Difference between revisions of "Symbolic Link Vulnerability"

From The iPhone Wiki
(initial page)
 
m (new link here too)
 
(6 intermediate revisions by 2 users not shown)
Line 1: Line 1:
 
By restoring files, directories and symlinks to the iOS device, the path is carefully checked, so that no write accesses outside of certain domains are possible. By creating a symlink that points to somewhere else, it is possible to overcome this limitation.
 
By restoring files, directories and symlinks to the iOS device, the path is carefully checked, so that no write accesses outside of certain domains are possible. By creating a symlink that points to somewhere else, it is possible to overcome this limitation.
  +
  +
This vulnerability has been [https://twitter.com/iH8sn0w/status/412338808903192576 fixed] in iOS 7.1b2.
   
 
== Usage in [[evasi0n]] jailbreak ==
 
== Usage in [[evasi0n]] jailbreak ==
Line 7: Line 9:
 
* symlink: <code>Media/Recordings/.haxx</code> pointing to <code>/var/mobile</code>
 
* symlink: <code>Media/Recordings/.haxx</code> pointing to <code>/var/mobile</code>
 
* directory: <code>Media/Recordings/.haxx/DemoApp.app/</code>
 
* directory: <code>Media/Recordings/.haxx/DemoApp.app/</code>
* several files in <code>Media/Recordings/.haxx/DemoApp.app/</code>: <code>Info.plist</code>, <code>DemoApp</code>, <code>Icon.png</code>, <code>Icon@2x.png</code>, <code>Icon-72.png</code>, <code>Icon-72@2x.png</code>
+
* several files in <code>Media/Recordings/.haxx/DemoApp.app/</code>, <code>Info.plist</code>, <code>DemoApp</code>, <code>Icon.png</code>, <code>Icon@2x.png</code>, <code>Icon-72.png</code>, <code>Icon-72@2x.png</code>
* file: <code>Media/Recordings/.haxx/Library/Caches/com.apple.mobile.installation.plist</code>
+
* file: <code>Media/Recordings/.haxx/Library/Caches/[[com.apple.mobile.installation.plist]]</code>
   
 
This results in the following directory and file structure:
 
This results in the following directory and file structure:
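Review bot: In the "several files" list item, the colon after <code>Media/Recordings/.haxx/DemoApp.app/</code> was replaced with a comma, so the directory now reads as one more entry in the list instead of the location of the files that follow. Suggest restoring the colon: "several files in <code>Media/Recordings/.haxx/DemoApp.app/</code>: <code>Info.plist</code>, <code>DemoApp</code>, ...".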
Line 21: Line 23:
 
/var/mobile/DemoApp.app/Icon-72@2x.png
 
/var/mobile/DemoApp.app/Icon-72@2x.png
 
 
/var/mobile/Library/Caches/com.apple.mobile.installation.plist
+
/var/mobile/Library/Caches/[[com.apple.mobile.installation.plist]]
  +
  +
== See Also ==
  +
* [[Timezone Vulnerability]] regarding CVE-2013-0979
   
 
== References ==
 
== References ==
* [http://blog.accuvantlabs.com/blog/bthomas/evasi0n-jailbreaks-userland-component Accuvant Labs analysis of evasi0n]
+
* [http://blog.accuvant.com/bthomasaccuvant/evasi0n-jailbreaks-userland-component/ Accuvant Labs analysis of evasi0n]
   
 
[[Category:Exploits]]
 
[[Category:Exploits]]

Latest revision as of 22:32, 30 December 2013

When files, directories and symlinks are restored to the iOS device, the path is carefully checked so that no write access outside of certain domains is possible. By creating a symlink that points somewhere else, it is possible to overcome this limitation: files restored through the symlink are written to its target.

This vulnerability has been fixed in iOS 7.1b2.

Usage in evasi0n jailbreak

In the case of evasi0n, the following files, directories and symlinks are restored, all in the Media Domain:

  • directory: Media/
  • directory: Media/Recordings/
  • symlink: Media/Recordings/.haxx pointing to /var/mobile
  • directory: Media/Recordings/.haxx/DemoApp.app/
  • several files in Media/Recordings/.haxx/DemoApp.app/: Info.plist, DemoApp, Icon.png, Icon@2x.png, Icon-72.png, Icon-72@2x.png
  • file: Media/Recordings/.haxx/Library/Caches/com.apple.mobile.installation.plist

This results in the following directory and file structure:

/var/mobile/Media/Recordings/ (folder)
/var/mobile/Media/Recordings/.haxx (symlink)

/var/mobile/DemoApp.app/Info.plist
/var/mobile/DemoApp.app/DemoApp
/var/mobile/DemoApp.app/Icon.png
/var/mobile/DemoApp.app/Icon@2x.png
/var/mobile/DemoApp.app/Icon-72.png
/var/mobile/DemoApp.app/Icon-72@2x.png

/var/mobile/Library/Caches/com.apple.mobile.installation.plist
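
Why a check on the path string alone does not hold once a symlink is on disk, and one way to close the gap, as an added example (not code from this wiki or from Apple's restore service). The names DOMAIN, checked, restore_naive, restore_hardened and demo are hypothetical, and a temporary directory stands in for /var/mobile:

```python
import os
import tempfile

DOMAIN = "Media"  # assumed: the only prefix the restore may write under

def checked(rel):
    # String-only check: normalise, require the result to stay under DOMAIN.
    norm = os.path.normpath(rel)
    if norm != DOMAIN and not norm.startswith(DOMAIN + "/"):
        raise PermissionError(rel)
    return norm

def restore_naive(base, rel, data):
    # Validates the text, then lets the OS follow any symlink already restored.
    full = os.path.join(base, checked(rel))
    os.makedirs(os.path.dirname(full), exist_ok=True)
    with open(full, "wb") as f:
        f.write(data)

def restore_hardened(base, rel, data):
    # Same text check, then descend per component with O_NOFOLLOW.
    *dirs, leaf = checked(rel).split("/")
    fd = os.open(base, os.O_RDONLY | os.O_DIRECTORY)
    try:
        for name in dirs:
            try:
                os.mkdir(name, dir_fd=fd)
            except FileExistsError:
                pass
            nxt = os.open(name, os.O_RDONLY | os.O_DIRECTORY | os.O_NOFOLLOW, dir_fd=fd)
            os.close(fd)
            fd = nxt
        out = os.open(leaf, os.O_WRONLY | os.O_CREAT | os.O_TRUNC | os.O_NOFOLLOW, 0o600, dir_fd=fd)
        with os.fdopen(out, "wb") as f:
            f.write(data)
    finally:
        os.close(fd)

def demo(restore):
    # Constructed sandbox reproducing the layout above; True means a file landed outside Media/.
    base = os.path.join(tempfile.mkdtemp(), "var", "mobile")
    os.makedirs(os.path.join(base, "Media", "Recordings"))
    os.symlink(base, os.path.join(base, "Media", "Recordings", ".haxx"))
    try:
        restore(base, "Media/Recordings/.haxx/DemoApp.app/Info.plist", b"constructed")
    except OSError:
        pass
    return os.path.exists(os.path.join(base, "DemoApp.app", "Info.plist"))
```

Both functions accept the same path string; only the hardened one refuses to descend through .haxx, because every directory component is opened relative to its parent with O_NOFOLLOW.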

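See Also

  • Timezone Vulnerability regarding CVE-2013-0979

References

  • Accuvant Labs analysis of evasi0n: http://blog.accuvant.com/bthomasaccuvant/evasi0n-jailbreaks-userland-component/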