Psychic Paper: iOS Sandbox Escape (opens in new tab)

(siguza.github.io)

236 pointsmp3il5y ago56 comments

56 comments

This reminds me a lot of one of the original ways to run unsigned code on the Sony PSP.

If you made two directories:

    SomeApp
    SomeApp%

And then launch the folder with the % sign then the code that checks for valid signatures will check in the directory without the %, but the code that actually launches the binary will still run the code in the directory with the %.

So all you need to do is get any binary with a valid sig and put it in the SomeApp folder while putting the code you actually want to run in SomeApp%.

ancarda5y ago

Why did this happen? Was "%" significant in some way? i.e. maybe it was passing the path to sprintf?

Negitivefrags5y ago

Yep, that’s exactly it. And of course a lesson on why you need to understand the progeny of any string you pass as a format argument.

DividableMiddle5y ago

Any other PSP homebrew facts or resources you could share? The psp scene was my introduction to running modding.

saurik5y ago

A while back I filed a bug on libplist with some examples of the hilarious this-is-not-XML issues in Apple's userland plist parser, which people might find fun here as it is highly related to this issue.

https://github.com/libimobiledevice/libplist/issues/83

httgp5y ago

Jay, I just wanted to say thanks to all the groundbreaking work you’ve done in the jailbreaking scene. Ages ago I had an iPad Touch and I had so much fun jailbreaking it and playing around with Cydia tweaks.

tomphoolery5y ago

> I just hate GUIs for development, especially when you Google how to do something, and the answer is a series of 17 “click here and there”s that are no longer valid because all the GUI stuff moved somewhere else in the last update.

It's not just developer tools that suffer from this problem. I opened iMovie recently after not playing with it for almost 10 years, and was so flabbergasted at how everything worked. Took me almost 2 weeks to sync my own song to a series of cut video clips (cut out of larger videos, which was the main problem). Maybe I'm just an idiot, but googling around for solutions ended up with either out-of-date answers or completely unrelated problems.

I just wish that the app would use even one or two conventions from the 40-50 years of GUI research that has been done...

TwoBit5y ago

I'm convinced that the reason for the constant game of GUI musical chairs - of which Microsoft is the most guilty - is due to developers attempting to justify their employment.

Legogris5y ago

My experience has been the opposite - developers being resistant to frontend changes, which tend to get pushed through by UI/UX people (which is their job), or in more broken organizations, opinionated managers or executives.

TheSpiceIsLife5y ago

Software production busy work! New code, new UI, new already-out-of-date documentation.

Drives user engagement too: people spend longer in your app (working out how the fuck to use it, again!).

fit2rule5y ago

You're right that developers do this, but in this case I would say its because the designers have to justify their existence. as a class of developer.

An interface which lasts generations because its good is not the same, necessarily, as this years hot new ideology among the design elite.

noizejoy5y ago

The IT industry benefits from fashionable UIs (dark or bright, angular or rounded, 2D or 3D, etc.) and architectures (server centric, client centric, etc.) quite similarly to the fashion industry benefiting from rising and falling hemlines and wide vs skinny ties.

If you live long enough, you see cycles repeat.

pjmlp5y ago

Cycles are quite common in IT fashion industry, Microsoft isn't the only one playing the game, others are much worse.

Try to compare the Android best practices across all IOs since Android exists.

jedieaston5y ago

It’s hilarious that it was easier for me to adjust to FCPX than to try to move my amateur video editing brain to new iMovie, so much so that I just renew my trial once a year instead of try to use iMovie. They ported the iOS version and it shows (especially considering how many features are missing from iMovie 09).

galad875y ago

Actually iMovie on macOS is based con FCPX.

asiachick5y ago

Even many programming examples are long out of date. Google for how to do something and the top answers are 10-15 years old using jquery or C++11 etc...

jschwartzi5y ago

Maybe we should take this as a lesson that we should use the simplest marshalling format that adequately captures our use cases rather than using a swiss-army knife format like XML.

loeg5y ago

I agree in general. But XML as used in plists is actually not especially complicated, if you aren't trying to be a webbrowser and tolerate invalid input.

