A sandbox escape vulnerability affects iPhones and iPads running iOS 16.2 beta 1 or earlier. The proof-of-concept (POC) exploits weaknesses in the itunesstored and bookassetd daemons, enabling attackers to modify sensitive files on the device’s Data partition, in areas normally protected from unauthorized access.
Researcher Kim shared the details in a blog post on October 20, 2025, emphasizing that the findings stem from her reverse-engineering efforts and urging readers to verify them independently.
The vulnerability hinges on a maliciously crafted “downloads.28.sqlitedb” database, which tricks the itunesstored daemon into downloading and placing a secondary database, “BLDatabaseManager.sqlite,” into a shared system group container.
While itunesstored operates under strict sandbox limits, the subsequent stage leverages bookassetd, a daemon that handles iBooks downloads and runs with broader permissions.
MobileGestalt Exploit
This allows writes to mobile-owned paths like /private/var/mobile/Library/FairPlay/, /private/var/mobile/Media/, and even system caches such as /private/var/containers/Shared/SystemGroup/systemgroup.com.apple.mobilegestaltcache/Library/Caches/com.apple.MobileGestalt.plist.
In a demo on an iPhone 12 running iOS 16.0.1, Kim modified the MobileGestalt cache to spoof the device as an iPod touch (model iPod9,1), proving the exploit’s reach.
The process requires preparing the target file in a modified EPUB format, zipped without compressing the mimetype file, and hosting supporting assets like iTunesMetadata.plist on a server.
Attackers must then use tools like 3uTools or afcclient to inject the databases into /var/mobile/Media/Downloads/, followed by targeted reboots to trigger the downloads.
The expected behavior is for writes to unauthorized paths to be blocked, but the flaw permits modifications to any destination that is not root-controlled.
Kim lists numerous writable locations, including caches and media directories, potentially enabling persistence, configuration tampering, or data exfiltration.
The exploit requires physical or tethered access to place the database, but once set up, it could facilitate more sophisticated attacks on jailbroken or compromised devices.
Apple has not yet commented, and Kim notes the issue may be patched imminently. She provides basic files on GitHub for educational use, stressing that the research is for learning only and not for illegal activities.
As iOS evolves with tighter sandboxing, this POC underscores ongoing challenges in daemon isolation. Security teams should monitor for related indicators, like anomalous database entries in download logs.
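As an added illustration, not taken from Kim's write-up or her GitHub files, the Python below sketches the kind of detection rule a defender could run over file-write telemetry: it flags the two store daemons writing to the mobile-owned paths named above, or dropping BLDatabaseManager.sqlite into a shared system group container. The tab-separated event format, the sample events, the placeholder container UUID, and the rule that Media/Downloads/ is the only legitimate drop point are all assumptions.

```python
import posixpath

# Constructed sample telemetry in a hypothetical "<process>\t<op>\t<path>" format
# (not a real iOS log format); the SystemGroup UUID is a placeholder.
SAMPLE_EVENTS = """\
itunesstored\twrite\t/var/mobile/Media/Downloads/downloads.28.sqlitedb
itunesstored\twrite\t/private/var/containers/Shared/SystemGroup/PLACEHOLDER-UUID/Library/BLDatabaseManager.sqlite
bookassetd\twrite\t/var/mobile/Library/FairPlay/example.plist
bookassetd\twrite\t/private/var/containers/Shared/SystemGroup/systemgroup.com.apple.mobilegestaltcache/Library/Caches/com.apple.MobileGestalt.plist
bookassetd\twrite\t/var/mobile/Media/DCIM/100APPLE/IMG_0001.JPG
"""
DAEMONS = {"itunesstored", "bookassetd"}
# Mobile-owned locations the write-up names as reachable through bookassetd.
SENSITIVE_PREFIXES = (
    "/private/var/mobile/Library/FairPlay/",
    "/private/var/containers/Shared/SystemGroup/systemgroup.com.apple.mobilegestaltcache/",
)
# Assumption: Media/Downloads/ is the only Media path these daemons legitimately write.
MEDIA_PREFIX = "/private/var/mobile/Media/"
MEDIA_ALLOWED = MEDIA_PREFIX + "Downloads/"
SECONDARY_DB = "BLDatabaseManager.sqlite"

def normalize(path):
    """Collapse the /var and /private/var spellings so prefix checks match."""
    path = posixpath.normpath(path)
    return "/private" + path if path.startswith("/var/") else path

def classify(process, op, path):
    """Return a reason string when the event matches the exploit pattern, else None."""
    if process not in DAEMONS or op != "write":
        return None
    p = normalize(path)
    if posixpath.basename(p) == SECONDARY_DB and "/SystemGroup/" in p:
        return "secondary database planted in a shared system group container"
    for prefix in SENSITIVE_PREFIXES:
        if p.startswith(prefix):
            return "write to protected path " + prefix
    if p.startswith(MEDIA_PREFIX) and not p.startswith(MEDIA_ALLOWED):
        return "media write outside Downloads/"
    return None

def scan(events_text):
    # Run classify over each tab-separated event; return (process, path, reason) hits.
    findings = []
    for line in events_text.splitlines():
        if line.strip():
            process, op, path = line.split("\t", 2)
            reason = classify(process, op, path)
            if reason:
                findings.append((process, normalize(path), reason))
    return findings
```

Running `scan(SAMPLE_EVENTS)` flags four of the five constructed events; the legitimate write into Media/Downloads/ passes.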
