
MobileBackup Copy Exploit

From The Apple Wiki

This is a vulnerability utilized by Spirit.




BackupAgent normally restricts files to be restored to a specific set of directories ("domains"). It even has a check to ensure that ".." isn't in the path:

   Path contains sneaky dots to traverse up outside of the domain: %@

However, for some reason, this check isn't applied when taking alternate code paths for special handling of certain files. For example, a restore to HomeDomain with a path starting with Library/Preferences/SystemConfiguration/ is migrated to the new directory for system configuration, /var/preferences/SystemConfiguration. This bypasses the sneaky dots check, so Spirit is able to restore to this path:


This was fixed in iOS 3.2.1 and 4.0.
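
The check-ordering flaw described above, modelled next to a resolver that validates every code path. This is an added example, not BackupAgent code or Apple's fix; the function names, the `/var/mobile` root for HomeDomain and the sample entry are assumptions made for illustration.

```python
import posixpath

# Directory names below come from the page, except HomeDomain's root, which is assumed.
DOMAIN_ROOTS = {"HomeDomain": "/var/mobile"}
MIGRATED_PREFIX = "Library/Preferences/SystemConfiguration/"
MIGRATED_ROOT = "/var/preferences/SystemConfiguration"


class RestoreRejected(Exception):
    """Raised when a backup entry must not be restored."""


def has_sneaky_dots(rel_path):
    # Component-wise test, so a file name such as "a..b" is not rejected.
    return ".." in rel_path.split("/")


def resolve_flawed(domain, rel_path):
    """Model of the bug: the migration branch returns before the '..' check."""
    if domain == "HomeDomain" and rel_path.startswith(MIGRATED_PREFIX):
        return posixpath.join(MIGRATED_ROOT, rel_path[len(MIGRATED_PREFIX):])
    if has_sneaky_dots(rel_path):
        raise RestoreRejected("sneaky dots: " + rel_path)
    return posixpath.join(DOMAIN_ROOTS[domain], rel_path)


def resolve_hardened(domain, rel_path):
    """Validate once, up front, then confirm the final path stays in its root."""
    if domain not in DOMAIN_ROOTS:
        raise RestoreRejected("unknown domain: " + domain)
    if rel_path.startswith("/") or has_sneaky_dots(rel_path):
        raise RestoreRejected("unsafe path: " + rel_path)
    if domain == "HomeDomain" and rel_path.startswith(MIGRATED_PREFIX):
        root, rest = MIGRATED_ROOT, rel_path[len(MIGRATED_PREFIX):]
    else:
        root, rest = DOMAIN_ROOTS[domain], rel_path
    dest = posixpath.normpath(posixpath.join(root, rest))
    # Containment check on the remapped destination, whichever branch chose it.
    # Lexical only: a real restore must also refuse to follow symlinks.
    if posixpath.commonpath([root, dest]) != root:
        raise RestoreRejected("escapes " + root + ": " + rel_path)
    return dest


# Constructed sample entry, not the path Spirit used.
SAMPLE = MIGRATED_PREFIX + "../../example"
```
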