Hacker News new | past | comments | ask | show | jobs | submit login
Psychic Paper: iOS Sandbox Escape (siguza.github.io)
236 points by mp3il on May 1, 2020 | hide | past | favorite | 56 comments

This reminds me a lot of one of the original ways to run unsigned code on the Sony PSP.

If you made two directories:

And then launch the folder with the % sign then the code that checks for valid signatures will check in the directory without the %, but the code that actually launches the binary will still run the code in the directory with the %.

So all you need to do is get any binary with a valid sig and put it in the SomeApp folder while putting the code you actually want to run in SomeApp%.

Why did this happen? Was "%" significant in some way? i.e. maybe it was passing the path to sprintf?

Yep, that’s exactly it. And of course a lesson on why you need to understand the progeny of any string you pass as a format argument.

Any other PSP homebrew facts or resources you could share? The psp scene was my introduction to running modding.

A while back I filed a bug on libplist with some examples of the hilarious this-is-not-XML issues in Apple's userland plist parser, which people might find fun here as it is highly related to this issue.


Jay, I just wanted to say thanks to all the groundbreaking work you’ve done in the jailbreaking scene. Ages ago I had an iPad Touch and I had so much fun jailbreaking it and playing around with Cydia tweaks.

> I just hate GUIs for development, especially when you Google how to do something, and the answer is a series of 17 “click here and there”s that are no longer valid because all the GUI stuff moved somewhere else in the last update.

It's not just developer tools that suffer from this problem. I opened iMovie recently after not playing with it for almost 10 years, and was so flabbergasted at how everything worked. Took me almost 2 weeks to sync my own song to a series of cut video clips (cut out of larger videos, which was the main problem). Maybe I'm just an idiot, but googling around for solutions ended up with either out-of-date answers or completely unrelated problems.

I just wish that the app would use even one or two conventions from the 40-50 years of GUI research that has been done...

I'm convinced that the reason for the constant game of GUI musical chairs - of which Microsoft is the most guilty - is due to developers attempting to justify their employment.

My experience has been the opposite - developers being resistant to frontend changes, which tend to get pushed through by UI/UX people (which is their job), or in more broken organizations, opinionated managers or executives.

Software production busy work! New code, new UI, new already-out-of-date documentation.

Drives user engagement too: people spend longer in your app (working out how the fuck to use it, again!).

You're right that developers do this, but in this case I would say its because the designers have to justify their existence. as a class of developer.

An interface which lasts generations because its good is not the same, necessarily, as this years hot new ideology among the design elite.

The IT industry benefits from fashionable UIs (dark or bright, angular or rounded, 2D or 3D, etc.) and architectures (server centric, client centric, etc.) quite similarly to the fashion industry benefiting from rising and falling hemlines and wide vs skinny ties.

If you live long enough, you see cycles repeat.

Cycles are quite common in IT fashion industry, Microsoft isn't the only one playing the game, others are much worse.

Try to compare the Android best practices across all IOs since Android exists.

It’s hilarious that it was easier for me to adjust to FCPX than to try to move my amateur video editing brain to new iMovie, so much so that I just renew my trial once a year instead of try to use iMovie. They ported the iOS version and it shows (especially considering how many features are missing from iMovie 09).

Actually iMovie on macOS is based con FCPX.

Even many programming examples are long out of date. Google for how to do something and the top answers are 10-15 years old using jquery or C++11 etc...

Maybe we should take this as a lesson that we should use the simplest marshalling format that adequately captures our use cases rather than using a swiss-army knife format like XML.

I agree in general. But XML as used in plists is actually not especially complicated, if you aren't trying to be a webbrowser and tolerate invalid input.

Your security-sensitive parser should not attempt to tolerate invalid input.

Probably you should not have multiple separate implementations of it, either.

I’m not sure that there were much better choices available at the time. IIRC property lists date back to NextStep.

By the time stuff like JSON started popping up, plists were pervasive all throughout OS X. Typical legacy problem!

Property lists in NeXTSTEP didn't use XML but rather a different text-based format.


Plists support dates (json doesn’t explicitly), and has you explicitly type the contents, which can help make sure that when you want a string you don’t get an int.

