App-Auto-Patch Insecure Permissions Race Condition Vulnerability Allowing Arbitrary File Writing
Vulnerability
App-Auto-Patch version 3.4.2 contains a vulnerability in which insecure permissions create a race condition that allows local attackers to write arbitrary files. The application creates a working directory with world-writable permissions, so unauthorized users can modify or replace the files in it. This can be exploited to inject malicious Installomator label fragments, which are then executed as root, leading to arbitrary code execution.
Impact
Exploitation of this vulnerability allows arbitrary file writing. Injected files can then be executed as root, especially when the command injection aspect of the vulnerability is exploited.
Reproduction
The vulnerability can be reproduced by creating a malicious Installomator package that includes a post-install script. This package is then swapped with a legitimate one during the installation process, taking advantage of the race condition created by the world-writable directory. The proof of concept for this exploitation is available in the GitHub repository 'malvector/CVE-2025-70341'.
Remediation
Users are advised to upgrade to App-Auto-Patch version 3.5.0 or later, where this vulnerability has been fixed.
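For scripts that run as root and stage files in a working directory, the condition described under Vulnerability can be checked for and avoided as sketched below. This is an added example, not App-Auto-Patch's code or its 3.5.0 fix; the function names and the "patchwork" directory prefix are hypothetical.

```shell
#!/bin/sh
# Added example: function names and paths are hypothetical, not from App-Auto-Patch.

# Return 0 only if DIR is safe for a privileged script to read files from:
# a real directory (not a symlink), owned by the effective user, and not
# writable by group or others.
is_private_dir() {
    dir=$1
    case $dir in /*) ;; *) dir=./$dir ;; esac   # keep find from parsing it as an option
    [ -L "$dir" ] && return 1                   # a symlink could be re-pointed by another user
    [ -d "$dir" ] || return 1
    [ -O "$dir" ] || return 1                   # must be owned by us (root in production)
    # find prints the path only if a group- or world-writable bit is set
    loose=$(find "$dir" -maxdepth 0 \( -perm -0020 -o -perm -0002 \) -print)
    [ -z "$loose" ]
}

# Create a fresh working directory that only the creating user can access.
# mktemp -d creates it atomically with mode 0700 and an unpredictable name,
# unlike mkdir followed by chmod 777 on a fixed path.
make_private_workdir() {
    parent=${1:-${TMPDIR:-/tmp}}
    work=$(umask 077 && mktemp -d "$parent/patchwork.XXXXXXXX") || return 1
    is_private_dir "$work" || { rmdir "$work"; return 1; }
    printf '%s\n' "$work"
}

# Refuse a staged file (for example a label fragment) unless both the file
# and the directory holding it are private to the effective user.
is_trusted_fragment() {
    file=$1
    case $file in /*) ;; *) file=./$file ;; esac
    is_private_dir "$(dirname "$file")" || return 1
    [ -f "$file" ] && [ ! -L "$file" ] && [ -O "$file" ] || return 1
    loose=$(find "$file" -maxdepth 0 \( -perm -0020 -o -perm -0002 \) -print)
    [ -z "$loose" ]
}
```

The checks are only race-free because the directory itself is private: once no other user can write to it, nothing can be swapped between the check and the use.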
