
Description: The application leaks internal file paths.

Severity Description: Understanding internal system structure may lead to further attacks on the system including directory traversing and forceful browsing. Furthermore, the file structure reveals the type of server implemented.

Exploitability: An information leak is the intentional or unintentional disclosure of information that either (1) is regarded as sensitive within the product's own functionality, such as a private message, or (2) provides information about the product or its environment that could be useful in an attack but is normally not available to the attacker, such as the installation path of a product that is remotely accessible. Many information leaks are resultant (e.g. path disclosure in PHP script error), but they can also be primary (e.g. timing discrepancies in crypto). There are many different types of problems that involve information leaks. Their severity can range widely depending on the type of information that is leaked.

Location: Mach-O 64-bit arm64 binary

Attack Vectors: Strings saved in file

Exhibits: The following screenshot demonstrates the presence of the Full Path Disclosure vulnerability.


Reproduction Steps:

  1. Download the mobile application on your iOS device.
  2. Connect to your device using SSH.
  3. Navigate to the path where the application is installed.
  4. The path for installed applications on iOS devices is: "/var/containers/Bundle/Application/{uuid}"
  5. Locate the "ApplicationName" binary within the "App.app" directory.
  6. Use the "strings" application to extract strings from the binary.
  7. The syntax is as follows: "strings ApplicationName | grep -i '/Users/'"
  8. The binary exposes multiple paths of the development environment.

How to fix the issue.

Prajnaranjan Das
  • I would ignore it personally. Is this an archive build? – Paulw11 Sep 14 '21 at 23:29
  • @Paulw11. Thanks for your reply. This is a .bca file created from .xcarchive for veracode testing purpose only – Prajnaranjan Das Sep 15 '21 at 08:03
  • So you created it from a release archive build? There is nothing at all sensitive shown in the file. – Paulw11 Sep 15 '21 at 09:00
  • You can check for use of `assert()` - https://stackoverflow.com/questions/18219016/ios-app-contains-developer-path-information and https://stackoverflow.com/questions/8167893/how-to-avoid-symbols-and-source-paths-in-ios-binary – Paulw11 Sep 15 '21 at 09:04
  • @Paulw11 Thanks for these links… It's helped me a lot regarding the cause of error but I have few doubts. Q1: If asserts is causing this, SHOULD asserts be disabled for production applications? Q2: Will removing or commenting out assert and NSAssert remove these errors? Q3: Few people answered that if the code contains __FILE__ macro it may be the reason for this issue? Can you please help me to clear these doubts? – Prajnaranjan Das Sep 15 '21 at 14:05
  • Well, assert is a pretty brutal error handler. If an assertion fails your app will crash. It is almost always better to try and recover from an error rather than crash. I still disagree with the general concept that this is a huge vulnerability in a mobile app. As the explanation states, file paths might leak information about the execution environment on a web server but all it tells me in this case is information about the build environment. Specifically the username on some Mac of the person that built the app. Big deal. – Paulw11 Sep 15 '21 at 20:40
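
The `strings ... | grep -i '/Users/'` check from the reproduction steps, written as a scan that can be run against the archived binary before it is submitted for testing. This is an added example, not code from the original post or from any scanner; the function names are hypothetical, and the sample bytes, the `builduser` account and the `DemoApp` paths are constructed.

```python
import re
import sys

# Printable-ASCII runs of 4+ bytes, the same default that strings(1) uses.
PRINTABLE_RUN = re.compile(rb"[\x20-\x7e]{4,}")
# A macOS home-directory path, matched case-insensitively like grep -i '/Users/'.
DEV_PATH = re.compile(rb"/Users/([^/\s]+)(/[^\s\"']*)?", re.IGNORECASE)


def find_dev_paths(blob: bytes) -> list[tuple[int, str]]:
    """Return (file offset, path) for every /Users/... path embedded in blob."""
    hits = []
    for run in PRINTABLE_RUN.finditer(blob):
        for m in DEV_PATH.finditer(run.group()):
            hits.append((run.start() + m.start(), m.group().decode("ascii")))
    return hits


def leaked_usernames(blob: bytes) -> set[str]:
    """Distinct build-machine account names exposed by the embedded paths."""
    return {path.split("/")[2] for _, path in find_dev_paths(blob)}


def scan_file(path: str) -> list[tuple[int, str]]:
    """Scan a binary on disk, e.g. the app executable inside the archive."""
    with open(path, "rb") as fh:
        return find_dev_paths(fh.read())


# Constructed sample (not from a real app): Mach-O 64-bit magic and arm64
# cputype, followed by C strings of the kind an assertion leaves behind.
SAMPLE = (
    b"\xcf\xfa\xed\xfe\x0c\x00\x00\x01"
    b"\x00\x00__TEXT\x00__cstring\x00"
    b"/Users/builduser/Projects/DemoApp/Sources/LoginViewController.m\x00"
    b"Invalid parameter not satisfying: %@\x00"
    b"/Users/builduser/Projects/DemoApp/Pods/Networking/Client.m\x00"
    b"/System/Library/Frameworks/UIKit.framework/UIKit\x00"
)

if __name__ == "__main__":
    hits = scan_file(sys.argv[1]) if len(sys.argv) > 1 else find_dev_paths(SAMPLE)
    for offset, path in hits:
        print(f"0x{offset:08x}  {path}")
    sys.exit(1 if hits else 0)  # non-zero exit when any path is found
```

The file offsets let each hit be traced back to the section it sits in, and the source file names in the paths show which translation units still embed them.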

0 Answers