
Psychic Paper: iOS Sandbox Escape - mp3il
https://siguza.github.io/psychicpaper/
======
Negitivefrags
This reminds me a lot of one of the original ways to run unsigned code on the
Sony PSP.

If you made two directories:

    
    
        SomeApp
        SomeApp%
    

And then launch the folder with the % sign then the code that checks for valid
signatures will check in the directory without the %, but the code that
actually launches the binary will still run the code in the directory with the
%.

So all you need to do is get any binary with a valid sig and put it in the
SomeApp folder while putting the code you actually want to run in SomeApp%.

~~~
ancarda
Why did this happen? Was "%" significant in some way? i.e. maybe it was
passing the path to sprintf?

~~~
Negitivefrags
Yep, that’s exactly it. And of course a lesson on why you need to understand
the progeny of any string you pass as a format argument.

------
saurik
A while back I filed a bug on libplist with some examples of the hilarious
this-is-not-XML issues in Apple's userland plist parser, which people might
find fun here as it is highly related to this issue.

[https://github.com/libimobiledevice/libplist/issues/83](https://github.com/libimobiledevice/libplist/issues/83)

~~~
httgp
Jay, I just wanted to say thanks to all the groundbreaking work you’ve done in
the jailbreaking scene. Ages ago I had an iPad Touch and I had so much fun
jailbreaking it and playing around with Cydia tweaks.

------
tomphoolery
> I just hate GUIs for development, especially when you Google how to do
> something, and the answer is a series of 17 “click here and there”s that are
> no longer valid because all the GUI stuff moved somewhere else in the last
> update.

It's not just developer tools that suffer from this problem. I opened iMovie
recently after not playing with it for almost 10 years, and was so
flabbergasted at how everything worked. Took me almost 2 weeks to sync my own
song to a series of cut video clips (cut out of larger videos, which was the
main problem). Maybe I'm just an idiot, but googling around for solutions
ended up with either out-of-date answers or completely unrelated problems.

I just wish that the app would use even one or two conventions from the 40-50
years of GUI research that has been done...

~~~
TwoBit
I'm convinced that the reason for the constant game of GUI musical chairs - of
which Microsoft is the most guilty - is due to developers attempting to
justify their employment.

~~~
Legogris
My experience has been the opposite - developers being resistant to frontend
changes, which tend to get pushed through by UI/UX people (which is their
job), or in more broken organizations, opinionated managers or executives.

------
jschwartzi
Maybe we should take this as a lesson that we should use the simplest
marshalling format that adequately captures our use cases rather than using a
swiss-army knife format like XML.

~~~
kitotik
I’m not sure that there were much better choices available at the time. IIRC
property lists date back to NextStep.

By the time stuff like JSON started popping up, plists were pervasive all
throughout OS X. Typical legacy problem!

~~~
valleyer
Property lists in NeXTSTEP didn't use XML but rather a different text-based
format.

[https://developer.apple.com/library/archive/documentation/Co...](https://developer.apple.com/library/archive/documentation/Cocoa/Conceptual/PropertyLists/OldStylePlists/OldStylePLists.html)

------
kitotik
Once binary plists were introduced, it was only a matter of time before it
became the macOS equivalent of windows registry.

The fact that Apple is maintaining multiple parsers, and apparently added yet
another in response to this bug, just smells bad.

~~~
ken
I thought the Windows Registry was reviled because it was a single database
that held everything from user customization to device driver and boot
configuration, in one file. It was contrasted with the Unix/Linux way, which
was single-purpose text files, with the system-wide configuration in protected
/etc files, and user-specific configuration in ~/. files

Plists are the best of both worlds. They're a file format rather than a system
database, so user-specific config goes in ~/Library/, application-specific
config goes in the *.app/ bundles, and system-wide config is in /System or
/Library. But it's also a unified format, so each program doesn't need to
implement its own parser, and users and developers don't have to wonder how
application XYZ decided to escape backslashes, in its config file.

How are they "the macOS equivalent of windows registry"? Or is that just a
generic techno-slur?

~~~
kitotik
I meant it in the sense that it turned into binary blobs that became less
accessible for humans to manage, and a place where both Apple and 3rd party
vendors started hiding magic stuff stored who-knows-where in a format that
isn’t easy to grep / find.

------
codezero
Reminds me a bit of the CVE about SAML authentication being screwed up by bad
XML parsers. Seems like a lot of low hanging fruit there still.

[0] [https://duo.com/blog/duo-finds-saml-vulnerabilities-
affectin...](https://duo.com/blog/duo-finds-saml-vulnerabilities-affecting-
multiple-implementations)

------
ray991
The author mentions that this bug saved him 1000s of hours in development. How
is a sandbox escape useful in development? Can someone give me an example?

