Just to add to this… sometimes you exploit multiple things at a time. People writing secure systems try to put as many walls as possible between parts of their code, so if you do manage to access one part, it won’t allow further access. Here’s an example of where it broke…
So iPhones have pretty strong security. Apple really doesn’t want you modifying the device. This is a short version of how the old ‘slide to Jailbreak’ used to work.
Someone found one exploit in the PDF renderer on the iPhone that just caused the browser to crash. After some investigating, they figured out that instead of crashing, you can craft a very specific PDF that’ll allow an attacker to run any code they wanted as the browser. But it had to be very carefully written, otherwise the browser would just crash. Apple had good security. A program can’t modify the operating system. So instead of this being a severe bug, it’s just a medium-sized one.
Another person found a separate bug that let any program that’s running modify the operating system. This is considered a medium-sized bug.
Normally your phone won’t load an operating system that isn’t signed by Apple, but a third person found a third bug that allows booting up an “unlocked” operating system.
So a fourth person got creative, and glued these 3 bugs together. Use the PDF bug (#1) to run arbitrary code. The arbitrary code runs a privilege escalation (bug #2). Then it loaded the unlocked bootloader (bug #3) into the phone, which allowed you to run an unlocked operating system. They then published this special, buggy PDF on the internet, on a page you could visit. You could then visit that page, swipe, and unlock your phone.
Apple ended up fixing all those bugs, but this is an example of how these cracks can line up to do something much bigger.
Most exploits are about stacking things together. If you can trick the target system into running code, it’s not the bug itself, but the access it allows.