low privileges and no complex conditions, it poses a high confidentiality and integrity risk.

Useful 0 Not Useful 0

Compliance Impact

I don't know

Useful 0 Not Useful 0

Detection Guidance

This vulnerability can be detected by checking if the file /var/tmp/dialog.json exists as a named pipe (FIFO) or a symlink pointing to a FIFO or other suspicious location. An attacker exploits the vulnerability by creating a named pipe or symlink at this predictable path to intercept credentials.

Suggested commands to detect potential exploitation or presence of the vulnerability include:

• Check if /var/tmp/dialog.json is a named pipe or symlink: ls -l /var/tmp/dialog.json
• Verify the file type: file /var/tmp/dialog.json
• Check for suspicious FIFOs in /var/tmp or /tmp: find /var/tmp /tmp -type p
• Monitor for unexpected reads or writes to /var/tmp/dialog.json or related FIFOs.

Useful 0 Not Useful 0

Mitigation Strategies

Immediate mitigation involves upgrading the erase-install script to version 40.5 or later, which contains the fix that replaces the hardcoded credential output path with a securely generated temporary file name using mktemp.

Until the upgrade can be applied, you should ensure that /var/tmp/dialog.json does not exist as a named pipe or symlink and restrict write permissions to /var/tmp to prevent unprivileged users from creating such files.

Additional steps include monitoring and removing any suspicious FIFOs or symlinks at /var/tmp/dialog.json and educating administrators to be aware of this vulnerability when running erase-install with --erase or --reinstall options.

Useful 0 Not Useful 0