By restoring files, directories and symlinks to the iOS device, the path is carefully checked, so that no write accesses outside of certain domains are possible. By creating a symlink that points to somewhere else, it is possible to overcome this limitation.
This vulnerability has been fixed in iOS 7.1b2.
Usage in evasi0n jailbreak[edit]
In the case of evasi0n, the following files, directories and symlinks are restored, all in the Media Domain:
- directory:
Media/
- directory:
Media/Recordings/
- symlink:
Media/Recordings/.haxx
pointing to/var/mobile
- directory:
Media/Recordings/.haxx/DemoApp.app/
- several files in
Media/Recordings/.haxx/DemoApp.app/
,Info.plist
,DemoApp
,Icon.png
,Icon@2x.png
,Icon-72.png
,Icon-72@2x.png
- file:
Media/Recordings/.haxx/Library/Caches/com.apple.mobile.installation.plist
This results in the following directory and file structure:
/var/mobile/Media/Recordings/ (folder) /var/mobile/Media/Recordings/.haxx (symlink) /var/mobile/DemoApp.app/Info.plist /var/mobile/DemoApp.app/DemoApp /var/mobile/DemoApp.app/Icon.png /var/mobile/DemoApp.app/Icon@2x.png /var/mobile/DemoApp.app/Icon-72.png /var/mobile/DemoApp.app/Icon-72@2x.png /var/mobile/Library/Caches/com.apple.mobile.installation.plist
See Also[edit]
- Timezone Vulnerability regarding CVE-2013-0979
References[edit]
- Accuvant Labs analysis of evasi0n [Archived 2013-12-27 at the Wayback Machine]