iOS XML Bug
2020-05-07 14:56

iOS uses XML for Plists, and Plists are used everywhere in iOS. iOS's sandboxing system depends upon three different XML parsers, which interpret slightly invalid XML input in slightly different ways.

So Siguza's exploit - which granted an app full access to the entire file system, and more - uses malformed XML comments constructed in a way that one of iOS's XML parsers sees its declaration of entitlements one way, and another XML parser sees it another way.

The XML parser used to check whether an application should be allowed to launch doesn't see the fishy entitlements because it thinks they're inside a comment.

The XML parser used to determine whether an already running application has permission to do things that require entitlements sees the fishy entitlements and grants permission.

Implementing 4 different parsers is just asking for trouble, and the "Fix" is of the crappiest sort, bolting on more crap to check they're doing the right thing in this single case.
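
A defensive pattern against this class of parser differential, as an added example (not from the original post, and not Apple's fix): reject markup that parsers can disagree on, parse once with a strict parser, and give every later consumer only the canonical re-serialisation. The names `canonical_entitlements` and `AmbiguousPlist` and the sample plists are constructed for illustration.

```python
import plistlib
import re

# Standard XML declaration and plist DOCTYPE (without an internal subset);
# these are the only "<?" / "<!" constructs a plain entitlements plist needs.
_PROLOG = re.compile(rb'^\s*(<\?xml[^>]*\?>)?\s*(<!DOCTYPE plist[^>\[]*>)?', re.I)
# Comments, CDATA, further DOCTYPEs and processing instructions: the places
# where lenient parsers can disagree about where markup starts and ends.
_SUSPECT = re.compile(rb'<!|<\?|\]\]>')


class AmbiguousPlist(ValueError):
    """Hypothetical error type: input may be read differently by different parsers."""


def canonical_entitlements(raw: bytes) -> bytes:
    """Return a canonical re-serialisation of raw, or raise AmbiguousPlist."""
    body = _PROLOG.sub(b'', raw, count=1)
    hit = _SUSPECT.search(body)
    if hit:
        raise AmbiguousPlist(f'disallowed markup {hit.group()!r} at body offset {hit.start()}')
    try:
        data = plistlib.loads(raw, fmt=plistlib.FMT_XML)  # strict, expat-based
    except Exception as exc:  # malformed XML or invalid plist structure
        raise AmbiguousPlist(f'not well-formed: {exc}') from exc
    if not isinstance(data, dict):
        raise AmbiguousPlist('top-level object must be a dict')
    # Every later check should consume these bytes, never the original blob.
    return plistlib.dumps(data, fmt=plistlib.FMT_XML, sort_keys=True)


# Constructed samples (not taken from any real app or from the exploit).
CLEAN = b'''<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0"><dict>
  <key>application-identifier</key><string>TEAMID.com.example.app</string>
</dict></plist>'''
COMMENTED = CLEAN.replace(b'<dict>', b'<dict><!-- note -->')

if __name__ == '__main__':
    print(canonical_entitlements(CLEAN).decode())
    try:
        canonical_entitlements(COMMENTED)
    except AmbiguousPlist as err:
        print('rejected:', err)
```

Even a well-formed comment is refused here: once the launch-time check and the runtime check read the same canonical bytes, there is nothing left for them to interpret differently.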


News URL

https://www.schneier.com/blog/archives/2020/05/ios_xml_bug.html