I wouldn’t view it as a legacy problem. There’s no actual need to change to another format (JSON etc?) just for the sake of it.

Property lists have a JSON format, interestingly.

The format plists used before XML was very JSON-like. It had its own set of issues, however.

They could always drop XML for YAML and get more issues!

I dislike XML and would not chose it for my projects. But... in this case, it does seem like a good idea to require explicitly closed tags. Seems like it could remove 1000 error potentials for every 1 parser error.

Yeah, an XML parser that allows invalid XML (tags must be closed, per the spec[1]) is pretty clearly a terrible choice for a security-sensitive purpose. Likely it was just oversight / accidental reuse, and it's a somewhat common error, but it's very much an engineering mistake and not an XML flaw.

[1] It's very clearly stated as item 2, in a 2-item list for well-formed-ness of documents: https://www.w3.org/TR/xml/#sec-well-formed

Problem is legacy software tends to use XML. iOS can be considered legacy at this point. Plists are prevalent at every level of iOS.

As somebody who was already a high school student deeply ‘into’ computer technology at the time, I perfectly remember the hype and release of XML.

IOS was released last week by mental accounting standards.

To hear both be branded as ‘legacy’ is, frankly... well, it makes me feel ancient.

You shouldn't feel too ancient, as the label is grossly misused by GP in characterizing iOS and XML :-).

XML came out in 1998, iOS in 2007 (or a year later for the SDK). It’s closer to XML than to today.

So much has been rewritten you can’t really call it legacy at this point.

Fair enough. When I worked for Apple, I would often take a gander at the iOS source code. There was a lot of legacy stuff in there, as in, "do not modify this method, we don't know what it does" in comments. There were certainly legacy components in there from many years back, and it didn't seem like tech debt was on the radar. At least when I was there.

Certainly there are various bits that are legacy and behave like that, but generally speaking, calling the entire thing legacy is a bit of a stretch. Also considering it started in 2007, I think the definition of legacy is quite short termed here. It also implies a negativity, that if you’re not jumping from technology to technology then you’re doing something wrong. I disagree with that viewpoint.

As someone currently taking a break from reverse engineering the internals of CoreGraphicsServices on macOS, I can't resist saying that iOS can't possibly be as legacy as this.

Once binary plists were introduced, it was only a matter of time before it became the macOS equivalent of windows registry.

The fact that Apple is maintaining multiple parsers, and apparently added yet another in response to this bug, just smells bad.

I thought the Windows Registry was reviled because it was a single database that held everything from user customization to device driver and boot configuration, in one file. It was contrasted with the Unix/Linux way, which was single-purpose text files, with the system-wide configuration in protected /etc files, and user-specific configuration in ~/. files

Plists are the best of both worlds. They're a file format rather than a system database, so user-specific config goes in ~/Library/, application-specific config goes in the *.app/ bundles, and system-wide config is in /System or /Library. But it's also a unified format, so each program doesn't need to implement its own parser, and users and developers don't have to wonder how application XYZ decided to escape backslashes, in its config file.

How are they "the macOS equivalent of windows registry"? Or is that just a generic techno-slur?

I meant it in the sense that it turned into binary blobs that became less accessible for humans to manage, and a place where both Apple and 3rd party vendors started hiding magic stuff stored who-knows-where in a format that isn’t easy to grep / find.

It is far from the Windows registry. Everything is file-oriented, making it easy to backup or wipe away any given plist. The plists themselves are well named and located files that tell you what it is, and things don’t appear in multiple places. No program that gets installed needs to modify any system plists; in fact, apps pretty much never access plist that they don’t own. This last fact makes it so different from windows that you don’t see “plist repair apps” in the same way you do for windows.

Binary plists are identifiable to ascii plists, they’re just more compact. plutil is a utility that can convert them back and forth. Internally the plist classes can be passed either to load and they won’t bat an eye.

> Everything is file-oriented, making it easy to backup or wipe away any given plist.

Does cfprefsd react well to that these days?

Most plists are NOT NSUserDefaults / CFPreferences

Right, but those would be the closest analog to the registry would it not?

Kind of but that doesn’t make it the same, especially when it doesn’t suffer from all the issues that plague the registry.

…in OS X 10.2? In 2002?[0]

Seems like a significant amount of time.