~~~
0x0
If you're looking for 0day kernel exploits that might be popped from say
MobileSafari, having an unrestricted, unsandboxed non-root shell is a much
better starting point compared to a regular sandboxed app launched from xcode.
Or even just for inspecting the filesystem outside a regular app's restricted
container.

------
Twisell
I'm not in the security community and as an end user there seems to be two
lesson there:

-Apple should provide better audit tool so that security consultants don't need to rely on unpublished 0day exploits to find other exploits

-As an exposed user I really don't thank grey hat People that refrain from publishing 0day exploit for two frigging years for personal gain...

~~~
saagarjha
Apple said that they’d make research devices available to select people, but
as far as I can tell nobody seems to have gotten one. (Not to mention that
such a policy, even if it actually handed out devices, is fairly
exclusionary.)

------
panic
The section of the WHATWG HTML spec about parsing XHTML begins with this note:

 _> An XML parser, for the purposes of this specification, is a construct that
follows the rules given in XML to map a string of bytes or characters into a
Document object._

 _> Note: At the time of writing, no such rules actually exist._

What do the authors of HTML mean by this? Isn't there a spec for XML? There is
-- here's what it has to say about comments ([https://www.w3.org/TR/xml/#sec-
comments](https://www.w3.org/TR/xml/#sec-comments)):

    
    
        Comment ::= '<!--' ((Char - '-') | ('-' (Char - '-')))* '-->'
    

The HTML spec, on the other hand, writes out the token state machine
explicitly. There are ten states involved with parsing comments; here's one
([https://html.spec.whatwg.org/multipage/parsing.html#comment-...](https://html.spec.whatwg.org/multipage/parsing.html#comment-
state)):

    
    
        12.2.5.45 Comment state
        
        Consume the next input character:
         U+003C LESS-THAN SIGN (<)
          Append the current input character to
          the comment token's data. Switch to
          the comment less-than sign state.
         U+002D HYPHEN-MINUS (-)
          Switch to the comment end dash state.
         U+0000 NULL
          This is an unexpected-null-character
          parse error. Append a
          U+FFFD REPLACEMENT CHARACTER
          character to the comment token's data.
         EOF
          This is an eof-in-comment parse error.
          Emit the comment token. Emit an end-
          of-file token.
         Anything else
          Append the current input character to
          the comment token's data.
    

The spec defines what to do for every character, even characters that should
not appear in valid HTML. An HTML parser will behave exactly the same as
another HTML parser in all circumstances.

You can see the success of this approach on the real web; inconsistent HTML
parsing between browsers is no longer the issue it used to be 15 years ago. It
may be more work to write, but I wish HTML's precise, step-by-step format was
more common. Writing a spec as a list of rules makes it easier to implement
(as a first pass, you can just go line-by-line and translate it to code) and
reduces the chance of inconsistencies like the one in the article (and their
associated security implications).

~~~
ghettoimp
I am very skeptical. This state-machine approach seems much more like an
implementation than a specification. Having a reference implementation could
certainly be a good thing, but this doesn't even look like something one could
run and test against.

The declarative form of Comment, above, is wonderfully concise and clear when
compared to these several lines of imperative, update-this/goto-there style
alternative. You can see in your head what it should match without mentally
simulating these specific instructions against some imagined parser state.

There certainly can be a host of terrible issues with BNF-style grammars. When
they're just used as a notation to write down a bunch of rules, with no regard
to actually implementing these rules, the result can be a sprawling and
terribly ambiguous mess. For instance, this[1] is an abject disaster, chock
full of ambiguity and senseless distinctions.

But if one is prepared to take the effort to really write a machine-readable
grammar like this[2], the result is a straightforward, high-level, concise
spec that can be compiled into an implementation to boot. What's not to like?

[1] [http://sven.xtreme-eda.com/](http://sven.xtreme-eda.com/) [2]
[https://docs.python.org/3/reference/grammar.html](https://docs.python.org/3/reference/grammar.html)

------
codeisawesome
That made me shudder go all the people I know who won’t update their phones

~~~
saagarjha
If they know what they’re doing, Apple will have either blocked these invalid
apps from the App Store or started removing them.

------
Kikawala
XML is hard. Love that the fix is reminiscent of XKCD 927[1]

[1][https://xkcd.com/927/](https://xkcd.com/927/)

~~~
partyboat1586
Idk why your comment is down voted or flagged, the comic is relevant.

