
cool tool, thanks! Was wondering if I was using the 5x well :) 2026-01-03

│ Total │ │ 2,102,742 │ 622,848 │ 78,507,465 │ 1,670,798,000 │ 1,752,031,055 │ $1283.69 │


we only see 20% of what happens in the shadow, but yeah, I guess it's better than 100%

I fumbled around a bit and got it working, but I'm not entirely sure if this is how it really works: have a look at https://github.com/ejpir/CVE-2025-55182-poc


very interesting to read.

However, if I am reading this correctly, your PoC falls in the category described here: https://react2shell.com/

> Anything that requires the developer to have explicitly exposed dangerous functionality to the client is not a valid PoC. Common examples we've seen in supposed "PoCs" are vm#runInThisContext, child_process#exec, and fs#writeFile.

> This would only be exploitable if you had consciously chosen to let clients invoke these, which would be dangerous no matter what. The genuine vulnerability does not have this constraint. In Next.js, the list of server functions is managed for you, and does not contain these.

Context: This is from Lachlan Davidson, the reporter of the vulnerability


I ran your exploit-rce-v4.js with and without the patched react-server-dom-webpack, and both of them executed the RCE.

So I don't think this mechanism is exactly correct, can you demo it with an actual nextjs project, instead of your mock server?


I've updated the code, try it now with server-realistic.js:

1. npm start
2. npm run exploit


I'm trying that, nextjs is a little different because it uses a Proxy object before it passes through, which blocks the rce.

I'm debugging it currently, maybe I'm not on the right path after all.


FYI as of just now, the author has (correctly) added a disclaimer that this PoC doesn't quite work.


Your lump of AI-generated slop has detracted from the response to an important vulnerability. Congratulations. Your PoC is invalid and you should delete it.


HMU, proud owner of slopcop.ai and have been itching to put it to good use.


Thanks for the writeup, it's incredible!


The PoC is AI generated crap - sorry for the initial comment lauding it. I should have checked better. See: https://github.com/ejpir/CVE-2025-55182-poc/issues/1 and https://react2shell.com/


The guy who discovered the actual vulnerability says otherwise.

Delete this distraction to genuine blue teamers and stop shitting up the information landscape with this utter hogwash.

This is why infosec is dead.

https://react2shell.com/

https://github.com/ejpir/CVE-2025-55182-poc/issues/1#issueco...


thought the same, how on earth did they think this looks like a smooth presentation. Almost like he doesn't believe what he's saying


It is so fake and scripted it makes generated videos look extremely realistic and natural.


At least they didn't use 3d-generated hands holding fake phones this time. The uncanny valley in prior presentations was jarring when they'd go to a 3d "human hand"


got a link to it?:)



but they haven't, the article says the "private" community still has exploits and apple patches them. The public, like the dev, for some reason, don't anymore.


They're exclusive to private communities because they're very expensive, and getting more expensive over time; in other words, Apple's strategy has driven the cost of exploiting iOS up.

Anything public is dead, which is what you want to see.


I’m not sure I agree with the premise here, although I agree with the conclusion w.r.t Apple specifically.

I’m 100% positive from experience doing VR in several non-iOS spaces that increased exploit value leads to fewer published public exploits, but! This is not a sign that there are fewer available exploits or that the platform is more difficult to exploit, just a sign that multiple (and sometimes large numbers) of competing factions are hoarding exploits privately that might otherwise be released and subsequently fixed.

As a complementary axiom, I believe that exploit value follows target value more closely than it does exploit difficulty, because the supply of competent vulnerability researchers is more constrained than the number of available targets. That is to say, someone will buy a simple exploit that pops a high value target (hello, shitty Android phones) for much more money than a complex exploit that pops a low value target. There are plenty of devices with high exploit value and low exploit publication rate that also have garbage security.

With that said, Apple specifically are a special (and perhaps the only) case where they are “winning” and people are genuinely giving up on research because the results aren’t worth the value. I just don’t think this follows across the industry.


iOS requires so many exploits in the chain since they effectively sign system calls, and capabilities by each app at two steps. So you may be able to interact with another process, but only whitelisted processes. The kernel is also immutable so persistence is impossible. They do a level of boundary checks that only Apple can do, and also have special telemetry flags on critical processes that either mean they're looking to end-of-life a pathway.

No other OS can restrict on this level and it makes it so not only do you need an exploit for, say, the JavaScript engine, you also need an exploit for like 10 other pathways. The reason for this is since the kernel is immutable and checked out the wazoo, you get "jailbreaks" by modifying different services and system processes and getting a capability from those apps. Which is where the exploit is required for them or an approved peer. But Apple also has telemetry for what each app is doing with each other.


I don't think I reach the deeper questions here, and pretty much just get back to "if it was cheap, Apple would have killed it already"; in that set of circumstances there can't be viable public exploits (or broad workable bug classes to fish from) to work with.

Sucks if you're part of a public jailbreaking community, but, of course, good if you're a user.


I agree with this. I also agree that there's no preferable situation. Apple have done a great job building mitigations and it shows in how difficult, expensive, and rare it is to fully exploit their platforms. I certainly wasn't intending to form a counter-argument that public exploits existing would be a positive signal, or that there's a preferable alternative situation.

My only point was that "anything public is dead is what you want to see" is not a particularly useful rubric in general. I get nervous when I see statements that suggest an absence of public exploit material or high "bid" price for grey market exploits as evidence that a platform is less vulnerable. My experience suggests this isn't really how the market works in general. There are way too many additional factors that affect both pricing and publication to use "public exploit availability" or "grey-market bid price" as a signal about a platform's security posture overall.

Anyway, reading back, I realize that you specifically weren't trying to draw that conclusion, but sibling comments are now - and it seems to be a really easy trap to fall into. See: every "security journalism" outlet every time a broker posts an Android bid that's higher than their standing iOS bid, or vendors and OEMs claiming their devices are secure because no public exploits exist.


But it's still more obfuscation. You're effectively reducing the pool of researchers to those most likely to turn to the dark market. There's an entire zero-day industry privately developing exploits, and the public sees none of it. Sure, low-resource attackers can probably forget about exploiting iOS, but stuff like Pegasus still happens regularly.


Literally the alternative is more viable vulnerabilities. It's hard to understand a coherent argument that favors that over what we have now. We're in this situation because Apple has gotten good at killing whole bug classes. That's exactly what users want.


Is this actually true? Jailbreaks are more or less the same exploits used by things like Pegasus; the exploits are probably worth more to the individuals that discover them than the ability to give their friends access to side-loaded apps.


That's the rub of relative integrity. It's variably easier for some to rationalize taking the cash, even if that giant pile of coin is likely to lead to the imprisonment, deaths, and/or torturing of others for better or for worse.


My question wasn’t about ethics and I’d rather keep it that way.


Jailbreaks need an itch to scratch. There isn't one for Ubuntu Desktop.


anyone notice the /vibe option in claude code, pointing to www.thewayofcode.com?