[0]: https://en.wikipedia.org/wiki/Property_list#History

Property lists have been around since forever. They're NeXT technology.

Reminds me a bit of the CVE about SAML authentication being screwed up by bad XML parsers. Seems like a lot of low hanging fruit there still.

[0] https://duo.com/blog/duo-finds-saml-vulnerabilities-affectin...

The author mentions that this bug saved him 1000s of hours in development. How is a sandbox escape useful in development? Can someone give me an example?

If you're looking for 0day kernel exploits that might be popped from say MobileSafari, having an unrestricted, unsandboxed non-root shell is a much better starting point compared to a regular sandboxed app launched from xcode. Or even just for inspecting the filesystem outside a regular app's restricted container.

I'm not in the security community and as an end user there seems to be two lesson there:

-Apple should provide better audit tool so that security consultants don't need to rely on unpublished 0day exploits to find other exploits

-As an exposed user I really don't thank grey hat People that refrain from publishing 0day exploit for two frigging years for personal gain...

Apple said that they’d make research devices available to select people, but as far as I can tell nobody seems to have gotten one. (Not to mention that such a policy, even if it actually handed out devices, is fairly exclusionary.)

The section of the WHATWG HTML spec about parsing XHTML begins with this note:

> An XML parser, for the purposes of this specification, is a construct that follows the rules given in XML to map a string of bytes or characters into a Document object.

> Note: At the time of writing, no such rules actually exist.

What do the authors of HTML mean by this? Isn't there a spec for XML? There is -- here's what it has to say about comments (https://www.w3.org/TR/xml/#sec-comments):

    Comment ::= '<!--' ((Char - '-') | ('-' (Char - '-')))* '-->'
The HTML spec, on the other hand, writes out the token state machine explicitly. There are ten states involved with parsing comments; here's one (https://html.spec.whatwg.org/multipage/parsing.html#comment-...): Comment state
    Consume the next input character:
     U+003C LESS-THAN SIGN (<)
      Append the current input character to
      the comment token's data. Switch to
      the comment less-than sign state.
     U+002D HYPHEN-MINUS (-)
      Switch to the comment end dash state.
     U+0000 NULL
      This is an unexpected-null-character
      parse error. Append a
      character to the comment token's data.
      This is an eof-in-comment parse error.
      Emit the comment token. Emit an end-
      of-file token.
     Anything else
      Append the current input character to
      the comment token's data.
The spec defines what to do for every character, even characters that should not appear in valid HTML. An HTML parser will behave exactly the same as another HTML parser in all circumstances.

You can see the success of this approach on the real web; inconsistent HTML parsing between browsers is no longer the issue it used to be 15 years ago. It may be more work to write, but I wish HTML's precise, step-by-step format was more common. Writing a spec as a list of rules makes it easier to implement (as a first pass, you can just go line-by-line and translate it to code) and reduces the chance of inconsistencies like the one in the article (and their associated security implications).

I am very skeptical. This state-machine approach seems much more like an implementation than a specification. Having a reference implementation could certainly be a good thing, but this doesn't even look like something one could run and test against.

The declarative form of Comment, above, is wonderfully concise and clear when compared to these several lines of imperative, update-this/goto-there style alternative. You can see in your head what it should match without mentally simulating these specific instructions against some imagined parser state.

There certainly can be a host of terrible issues with BNF-style grammars. When they're just used as a notation to write down a bunch of rules, with no regard to actually implementing these rules, the result can be a sprawling and terribly ambiguous mess. For instance, this[1] is an abject disaster, chock full of ambiguity and senseless distinctions.

But if one is prepared to take the effort to really write a machine-readable grammar like this[2], the result is a straightforward, high-level, concise spec that can be compiled into an implementation to boot. What's not to like?

[1] http://sven.xtreme-eda.com/ [2] https://docs.python.org/3/reference/grammar.html

That made me shudder go all the people I know who won’t update their phones

If they know what they’re doing, Apple will have either blocked these invalid apps from the App Store or started removing them.

XML is hard. Love that the fix is reminiscent of XKCD 927[1]


Idk why your comment is down voted or flagged, the comic is relevant.

Applications are open for YC Winter 2022

Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact