Extract Archive Arbitrary Write bug

Works on iOS 13, 14, and (at the time of writing) 15. Well, somewhat iOS 15. Found by me, Zachary Keffaber (zachary7829)

iOS 15 / macOS Monterey Mitigation

The bug is still technically there in iOS 15, but much more limited. Thanks to iOS 15 changes: Built-in shortcut actions may have different privileges than the shortcuts app itself now, so even though Shortcuts has write access to directories like /var/mobile/Library/WebClips, the actions do not and can only write to iCloudisworkflowmyworkflows (tmk). Creating a symlink to a directory shortcuts has access to from iCloudisworkflowmyworkflows does not work either. With this restriction in mind, there is still one bad thing you can do with this: write to iCloudisworkflowmyworkflows without needing the Save File permission. However you can only do inital write, not overwrite, and even then it's limited to only initial write folders.

The bug

Extract archive allows you to do dot notation in the name of the archive. You can create a zip, use set name to ../../../../../../../../../../private/var/mobile/Library/WebClips/testingzip.zip, use extract archive and create a folder named "testingzip" to the WebClips directory. This will be auto-deleted upon shortcut ending execution, however if the shortcut doesn't end execution normally (ex crash bug or user closes app before shortcut finishes) it will stay. The Make GIF from Video action has a similar bug, but unlike Extract Archive deletes the files upon finishing the GIF. While you can't use this to overwrite or write files themselves rather than folders that contain files, since .webclip is basically just a folder anyway it works. Example: https://www.icloud.com/shortcuts/6df21b1b953747cda16752f838377bd9

Special Thanks

Special thanks to the Shortcuts Hacking discord.

Extract Archive Arbitrary Write bug #archive #capture