Difference between revisions of "MobileBackup Copy Exploit"

From The iPhone Wiki
(New page: BackupAgent normally restricts files to be restored to a specific set of directories ("domains"). It even has a check to ensure that ".." isn't in the path: Path contains sneaky dots...)
 
m (Put it in the same format as most exploit pages.)
 
(3 intermediate revisions by 3 users not shown)

Latest revision as of 02:04, 23 October 2010

This is a vulnerability utilized by Spirit.

Credit

comex

Details

BackupAgent normally restricts files to be restored to a specific set of directories ("domains"). It even has a check to ensure that ".." isn't in the path:

   Path contains sneaky dots to traverse up outside of the domain: %@

However, this check isn't applied on the alternate code paths that give certain files special handling. For example, a restore to HomeDomain with a path starting with Library/Preferences/SystemConfiguration/ is migrated to the new directory for system configuration, /var/preferences/SystemConfiguration. That migration branch never runs the sneaky dots check, so Spirit is able to restore to this path:

   Library/Preferences/SystemConfiguration/../../../../../var/db/launchd.db/com.apple.launchd/overrides.plist

This was fixed in iOS 3.2.1 and 4.0.
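The logic bug above, as an added Python model that is not the page's or Apple's code: the ".." check only guards the default branch, while the SystemConfiguration migration branch is dispatched before it and so never sees it. The hardened version resolves the path first on every branch and then checks containment. The HomeDomain root `/var/mobile` and the sample file names are assumptions; the directory names and the traversal path come from the page.

```python
import posixpath

# Constructed model of the two restore branches described above; the directory
# names are from the page, the HomeDomain root is an assumption.
HOME_DOMAIN_ROOT = "/var/mobile"
SYSCONFIG_PREFIX = "Library/Preferences/SystemConfiguration/"
SYSCONFIG_ROOT = "/var/preferences/SystemConfiguration"

# The restore path quoted on the page.
SNEAKY_PATH = ("Library/Preferences/SystemConfiguration/"
               "../../../../../var/db/launchd.db/com.apple.launchd/overrides.plist")


def naive_resolve(domain_root, rel_path):
    """Flawed ordering: the '..' check guards only the default branch, so the
    migration branch (taken first) never sees it."""
    if rel_path.startswith(SYSCONFIG_PREFIX):
        # Special handling: migrate into the new system configuration directory.
        tail = rel_path[len(SYSCONFIG_PREFIX):]
        return posixpath.normpath(posixpath.join(SYSCONFIG_ROOT, tail))
    if ".." in rel_path.split("/"):
        raise ValueError(
            "Path contains sneaky dots to traverse up outside of the domain: %s" % rel_path)
    return posixpath.normpath(posixpath.join(domain_root, rel_path))


def safe_resolve(domain_root, rel_path):
    """Hardened: pick the root for the branch, then normalize and check
    containment on every branch instead of string-matching for '..'."""
    if rel_path.startswith(SYSCONFIG_PREFIX):
        root, tail = SYSCONFIG_ROOT, rel_path[len(SYSCONFIG_PREFIX):]
    else:
        root, tail = domain_root, rel_path
    if posixpath.isabs(tail):
        raise ValueError("absolute path not allowed in a restore: %s" % rel_path)
    resolved = posixpath.normpath(posixpath.join(root, tail))
    # normpath collapses '..' lexically; the result must still sit under root.
    if resolved != root and not resolved.startswith(root + "/"):
        raise ValueError("path escapes its domain root %s: %s" % (root, rel_path))
    return resolved


if __name__ == "__main__":
    print("naive:", naive_resolve(HOME_DOMAIN_ROOT, SNEAKY_PATH))
    try:
        safe_resolve(HOME_DOMAIN_ROOT, SNEAKY_PATH)
    except ValueError as e:
        print("safe :", e)
```

The containment check here is purely lexical; a real restore agent must additionally resolve symlinks on the target filesystem, since a link inside the domain can point outside it without any ".." in the path.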