Your security-sensitive parser should not attempt to tolerate invalid input.

Probably you should not have multiple separate implementations of it, either.

kitotik5y ago

I’m not sure that there were much better choices available at the time. IIRC property lists date back to NextStep.

By the time stuff like JSON started popping up, plists were pervasive all throughout OS X. Typical legacy problem!

valleyer5y ago

Property lists in NeXTSTEP didn't use XML but rather a different text-based format.

https://developer.apple.com/library/archive/documentation/Co...

azinman25y ago

Plists support dates (json doesn’t explicitly), and has you explicitly type the contents, which can help make sure that when you want a string you don’t get an int.

trollied5y ago

I wouldn’t view it as a legacy problem. There’s no actual need to change to another format (JSON etc?) just for the sake of it.

saagarjha5y ago

Property lists have a JSON format, interestingly.

wooster5y ago

The format plists used before XML was very JSON-like. It had its own set of issues, however.

SlowRobotAhead5y ago

They could always drop XML for YAML and get more issues!

I dislike XML and would not chose it for my projects. But... in this case, it does seem like a good idea to require explicitly closed tags. Seems like it could remove 1000 error potentials for every 1 parser error.

Groxx5y ago

Yeah, an XML parser that allows invalid XML (tags must be closed, per the spec[1]) is pretty clearly a terrible choice for a security-sensitive purpose. Likely it was just oversight / accidental reuse, and it's a somewhat common error, but it's very much an engineering mistake and not an XML flaw.

[1] It's very clearly stated as item 2, in a 2-item list for well-formed-ness of documents: https://www.w3.org/TR/xml/#sec-well-formed

gwern5y ago

http://langsec.org/ !

0x8BADF00D5y ago

Problem is legacy software tends to use XML. iOS can be considered legacy at this point. Plists are prevalent at every level of iOS.

qubex5y ago

As somebody who was already a high school student deeply ‘into’ computer technology at the time, I perfectly remember the hype and release of XML.

IOS was released last week by mental accounting standards.

To hear both be branded as ‘legacy’ is, frankly... well, it makes me feel ancient.

2 more replies

azinman25y ago

So much has been rewritten you can’t really call it legacy at this point.

1 more reply

kitotik5y ago

Once binary plists were introduced, it was only a matter of time before it became the macOS equivalent of windows registry.

The fact that Apple is maintaining multiple parsers, and apparently added yet another in response to this bug, just smells bad.

ken5y ago

I thought the Windows Registry was reviled because it was a single database that held everything from user customization to device driver and boot configuration, in one file. It was contrasted with the Unix/Linux way, which was single-purpose text files, with the system-wide configuration in protected /etc files, and user-specific configuration in ~/. files

Plists are the best of both worlds. They're a file format rather than a system database, so user-specific config goes in ~/Library/, application-specific config goes in the *.app/ bundles, and system-wide config is in /System or /Library. But it's also a unified format, so each program doesn't need to implement its own parser, and users and developers don't have to wonder how application XYZ decided to escape backslashes, in its config file.

How are they "the macOS equivalent of windows registry"? Or is that just a generic techno-slur?

kitotik5y ago

I meant it in the sense that it turned into binary blobs that became less accessible for humans to manage, and a place where both Apple and 3rd party vendors started hiding magic stuff stored who-knows-where in a format that isn’t easy to grep / find.

azinman25y ago

It is far from the Windows registry. Everything is file-oriented, making it easy to backup or wipe away any given plist. The plists themselves are well named and located files that tell you what it is, and things don’t appear in multiple places. No program that gets installed needs to modify any system plists; in fact, apps pretty much never access plist that they don’t own. This last fact makes it so different from windows that you don’t see “plist repair apps” in the same way you do for windows.

Binary plists are identifiable to ascii plists, they’re just more compact. plutil is a utility that can convert them back and forth. Internally the plist classes can be passed either to load and they won’t bat an eye.

saagarjha5y ago

> Everything is file-oriented, making it easy to backup or wipe away any given plist.

