Listen to this Post
The `fileID` field from `Manifest.db` (a SQLite database inside iOS backups) is used directly in filesystem path construction without validation. This affects two MVT commands through a shared code path. In `mvt-ios decrypt-backup` (via decrypt.py), `file_id` is used to construct both the source read path and the destination write path. An attacker can inject directory traversal sequences (e.g., ../) into the fileID. Because the value is not sanitised, the decrypted content is written to an arbitrary location on the analyst’s filesystem. In `mvt-ios check-backup` (via `_get_backup_file_from_id()` in ios/modules/base.py), the same unvalidated `fileID` resolves to files outside the backup directory. Those files are then opened and parsed, and the parsed contents flow into JSON results and CSV timeline outputs. The root cause is a lack of input validation when using `fileID` to build paths. The vulnerable code uses the raw `fileID` with `os.path.join` or direct concatenation, allowing the traversal sequences to escape the intended backup directory. No whitelist or sanitisation is applied before the path is passed to filesystem functions. An attacker can craft a malicious iOS backup where the `fileID` column in `Manifest.db` contains payloads like `../../../../home/user/.bashrc` or ../../../etc/passwd. When the analyst runs mvt-ios decrypt-backup, the decrypted content is written to the attacker‑controlled path. When running mvt-ios check-backup, the traversal causes the tool to read arbitrary host files and include their contents in the forensic report.
DailyCVE form (3 words max per line):
Platform: iOS Backup
Version: <=2026.4.28
Vulnerability : Path Traversal
Severity: Moderate
date: 2026.05.12
Prediction: Patch by 2026.05.12
Analytics under What Undercode Say:
Identify vulnerable MVT version pip show mvt | grep Version Extract fileID entries from Manifest.db sqlite3 Manifest.db "SELECT fileID FROM Files;" > file_ids.txt Simulate traversal payload echo "../../../../home/user/.bashrc" > malicious_fileID.txt
Exploit:
Attacker creates a custom iOS backup where a row in `Manifest.db` contains fileID = "../../../../home/analyst/.ssh/authorized_keys".
The backup is handed to the analyst (e.g., as a suspected compromise case).
Analyst runs `mvt-ios decrypt-backup` on the backup.
MVT writes the decrypted content (attacker‑controlled) to ~/.ssh/authorized_keys, granting the attacker SSH access.
Alternatively, `fileID = “../../../.bashrc”` injects malicious commands into the analyst’s shell profile, leading to code execution on the next shell start.
Protection from this CVE
Upgrade to MVT version 2026.5.12 or later.
If upgrade is not possible, manually sanitise `fileID` by rejecting any value containing ../, ..\\, or absolute path components.
Use a whitelist of allowed characters (e.g., only alphanumeric plus hyphen) for fileID.
Run MVT inside a dedicated, low‑privilege container or virtual machine to limit the impact of arbitrary file writes and reads.
Impact
File write (decrypt-backup): Attacker‑controlled content can be written to arbitrary paths writable by the analyst process. This can lead to code execution via shell profile modification or SSH key injection.
File read (check-backup): Sensitive files outside the backup directory (e.g., /etc/passwd, SSH keys, cloud credentials) can be read and incorporated into the analyst’s JSON/CSV reports, causing information disclosure.
Overall impact is Moderate because exploitation requires a specially crafted malicious bundle to be parsed by the analyst, and trust mitigations reduce the likelihood in typical workflows.
🎯Let’s Practice Exploiting & Learn Patching For Free:
Sources:
Reported By: github.com
Extra Source Hub:
Undercode

