@carlospolop
Collaborator

🤖 Automated Content Update

This PR was automatically generated by the HackTricks News Bot based on a technical blog post.

📝 Source Information

  • Blog URL: https://hanakim3945.github.io/posts/download28_sbx_escape/
  • Blog Title: itunesstored & bookassetd sandbox escape via malicious downloads.28 and BLDatabaseManager
  • Suggested Section: Mobile Pentesting -> iOS Pentesting (new page like "iOS Sandbox Escape via itunesstored & bookassetd arbitrary file write" or a subsection under iOS Pentesting focusing on abusing system daemons & SQLite metadata for sandbox escape)

🎯 Content Summary

This post documents a practical sandbox-escape-style arbitrary file-write primitive on iOS by abusing two Apple daemons, itunesstored and bookassetd, via their SQLite metadata and EPUB processing logic. By crafting a malicious downloads.28.sqlitedb (Stage 1) and a malicious BLDatabaseManager.sqlite plus an attacker-controlled EPUB (Stage 2), an attacker can cause system services to write arbitrary attacker-controlled files into a wide range ...

🔧 Technical Details

Trick 1 – Using downloads.28.sqlitedb to make itunesstored plant an arbitrary SQLite file
Abuse the iOS downloads.28.sqlitedb database (processed by itunesstored) by inserting a crafted row into the asset table that sets url to an attacker‑controlled HTTP endpoint and local_path to any path that itunesstored is allowed to write, such as /private/var/containers/Shared/SystemGroup/<UUID>/Documents/BLDatabaseManager/BLDatabaseManager.sqlite. On boot, itunesstored will fetch the remote file and overwrite the target path with attacker‑provided content. The device‑specific <UUID> is discovered from syslog by using pymobiledevice3 syslog collect logs.logarchive and searching in Console.app for lines where bookassetd logs the BLDatabase store path. This trick generalizes to any component wher...

🤖 Agent Actions

Summary:

  • Added a dedicated itunesstored-bookassetd-sandbox-escape.md page under iOS Pentesting describing how to weaponize downloads.28.sqlitedb, BLDatabaseManager.sqlite, and a crafted EPUB to coerce itunesstored/bookassetd into arbitrary file writes across mobile-owned SystemGroup paths. The page covers prerequisites, SQL payload templates (wrapped in expandable blocks), UUID discovery with pymobiledevice3, EPUB construction, orchestration steps, tooling tips, and detection/mitigation ideas, plus references to the blog and PoC repo.
  • Linked the new content from the “Interesting Vulnerabilities & Case Studies” section of ios-pentesting/README.md so readers can easily find the sandbox escape technique.

Tests: Not run (documentation-only changes).


This PR was automatically created by the HackTricks Feed Bot. Please review the changes carefully before merging.

📚 Repository Maintenance

  • MD files processed: 912
  • MD files fixed: 1

All .md files have been checked for proper formatting (headers, includes, etc.).
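
A defender-side check for the Trick 1 pattern described in the PR body above, added here as an example (it is not part of the PR, the bot output, or the referenced blog). Only the `asset` table, its `url` and `local_path` columns, the SystemGroup prefix and the `BLDatabaseManager.sqlite` name come from the page; the sample rows, host names, placeholder UUID and the "not https" heuristic are constructed assumptions.

```python
import posixpath
import sqlite3
from urllib.parse import urlsplit

# Path prefix and file name taken from the PR description above.
SYSTEMGROUP = "/private/var/containers/Shared/SystemGroup/"
BOOKS_DB = "BLDatabaseManager.sqlite"

def review_asset(url, local_path):
    """Return the reasons an asset row deserves a closer look."""
    reasons = []
    if urlsplit(url or "").scheme.lower() != "https":
        reasons.append("url is not https")  # heuristic, an assumption of this example
    raw = local_path or ""
    norm = posixpath.normpath(raw)  # collapses "..", "." and doubled slashes
    if norm != raw.rstrip("/"):
        reasons.append("local_path is not normalized")
    if norm.startswith(SYSTEMGROUP):
        reasons.append("local_path is inside a SystemGroup container")
    if posixpath.basename(norm) == BOOKS_DB:
        reasons.append("local_path targets " + BOOKS_DB)
    return reasons

def scan_assets(conn):
    """Map rowid -> reasons for every suspicious row in the asset table."""
    rows = conn.execute("SELECT rowid, url, local_path FROM asset")
    findings = {}
    for rowid, url, local_path in rows:
        reasons = review_asset(url, local_path)
        if reasons:
            findings[rowid] = reasons
    return findings

def build_sample_db():
    """Constructed sample holding only the two columns named on the page."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE asset (url TEXT, local_path TEXT)")
    conn.executemany("INSERT INTO asset VALUES (?, ?)", [
        ("https://cdn.example.com/book.epub", "/private/var/tmp/example/book.epub"),
        ("http://198.51.100.7/x", SYSTEMGROUP + "UUID-PLACEHOLDER/Documents/BLDatabaseManager/" + BOOKS_DB),
        ("https://cdn.example.com/a", "/private/var/tmp/example/../../containers/Shared/SystemGroup/x/f"),
    ])
    return conn

if __name__ == "__main__":
    for rowid, reasons in scan_assets(build_sample_db()).items():
        print(rowid, "; ".join(reasons))
```

To review a real device, pass `scan_assets` a `sqlite3` connection opened on a copy of `downloads.28.sqlitedb` taken from a backup or forensic image.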

@carlospolop
Collaborator Author

🔗 Additional Context

Original Blog Post: https://hanakim3945.github.io/posts/download28_sbx_escape/

Content Categories: Based on the analysis, this content was categorized under "Mobile Pentesting -> iOS Pentesting (new page like "iOS Sandbox Escape via itunesstored & bookassetd arbitrary file write" or a subsection under iOS Pentesting focusing on abusing system daemons & SQLite metadata for sandbox escape)".

Repository Maintenance:

  • MD Files Formatting: 912 files processed (1 file fixed)

Review Notes:

  • This content was automatically processed and may require human review for accuracy
  • Check that the placement within the repository structure is appropriate
  • Verify that all technical details are correct and up-to-date
  • All .md files have been checked for proper formatting (headers, includes, etc.)

Bot Version: HackTricks News Bot v1.0

@carlospolop
Collaborator Author

merge

@carlospolop carlospolop merged commit 8baf20b into master Nov 24, 2025
@carlospolop carlospolop deleted the update_itunesstored___bookassetd_sandbox_escape_via_malic_20251124_063048 branch November 24, 2025 11:08