Symbolic Link Vulnerability

From The iPhone Wiki
Revision as of 01:42, 16 December 2013 by Http (talk | contribs) (mention that it's patched)

When files, directories and symlinks are restored to an iOS device, each path is carefully checked so that no write access outside of certain domains (such as the Media domain) is possible. The check looks only at the path as written, however: by first restoring a symlink that points somewhere else, later writes whose paths pass through that symlink land at the symlink's target, which makes it possible to overcome this limitation.

This vulnerability has been fixed in iOS 7.1b2[1].

Usage in evasi0n jailbreak

In the case of evasi0n, the following files, directories and symlinks are restored, all in the Media Domain:

  • directory: Media/
  • directory: Media/Recordings/
  • symlink: Media/Recordings/.haxx pointing to /var/mobile
  • directory: Media/Recordings/.haxx/DemoApp.app/
  • several files in Media/Recordings/.haxx/DemoApp.app/: Info.plist, DemoApp, Icon.png, Icon@2x.png, Icon-72.png, Icon-72@2x.png
  • file: Media/Recordings/.haxx/Library/Caches/com.apple.mobile.installation.plist

This results in the following directory and file structure:

/var/mobile/Media/Recordings/ (folder)
/var/mobile/Media/Recordings/.haxx (symlink)

/var/mobile/DemoApp.app/Info.plist
/var/mobile/DemoApp.app/DemoApp
/var/mobile/DemoApp.app/Icon.png
/var/mobile/DemoApp.app/Icon@2x.png
/var/mobile/DemoApp.app/Icon-72.png
/var/mobile/DemoApp.app/Icon-72@2x.png

/var/mobile/Library/Caches/com.apple.mobile.installation.plist
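To make the path check concrete, here is an added Python model of a per-domain restore routine; it is not code from this wiki, from iOS or from evasi0n. It replays the evasi0n entry list above into a scratch directory that stands in for /var/mobile (the symlink target is therefore the scratch root rather than the literal /var/mobile). The names DOMAIN, lexical_check, resolved_check, restore and run_restore are assumptions made for the example. The lexical check inspects only the path text and lets the DemoApp.app entries land outside Media/; the hardened check resolves the destination on the real filesystem before each write and rejects them.

```python
import os
import tempfile
from pathlib import Path

# Constructed model of a per-domain restore check. The scratch root stands in
# for /var/mobile and DOMAIN for the Media domain; all names here are
# assumptions for this example, not the names used by iOS or by evasi0n.
DOMAIN = "Media"


def build_entries(root: Path):
    """The evasi0n entry list from the page as (kind, path, payload) tuples.
    The real symlink target is /var/mobile; here it is the scratch root."""
    return [
        ("dir", "Media/", None),
        ("dir", "Media/Recordings/", None),
        ("symlink", "Media/Recordings/.haxx", str(root)),
        ("dir", "Media/Recordings/.haxx/DemoApp.app/", None),
        ("file", "Media/Recordings/.haxx/DemoApp.app/Info.plist", b"<plist/>"),
    ]


def lexical_check(root: Path, rel: str) -> bool:
    """Weak check: inspects only the path text, so a path that textually stays
    under Media/ passes even when one of its components is a symlink elsewhere."""
    norm = os.path.normpath(rel)
    return norm == DOMAIN or norm.startswith(DOMAIN + os.sep)


def _inside(path: Path, base: Path) -> bool:
    try:
        path.relative_to(base)
        return True
    except ValueError:
        return False


def resolved_check(root: Path, rel: str) -> bool:
    """Hardened check: resolve the destination on the real filesystem (following
    symlinks in every existing component) and require the result to still lie
    under the domain directory."""
    domain_real = (root / DOMAIN).resolve()
    return _inside((root / rel).resolve(), domain_real)


def restore(root: Path, entries, check):
    """Apply the entries under root, skipping any the check rejects.
    Returns (written, rejected) lists of entry paths."""
    written, rejected = [], []
    for kind, rel, payload in entries:
        if not check(root, rel):
            rejected.append(rel)
            continue
        dest = root / rel
        if kind == "dir":
            dest.mkdir(parents=True, exist_ok=True)
        elif kind == "symlink":
            dest.symlink_to(payload)
        elif kind == "file":
            dest.parent.mkdir(parents=True, exist_ok=True)
            dest.write_bytes(payload)
        written.append(rel)
    return written, rejected


def files_outside_domain(root: Path):
    """Regular files that ended up outside root/DOMAIN (symlinks are not followed)."""
    outside = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            if not p.is_symlink() and not _inside(p, root / DOMAIN):
                outside.append(str(p.relative_to(root)))
    return sorted(outside)


def run_restore(check):
    """Replay the constructed entry list through `check` in a scratch root."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp).resolve()
        written, rejected = restore(root, build_entries(root), check)
        outside = files_outside_domain(root)
    return {"written": written, "rejected": rejected, "outside_domain": outside}


if __name__ == "__main__":
    for name, check in (("lexical", lexical_check), ("resolved", resolved_check)):
        print(name, run_restore(check))
```

With the lexical check, every entry is accepted and Info.plist ends up at DemoApp.app/Info.plist directly under the scratch root, i.e. outside the Media domain, mirroring the /var/mobile/DemoApp.app/ layout listed above. With the resolved check, the symlink itself is still created (it lies inside Media/), but the directory and file entries that pass through it resolve to a location outside the domain and are rejected. Resolving at write time is the essential fix; refusing symlink entries whose targets resolve outside the domain is a complementary measure.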

References