|
The iPhone Wiki is no longer updated. Visit this article on The Apple Wiki for current information. |
Difference between revisions of "MobileBackup Copy Exploit"
m (Added to "Exploits" category.) |
m (Put it in the same format as most exploit pages.) |
||
| (2 intermediate revisions by 2 users not shown) | |||
| Line 1: | Line 1: | ||
| + | This is a vulnerability utilized by [[Spirit]]. |
||
| + | |||
| + | ==Credit== |
||
| + | [[User:Comex|comex]] |
||
| + | |||
| + | ==Details== |
||
BackupAgent normally restricts files to be restored to a specific set of directories ("domains"). It even has a check to ensure that ".." isn't in the path: |
BackupAgent normally restricts files to be restored to a specific set of directories ("domains"). It even has a check to ensure that ".." isn't in the path: |
||
| Line 6: | Line 12: | ||
Library/Preferences/SystemConfiguration/../../../../../var/db/launchd.db/com.apple.launchd/overrides.plist |
Library/Preferences/SystemConfiguration/../../../../../var/db/launchd.db/com.apple.launchd/overrides.plist |
||
| + | |||
| + | This was fixed in iOS 3.2.1 and 4.0. |
||
[[Category:Exploits]] |
[[Category:Exploits]] |
||
Latest revision as of 02:04, 23 October 2010
This is a vulnerability utilized by Spirit.
Credit
Details
BackupAgent normally restricts files to be restored to a specific set of directories ("domains"). It even has a check to ensure that ".." isn't in the path:
Path contains sneaky dots to traverse up outside of the domain: %@
However, for some reason, this check isn't applied when taking alternate code paths for special handling of certain files. For example, a restore to HomeDomain with a path starting with Library/Preferences/SystemConfiguration/ is migrated to the new directory for system configuration, /var/preferences/SystemConfiguration. This bypasses the sneaky dots check, so spirit is able to restore to this path:
Library/Preferences/SystemConfiguration/../../../../../var/db/launchd.db/com.apple.launchd/overrides.plist
This was fixed in iOS 3.2.1 and 4.0.
