VYPR
Unrated severity · NVD Advisory · Published Mar 12, 2015 · Updated May 6, 2026

CVE-2015-1062

Description

MobileStorageMounter in Apple iOS before 8.2 and Apple TV before 7.1 does not delete invalid disk-image folders, which allows attackers to create folders in arbitrary filesystem locations via a crafted app.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Apple iOS before 8.2 and Apple TV before 7.1 MobileStorageMounter fails to delete invalid disk-image folders, allowing arbitrary folder creation via crafted apps.

Vulnerability

MobileStorageMounter in Apple iOS prior to 8.2 and Apple TV prior to 7.1 does not properly clean up invalid disk-image folders. When a crafted app attempts to mount an invalid disk image, the corresponding folder remains on the filesystem. This allows the app to create folders at arbitrary filesystem locations by specifying crafted disk-image names. Affected versions: iOS versions before 8.2 and Apple TV versions before 7.1 [1][2].

Exploitation

An attacker must have the ability to install and run a crafted app on the device. No additional network position or authentication beyond standard app installation is required. The app exploits the folder persistence by mounting a specially crafted invalid disk image, causing MobileStorageMounter to leave the corresponding folder in place. The attacker can then control the folder name to target arbitrary paths on the filesystem.

Impact

Successful exploitation allows an attacker to create folders at arbitrary locations on the device's filesystem. This could enable further attacks, such as placing a malicious file in a startup location or confusing security mechanisms. The extent of compromise is limited to folder creation; however, combined with other vulnerabilities, it could lead to privilege escalation or data corruption.

Mitigation

Apple addressed the issue in iOS 8.2 and Apple TV 7.1, released on March 9, 2015 [1][2]. Users should update their devices to these versions or later. No workarounds are available for unpatched systems, and there is no indication of inclusion in CISA's Known Exploited Vulnerabilities (KEV) catalog.

AI Insight generated on May 23, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

4

References

5