Does cfprefsd react well to that these days?

1 more reply

geoffpado5y ago

…in OS X 10.2? In 2002?[0]

Seems like a significant amount of time.

[0]: https://en.wikipedia.org/wiki/Property_list#History

saagarjha5y ago

Property lists have been around since forever. They're NeXT technology.

codezero5y ago

Reminds me a bit of the CVE about SAML authentication being screwed up by bad XML parsers. Seems like a lot of low hanging fruit there still.

[0] https://duo.com/blog/duo-finds-saml-vulnerabilities-affectin...

ray9915y ago

The author mentions that this bug saved him 1000s of hours in development. How is a sandbox escape useful in development? Can someone give me an example?

0x05y ago

If you're looking for 0day kernel exploits that might be popped from say MobileSafari, having an unrestricted, unsandboxed non-root shell is a much better starting point compared to a regular sandboxed app launched from xcode. Or even just for inspecting the filesystem outside a regular app's restricted container.

Twisell5y ago

I'm not in the security community and as an end user there seems to be two lesson there:

-Apple should provide better audit tool so that security consultants don't need to rely on unpublished 0day exploits to find other exploits

-As an exposed user I really don't thank grey hat People that refrain from publishing 0day exploit for two frigging years for personal gain...

saagarjha5y ago

Apple said that they’d make research devices available to select people, but as far as I can tell nobody seems to have gotten one. (Not to mention that such a policy, even if it actually handed out devices, is fairly exclusionary.)

panic5y ago

The section of the WHATWG HTML spec about parsing XHTML begins with this note:

> An XML parser, for the purposes of this specification, is a construct that follows the rules given in XML to map a string of bytes or characters into a Document object.

> Note: At the time of writing, no such rules actually exist.

What do the authors of HTML mean by this? Isn't there a spec for XML? There is -- here's what it has to say about comments (https://www.w3.org/TR/xml/#sec-comments):

    Comment ::= '<!--' ((Char - '-') | ('-' (Char - '-')))* '-->'

The HTML spec, on the other hand, writes out the token state machine explicitly. There are ten states involved with parsing comments; here's one (https://html.spec.whatwg.org/multipage/parsing.html#comment-...):

    12.2.5.45 Comment state
    
    Consume the next input character:
     U+003C LESS-THAN SIGN (<)
      Append the current input character to
      the comment token's data. Switch to
      the comment less-than sign state.
     U+002D HYPHEN-MINUS (-)
      Switch to the comment end dash state.
     U+0000 NULL
      This is an unexpected-null-character
      parse error. Append a
      U+FFFD REPLACEMENT CHARACTER
      character to the comment token's data.
     EOF
      This is an eof-in-comment parse error.
      Emit the comment token. Emit an end-
      of-file token.
     Anything else
      Append the current input character to
      the comment token's data.

The spec defines what to do for every character, even characters that should not appear in valid HTML. An HTML parser will behave exactly the same as another HTML parser in all circumstances.

You can see the success of this approach on the real web; inconsistent HTML parsing between browsers is no longer the issue it used to be 15 years ago. It may be more work to write, but I wish HTML's precise, step-by-step format was more common. Writing a spec as a list of rules makes it easier to implement (as a first pass, you can just go line-by-line and translate it to code) and reduces the chance of inconsistencies like the one in the article (and their associated security implications).

ghettoimp5y ago

I am very skeptical. This state-machine approach seems much more like an implementation than a specification. Having a reference implementation could certainly be a good thing, but this doesn't even look like something one could run and test against.

The declarative form of Comment, above, is wonderfully concise and clear when compared to these several lines of imperative, update-this/goto-there style alternative. You can see in your head what it should match without mentally simulating these specific instructions against some imagined parser state.

There certainly can be a host of terrible issues with BNF-style grammars. When they're just used as a notation to write down a bunch of rules, with no regard to actually implementing these rules, the result can be a sprawling and terribly ambiguous mess. For instance, this[1] is an abject disaster, chock full of ambiguity and senseless distinctions.

