toast i guess

@cR0w the iOS jailbreak community is getting real familiar with this right now.
TrollRestore, MisakaX, PureKFD, and Nugget all use it to modify system files. Fun how ../ can be used, right?
Edit: Forgot to mention that this exploit applies all the way from 14.0 to past the latest public stable, only being patched in 18.1 beta 5.
github.com/Lrdsnow/PureKFD
github.com/leminlimez/Nugget
github.com/straight-tamago/mis

And some fun articles:
idownloadblog.com/2024/09/05/e
type.cyhsu.xyz/2024/09/ios-fea

toast i guess

@cR0w haha, yep!
Quoting from the type.cyhsu.xyz link,
“Somehow, the sanity of the file paths within the SysContainerDomain was not checked, allowing the inclusion of the infamously unsafe string ../ […]. Because SysContainerDomain files are unpacked under
/var/.backup.i/var/mobile/Library/Backup/System Containers/Data/
during restoration, the path
SysContainerDomain-../../../../../../../..
resolves to / [. This] allows access to system files.”
Shortened b/c text limit
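
The path resolution described in the quote above, next to a containment check, as an added example that is not part of the original posts or of any of the linked projects. It assumes the text after `SysContainerDomain-` is joined directly under the staging directory; the function names and the benign domain are hypothetical.

```python
import posixpath

# Staging directory and domain prefix as quoted in the thread.
STAGING_ROOT = "/var/.backup.i/var/mobile/Library/Backup/System Containers/Data"
DOMAIN_PREFIX = "SysContainerDomain-"

# Domain string quoted in the thread, plus a constructed benign one.
QUOTED_DOMAIN = "SysContainerDomain-../../../../../../../.."
BENIGN_DOMAIN = "SysContainerDomain-com.example.app"  # constructed sample


def naive_target(domain, relative_path=""):
    """Unchecked join: where a file lands if the domain suffix is trusted."""
    suffix = domain[len(DOMAIN_PREFIX):]
    return posixpath.normpath(posixpath.join(STAGING_ROOT, suffix, relative_path))


def checked_target(domain, relative_path=""):
    """Hardened join: reject any record that could leave STAGING_ROOT."""
    if not domain.startswith(DOMAIN_PREFIX):
        raise ValueError("unexpected domain: %r" % domain)
    suffix = domain[len(DOMAIN_PREFIX):]
    for part in (suffix, relative_path):
        # Refuse absolute paths, NUL bytes and any '..' component outright.
        if part.startswith("/") or "\x00" in part or ".." in part.split("/"):
            raise ValueError("unsafe path component: %r" % part)
    if not suffix:
        raise ValueError("empty container name")
    target = posixpath.normpath(posixpath.join(STAGING_ROOT, suffix, relative_path))
    # Defence in depth: the normalised result must still sit under the root.
    # (On a real filesystem, symlinks would also need resolving before this check.)
    if not target.startswith(STAGING_ROOT + "/"):
        raise ValueError("target escapes staging root: %r" % target)
    return target


if __name__ == "__main__":
    print(naive_target(QUOTED_DOMAIN))
    print(checked_target(BENIGN_DOMAIN, "Library/Preferences/app.plist"))
    try:
        checked_target(QUOTED_DOMAIN)
    except ValueError as exc:
        print("rejected:", exc)
```

The staging directory has eight components and the quoted domain carries eight `..` segments, which is why the unchecked join lands exactly on `/`.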

toast i guess

@cR0w While it allows you to do all sorts of things, SparseRestore is usually used to modify the MobileGestalt file. This allows for enabling/disabling regional or model-specific things, like EU sideloading, enforced shutter sound, Siri’s new AI, and for some reason the iOS 18 Photos UI? I believe, while not being exploited, MobileGestalt also determines the ability to install non-WebKit browsers, NFC contactless payments, AI in Xcode, and more.

theapplewiki.com/wiki/Eligibil

cR0w

@toast_i_guess That's amazing. It really is the year of ../
