Recently, an alarming vulnerability has cropped up on iOS devices. This security loophole allows an attacker to overwrite arbitrary files on a targeted device and, when used in combination with other procedures, install a signed app that devices will trust without presenting a warning notification to users.
In a recent article published on Threatpost, it’s noted that the vulnerability is located in a library that lies within both iOS and OS X. In this case, the library in question is AirDrop, the tool featured on Apple devices that allows users to directly send files to fellow Apple device quickly and effortlessly. The problem lies within the fact that Airdrop doesn’t use a sandboxing mechanism in the same way that many other iOS applications do. When making use of a sandbox, every application has its own container for files that it can’t get beyond the so-called “walls“ of.
AirDrop gives users to the choice to accept file transfers either from only their own contacts or anyone who sends them a request to send files. In the case that a user can receive files from anyone, it’s quite easy for an attacker to exploit their device on their locked iOS device. What’s more, the attacker can even make the attack without the user agreeing to accept a file transferred using AirDrop.
Directory traversal attacks make the exploitation of this vulnerability possible
Mark Dowd, the security researcher who discovered the vulnerability, has been able to repeatedly and reliably exploit the security flaw. The vulnerability allows the attacker to execute a directory traversal attack, in which the attacker attempts to access files that are not intended to be accessed. Thus, the attackers are capable of writing files to any location they choose on the file system.
Since sandboxing rules weren’t being strictly enforced on AirDrop, Dowd was able to read/write hidden system resources in combination with his own directory traversal attack. In doing so, he was able to upload his own application into the system and make it appear as trusted.
This bug has been reported to Apple, but a full patch has not yet been released for the recently-launched iOS 9. Therefore, if you’re the owner of one or more Apple devices, make sure that your AirDrop sharing options are set to private and that you’re only able to receive files from your contact list.