But if one is prepared to take the effort to really write a machine-readable grammar like this[2], the result is a straightforward, high-level, concise spec that can be compiled into an implementation to boot. What's not to like?

[1] http://sven.xtreme-eda.com/ [2] https://docs.python.org/3/reference/grammar.html

codeisawesome5y ago

That made me shudder go all the people I know who won’t update their phones

saagarjha5y ago

If they know what they’re doing, Apple will have either blocked these invalid apps from the App Store or started removing them.

Kikawala5y ago

XML is hard. Love that the fix is reminiscent of XKCD 927[1]

[1]https://xkcd.com/927/

partyboat15865y ago

Idk why your comment is down voted or flagged, the comic is relevant.

j / k navigate · click thread line to collapse

56 comments

Negitivefrags5y ago

This reminds me a lot of one of the original ways to run unsigned code on the Sony PSP.

If you made two directories:

    SomeApp
    SomeApp%

So all you need to do is get any binary with a valid sig and put it in the SomeApp folder while putting the code you actually want to run in SomeApp%.

ancarda5y ago

Why did this happen? Was "%" significant in some way? i.e. maybe it was passing the path to sprintf?

Negitivefrags5y ago

Yep, that’s exactly it. And of course a lesson on why you need to understand the progeny of any string you pass as a format argument.

DividableMiddle5y ago

Any other PSP homebrew facts or resources you could share? The psp scene was my introduction to running modding.

saurik5y ago

https://github.com/libimobiledevice/libplist/issues/83

httgp5y ago

tomphoolery5y ago

I just wish that the app would use even one or two conventions from the 40-50 years of GUI research that has been done...

TwoBit5y ago

I'm convinced that the reason for the constant game of GUI musical chairs - of which Microsoft is the most guilty - is due to developers attempting to justify their employment.

Legogris5y ago

TheSpiceIsLife5y ago

Software production busy work! New code, new UI, new already-out-of-date documentation.

Drives user engagement too: people spend longer in your app (working out how the fuck to use it, again!).

fit2rule5y ago

You're right that developers do this, but in this case I would say its because the designers have to justify their existence. as a class of developer.

An interface which lasts generations because its good is not the same, necessarily, as this years hot new ideology among the design elite.

noizejoy5y ago

If you live long enough, you see cycles repeat.

pjmlp5y ago

Cycles are quite common in IT fashion industry, Microsoft isn't the only one playing the game, others are much worse.

Try to compare the Android best practices across all IOs since Android exists.

jedieaston5y ago

galad875y ago

Actually iMovie on macOS is based con FCPX.

asiachick5y ago

Even many programming examples are long out of date. Google for how to do something and the top answers are 10-15 years old using jquery or C++11 etc...

jschwartzi5y ago

Maybe we should take this as a lesson that we should use the simplest marshalling format that adequately captures our use cases rather than using a swiss-army knife format like XML.

loeg5y ago

I agree in general. But XML as used in plists is actually not especially complicated, if you aren't trying to be a webbrowser and tolerate invalid input.

Your security-sensitive parser should not attempt to tolerate invalid input.

Probably you should not have multiple separate implementations of it, either.

kitotik5y ago

I’m not sure that there were much better choices available at the time. IIRC property lists date back to NextStep.

By the time stuff like JSON started popping up, plists were pervasive all throughout OS X. Typical legacy problem!

valleyer5y ago

Property lists in NeXTSTEP didn't use XML but rather a different text-based format.

https://developer.apple.com/library/archive/documentation/Co...

azinman25y ago

Plists support dates (json doesn’t explicitly), and has you explicitly type the contents, which can help make sure that when you want a string you don’t get an int.

trollied5y ago

I wouldn’t view it as a legacy problem. There’s no actual need to change to another format (JSON etc?) just for the sake of it.

saagarjha5y ago

Property lists have a JSON format, interestingly.

wooster5y ago

The format plists used before XML was very JSON-like. It had its own set of issues, however.

SlowRobotAhead5y ago

They could always drop XML for YAML and get more issues!

