A sandbox escape vulnerability affects iPhones and iPads running iOS 16.2 beta 1 or earlier versions. The proof-of-concept (PoC) exploits weaknesses in the itunesstored and bookassetd daemons, enabling attackers to replace sensitive files in areas of the device's Data partition that are normally shielded from unauthorized access.
Researcher Kim shared the details in a blog post on October 20, 2025, emphasizing that the findings stem from her reverse engineering efforts and urging readers to verify them independently.
The vulnerability hinges on a maliciously crafted "downloads.28.sqlitedb" database, which tricks the itunesstored daemon into downloading and placing a secondary database, "BLDatabaseManager.sqlite," into a shared system group container.
While itunesstored operates under strict sandbox limits, the next stage leverages bookassetd, a daemon handling iBooks downloads with broader permissions.
MobileGestalt Exploit
This permits writes to mobile-owned paths like /private/var/mobile/Library/FairPlay/, /private/var/mobile/Media/, and even system caches such as /private/var/containers/Shared/SystemGroup/systemgroup.com.apple.mobilegestaltcache/Library/Caches/com.apple.MobileGestalt.plist.
In a demo on an iPhone 12 running iOS 16.0.1, Kim modified the MobileGestalt cache to spoof the device as an iPod touch (model iPod9,1), proving the exploit's reach.
The method requires preparing the target file in a modified EPUB format, zipped without compressing the mimetype file, and hosting supporting assets like iTunesMetadata.plist on a server.
Attackers must then use tools like 3uTools or afcclient to inject the databases into /var/mobile/Media/Downloads/, followed by targeted reboots to trigger the downloads.
Expected behavior halts writes to unauthorized paths, but the flaw permits modifications unless the destination is root-controlled.
Kim lists numerous writable locations, including caches and media directories, potentially enabling persistence, configuration tampering, or data exfiltration.
The exploit requires physical or tethered access to place the database, but once set up, it could facilitate more sophisticated attacks on jailbroken or compromised devices.
Apple has not yet commented, and Kim notes the issue may be patched imminently. She provides basic files on GitHub for educational use, stressing that the research is for learning only and not for illegal activities.
As iOS evolves with tighter sandboxing, this PoC underscores ongoing challenges in daemon isolation. Security teams should monitor for related indicators, like anomalous database entries in download logs.
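One way a security team could watch for the indicators described above is a baseline-and-diff integrity check over the writable paths the article names, combined with a scan for the planted database names and for an unexpected model string in the MobileGestalt cache. The script below is an added example, not code from Kim's PoC or from Apple. It assumes a copy of the Data partition is available under a root directory (for instance from a mounted image or backup), that the layout matches the paths quoted in the article, and that the device model appears as a plain string value somewhere in the cache plist (the real cache uses obfuscated keys, so it matches by value rather than by key). All sample files are constructed in a temporary directory; `make_demo_tree` and `run_demo` exist only to exercise the checks offline.

```python
"""Integrity and indicator checks for the paths named in the write-up.

Added example (not the PoC author's code). Assumes a Data partition copy
under a root directory laid out as the article's paths describe.
"""
import hashlib
import plistlib
import re
import tempfile
from pathlib import Path
from typing import Dict, List

# Writable locations the article lists, relative to the partition root.
# /var is a symlink to /private/var on iOS; the fixture uses the /private form.
WATCHED = [
    "private/var/mobile/Library/FairPlay",
    "private/var/mobile/Media",
    "private/var/containers/Shared/SystemGroup/systemgroup.com.apple.mobilegestaltcache/Library/Caches/com.apple.MobileGestalt.plist",
]
DOWNLOADS = "private/var/mobile/Media/Downloads"
# Database names the write-up says the PoC plants to trigger the chain.
SUSPICIOUS_DBS = {"downloads.28.sqlitedb", "BLDatabaseManager.sqlite"}
# Device identifiers look like "iPhone13,2" (the iPhone 12 used in the demo).
MODEL_RE = re.compile(r"^(iPhone|iPad|iPod)\d+,\d+$")


def _sha256(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: str) -> Dict[str, str]:
    """Hash every file under the watched paths; key = path relative to root."""
    base = Path(root)
    baseline: Dict[str, str] = {}
    for rel in WATCHED:
        p = base / rel
        if p.is_file():
            files = [p]
        elif p.is_dir():
            files = [q for q in p.rglob("*") if q.is_file()]
        else:
            files = []
        for f in files:
            baseline[f.relative_to(base).as_posix()] = _sha256(f)
    return baseline


def diff_baseline(root: str, baseline: Dict[str, str]) -> Dict[str, str]:
    """Return {relpath: 'added'|'modified'|'removed'} versus a stored baseline."""
    current = build_baseline(root)
    changes: Dict[str, str] = {}
    for rel, digest in current.items():
        if rel not in baseline:
            changes[rel] = "added"
        elif baseline[rel] != digest:
            changes[rel] = "modified"
    for rel in baseline:
        if rel not in current:
            changes[rel] = "removed"
    return changes


def suspicious_downloads(root: str) -> List[str]:
    """Names in Media/Downloads that match the databases the PoC plants."""
    d = Path(root) / DOWNLOADS
    if not d.is_dir():
        return []
    return sorted(f.name for f in d.iterdir() if f.name in SUSPICIOUS_DBS)


def gestalt_models(plist_path: str) -> List[str]:
    """Collect every device-model-looking string value from the cache plist."""
    with open(plist_path, "rb") as f:
        data = plistlib.load(f)
    found: List[str] = []

    def walk(node):
        if isinstance(node, str):
            if MODEL_RE.match(node):
                found.append(node)
        elif isinstance(node, dict):
            for v in node.values():
                walk(v)
        elif isinstance(node, list):
            for v in node:
                walk(v)

    walk(data)
    return found


def make_demo_tree(root: str, model: str = "iPhone13,2") -> None:
    """Constructed fixture: a minimal partition layout for offline testing."""
    base = Path(root)
    (base / DOWNLOADS).mkdir(parents=True, exist_ok=True)
    fairplay = base / "private/var/mobile/Library/FairPlay"
    fairplay.mkdir(parents=True, exist_ok=True)
    (fairplay / "keys.bin").write_bytes(b"constructed sample")
    cache = base / WATCHED[2]
    cache.parent.mkdir(parents=True, exist_ok=True)
    with cache.open("wb") as f:
        # Key name is constructed; only the value is matched by the check.
        plistlib.dump({"CacheExtra": {"constructedKey": model}}, f)


def run_demo() -> dict:
    """Baseline a clean tree, then reproduce the symptoms the write-up
    describes (planted database, spoofed model) inside the temp dir only."""
    with tempfile.TemporaryDirectory() as root:
        make_demo_tree(root)
        baseline = build_baseline(root)
        (Path(root) / DOWNLOADS / "downloads.28.sqlitedb").write_bytes(b"constructed")
        make_demo_tree(root, model="iPod9,1")  # rewrites the cache plist
        return {
            "changes": diff_baseline(root, baseline),
            "planted": suspicious_downloads(root),
            "models": gestalt_models(str(Path(root) / WATCHED[2])),
        }


if __name__ == "__main__":
    print(run_demo())
```

In practice the baseline would be taken from a known-good device image and stored off-device; a "modified" MobileGestalt cache, an "added" file under Media/Downloads with one of the planted names, or a model string that does not match the hardware are each worth an alert on their own.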
