This is a good explanation of an iOS bug that allowed someone to break out of the application sandbox. A summary:
What a crazy bug, and Siguza’s explanation is very cogent. Basically, it comes down to this:
- XML is terrible.
- iOS uses XML for Plists, and Plists are used everywhere in iOS (and MacOS).
- iOS’s sandboxing system depends upon three different XML parsers, which interpret slightly invalid XML input in slightly different ways.
So Siguza’s exploit – which granted an app full access to the entire file system, and more - uses malformed XML comments constructed in a way that one of iOS’s XML parsers sees its declaration of entitlements one way, and another XML parser sees it another way. The XML parser used to check whether an application should be allowed to launch doesn’t see the fishy entitlements because it thinks they’re inside a comment. The XML parser used to determine whether an already running application has permission to do things that require entitlements sees the fishy entitlements and grants permission.
This is fixed in the new iOS release, 13.5 beta 3.
Implementing 4 different parsers is just asking for trouble, and the “fix” is of the crappiest sort, bolting on more crap to check they’re doing the right thing in this single case. None of this is encouraging.
More commentary. Hacker News thread.