Groxx5y ago

[1] It's very clearly stated as item 2, in a 2-item list for well-formed-ness of documents: https://www.w3.org/TR/xml/#sec-well-formed

gwern5y ago

http://langsec.org/ !

0x8BADF00D5y ago

Problem is legacy software tends to use XML. iOS can be considered legacy at this point. Plists are prevalent at every level of iOS.

qubex5y ago

As somebody who was already a high school student deeply ‘into’ computer technology at the time, I perfectly remember the hype and release of XML.

IOS was released last week by mental accounting standards.

To hear both be branded as ‘legacy’ is, frankly... well, it makes me feel ancient.

2 more replies

azinman25y ago

So much has been rewritten you can’t really call it legacy at this point.

1 more reply

kitotik5y ago

Once binary plists were introduced, it was only a matter of time before it became the macOS equivalent of windows registry.

The fact that Apple is maintaining multiple parsers, and apparently added yet another in response to this bug, just smells bad.

ken5y ago

How are they "the macOS equivalent of windows registry"? Or is that just a generic techno-slur?

kitotik5y ago

azinman25y ago

saagarjha5y ago

> Everything is file-oriented, making it easy to backup or wipe away any given plist.

Does cfprefsd react well to that these days?

1 more reply

geoffpado5y ago

…in OS X 10.2? In 2002?[0]

Seems like a significant amount of time.

[0]: https://en.wikipedia.org/wiki/Property_list#History

saagarjha5y ago

Property lists have been around since forever. They're NeXT technology.

codezero5y ago

Reminds me a bit of the CVE about SAML authentication being screwed up by bad XML parsers. Seems like a lot of low hanging fruit there still.

[0] https://duo.com/blog/duo-finds-saml-vulnerabilities-affectin...

ray9915y ago

The author mentions that this bug saved him 1000s of hours in development. How is a sandbox escape useful in development? Can someone give me an example?

0x05y ago

Twisell5y ago

I'm not in the security community and as an end user there seems to be two lesson there:

-Apple should provide better audit tool so that security consultants don't need to rely on unpublished 0day exploits to find other exploits

-As an exposed user I really don't thank grey hat People that refrain from publishing 0day exploit for two frigging years for personal gain...

saagarjha5y ago

panic5y ago

The section of the WHATWG HTML spec about parsing XHTML begins with this note:

> An XML parser, for the purposes of this specification, is a construct that follows the rules given in XML to map a string of bytes or characters into a Document object.

> Note: At the time of writing, no such rules actually exist.

What do the authors of HTML mean by this? Isn't there a spec for XML? There is -- here's what it has to say about comments (https://www.w3.org/TR/xml/#sec-comments):

    Comment ::= '<!--' ((Char - '-') | ('-' (Char - '-')))* '-->'

    12.2.5.45 Comment state
    
    Consume the next input character:
     U+003C LESS-THAN SIGN (<)
      Append the current input character to
      the comment token's data. Switch to
      the comment less-than sign state.
     U+002D HYPHEN-MINUS (-)
      Switch to the comment end dash state.
     U+0000 NULL
      This is an unexpected-null-character
      parse error. Append a
      U+FFFD REPLACEMENT CHARACTER
      character to the comment token's data.
     EOF
      This is an eof-in-comment parse error.
      Emit the comment token. Emit an end-
      of-file token.
     Anything else
      Append the current input character to
      the comment token's data.

The spec defines what to do for every character, even characters that should not appear in valid HTML. An HTML parser will behave exactly the same as another HTML parser in all circumstances.

ghettoimp5y ago

[1] http://sven.xtreme-eda.com/ [2] https://docs.python.org/3/reference/grammar.html

codeisawesome5y ago

That made me shudder go all the people I know who won’t update their phones

saagarjha5y ago

If they know what they’re doing, Apple will have either blocked these invalid apps from the App Store or started removing them.

Kikawala5y ago

XML is hard. Love that the fix is reminiscent of XKCD 927[1]

[1]https://xkcd.com/927/

partyboat15865y ago

Idk why your comment is down voted or flagged, the comic is relevant.

j / k navigate · click thread line to collapse