Symbolic Link Vulnerability

From The Apple Wiki

By restoring files, directories and symlinks to the iOS device, the path is carefully checked, so that no write accesses outside of certain domains are possible. By creating a symlink that points to somewhere else, it is possible to overcome this limitation.

This vulnerability has been fixed in iOS 7.1b2.

Usage in evasi0n jailbreak[edit]

In the case of evasi0n, the following files, directories and symlinks are restored, all in the Media Domain:

  • directory: Media/
  • directory: Media/Recordings/
  • symlink: Media/Recordings/.haxx pointing to /var/mobile
  • directory: Media/Recordings/.haxx/DemoApp.app/
  • several files in Media/Recordings/.haxx/DemoApp.app/, Info.plist, DemoApp, Icon.png, Icon@2x.png, Icon-72.png, Icon-72@2x.png
  • file: Media/Recordings/.haxx/Library/Caches/com.apple.mobile.installation.plist

This results in the following directory and file structure: 

/var/mobile/Media/Recordings/ (folder)
/var/mobile/Media/Recordings/.haxx (symlink)

/var/mobile/DemoApp.app/Info.plist
/var/mobile/DemoApp.app/DemoApp
/var/mobile/DemoApp.app/Icon.png
/var/mobile/DemoApp.app/Icon@2x.png
/var/mobile/DemoApp.app/Icon-72.png
/var/mobile/DemoApp.app/Icon-72@2x.png

/var/mobile/Library/Caches/com.apple.mobile.installation.plist

See Also[edit]

References[edit]

Common Vulnerabilities and Exposures, a central database of security vulnerabilities reported in software

Retrieved from "https://theapplewiki.com/index.php?title=Symbolic_Link_Vulnerability&oldid=174416"