Apple iOS up to 9.0 Bom Archive path traversal

Summaryinfo

A vulnerability has been found in Apple iOS up to 9.0 and classified as critical. This impacts an unknown function of the component Bom. The manipulation as part of Archive leads to path traversal. This vulnerability is referenced as CVE-2015-7006. No exploit is available. The affected component should be upgraded.

Detailsinfo

A vulnerability, which was classified as critical, has been found in Apple iOS up to 9.0 (Smartphone Operating System). This issue affects an unknown part of the component Bom. The manipulation as part of a Archive leads to a path traversal vulnerability. Using CWE to declare the problem leads to CWE-22. The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory. Impacted is confidentiality, and integrity. The summary by CVE is:

Directory traversal vulnerability in the BOM (aka Bill of Materials) component in Apple iOS before 9.1, OS X before 10.11.1, and watchOS before 2.0.1 allows remote attackers to execute arbitrary code via a crafted CPIO archive.

The weakness was published 10/21/2015 by Mark Dowd with Azimuth Security as HT205370 as confirmed advisory (Website). The advisory is shared at support.apple.com. The identification of this vulnerability is CVE-2015-7006 since 09/16/2015. The exploitation is known to be difficult. The attack may be initiated remotely. No form of authentication is needed for a successful exploitation. Neither technical details nor an exploit are publicly available. The price for an exploit might be around USD $0-$5k at the moment (estimation calculated on 06/23/2022). It is expected to see the exploit prices for this product increasing in the near future.MITRE ATT&CK project uses the attack technique T1006 for this issue. The advisory points out:

A file traversal vulnerability existed in the handling of CPIO archives. This issue was addressed through improved validation of metadata.

The vulnerability scanner Nessus provides a plugin with the ID 86654 (Mac OS X < 10.11.1 Multiple Vulnerabilities), which helps to determine the existence of the flaw in a target environment. It is assigned to the family MacOS X Local Security Checks. The commercial vulnerability scanner Qualys is able to test this issue with plugin 124172 (Apple Mac OS X v10.11.1 Not Installed (APPLE-SA-2015-10-21-4)).

Upgrading to version 9.1 eliminates this vulnerability. A possible mitigation has been published immediately after the disclosure of the vulnerability.

The vulnerability is also documented in the vulnerability database at Tenable (86654). Similar entries are available at VDB-68857, VDB-74877, VDB-74936 and VDB-77709. If you want to get the best quality for vulnerability data then you always have to consider VulDB.

Productinfo

Type

• Smartphone Operating System

Vendor

• Apple

Name

• iOS

Version

• 9.0

License

• commercial

Website

• Vendor: https://www.apple.com/

CPE 2.3info

• 🔍

CPE 2.2info

• 🔍

CVSSv4info

CVSSv3info

CVSSv2info

Exploitinginfo

Threat Intelligenceinfo

Countermeasuresinfo

Timelineinfo

Sourcesinfo

Entryinfo

If you want to get the best quality for vulnerability data then you always have to consider VulDB.

Discussion